From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Wesley Cheng
Subject: [PATCH 4.19 41/67] usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind
Date: Mon, 14 Jun 2021 12:27:24 +0200
Message-Id: <20210614102645.175236456@linuxfoundation.org>

From: Wesley Cheng

commit 6fc1db5e6211e30fbb1cee8d7925d79d4ed2ae14 upstream.

During unbind, ffs_func_eps_disable() will be executed, resulting in
completion callbacks for any pending USB requests. When using AIO,
irrespective of the completion status, io_data work is queued to
io_completion_wq to evaluate and handle the completed requests. Since
work runs asynchronously to the unbind() routine, there can be a
scenario where the work runs after the USB gadget has been fully
removed, resulting in accessing of a resource which has been already
freed. (i.e. usb_ep_free_request() accessing the USB ep structure)

Explicitly drain the io_completion_wq, instead of relying on the
destroy_workqueue() (in ffs_data_put()) to make sure no pending
completion work items are running.

Signed-off-by: Wesley Cheng
Cc: stable
Link: https://lore.kernel.org/r/1621644261-1236-1-git-send-email-wcheng@codeaurora.org
Signed-off-by: Greg Kroah-Hartman
--- drivers/usb/gadget/function/f_fs.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -3469,6 +3469,9 @@ static void ffs_func_unbind(struct usb_c ffs->func = NULL; } + /* Drain any pending AIO completions */ + drain_workqueue(ffs->io_completion_wq); + if (!--opts->refcnt) functionfs_unbind(ffs);
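
Review bot: the drain_workqueue(ffs->io_completion_wq) call added just before the "if (!--opts->refcnt)" check only closes the use-after-free if nothing can queue io_data work after it returns, and the hunk context does not show that ordering. The commit message says the completions are triggered by ffs_func_eps_disable(); it is worth confirming that call sits above this point in ffs_func_unbind() and stating it in the comment, for example "/* Endpoints are disabled above; drain AIO completion work before the eps and requests go away */", so a later reorder does not quietly reintroduce the race. The current comment also gives no reason why the destroy_workqueue() in ffs_data_put() is not sufficient, which is the one thing a reader of this function needs to know. Note too that the drain runs on every unbind, whether or not opts->refcnt reaches zero, and that it blocks until the queue is empty, so unbind latency now depends on how much completion work is outstanding.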