[PATCH 4.1 26/56] usb: gadget: f_fs: add extra check before unregister_gadget_item
From: Greg Kroah-Hartman
Date: Wed Jul 08 2015 - 03:54:33 EST
4.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rui Miguel Silva <rui.silva@xxxxxxxxxx>
commit f14e9ad17f46051b02bffffac2036486097de19e upstream.
ffs_closed can race with configfs_rmdir which will call config_item_release, so
add an extra check to avoid calling the unregister_gadget_item with an null
gadget item.
Signed-off-by: Rui Miguel Silva <rui.silva@xxxxxxxxxx>
Signed-off-by: Felipe Balbi <balbi@xxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/usb/gadget/function/f_fs.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -3435,6 +3435,7 @@ done:
static void ffs_closed(struct ffs_data *ffs)
{
struct ffs_dev *ffs_obj;
+ struct f_fs_opts *opts;
ENTER();
ffs_dev_lock();
@@ -3449,8 +3450,13 @@ static void ffs_closed(struct ffs_data *
ffs_obj->ffs_closed_callback)
ffs_obj->ffs_closed_callback(ffs);
- if (!ffs_obj->opts || ffs_obj->opts->no_configfs
- || !ffs_obj->opts->func_inst.group.cg_item.ci_parent)
+ if (ffs_obj->opts)
+ opts = ffs_obj->opts;
+ else
+ goto done;
+
+ if (opts->no_configfs || !opts->func_inst.group.cg_item.ci_parent
+ || !atomic_read(&opts->func_inst.group.cg_item.ci_kref.refcount))
goto done;
unregister_gadget_item(ffs_obj->opts->
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/