Hello. On 06/05/2014 05:08 PM, Marcus Nutzinger wrote:
Commit 1826e9b1 fixes the use after free of "dev".
Please also specify that commit's summary line in parens.
However, if this is not the final call to dev_release(), the state is not reset to STATE_DEV_DISABLED, and hence all further open() calls to the gadgetfs ep0 device will fail with EBUSY.
So this commit reverts 1826e9b1 and places the call to put_dev() after setting the state.
Signed-off-by: Marcus Nutzinger <marcus.nutzinger@xxxxxxxxxxxxxxxxxxxxx>
Reviewed-by: Christoph Muellner <christoph.muellner@xxxxxxxxxxxxxxxxxxxxx>
---
 drivers/usb/gadget/inode.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c index a925d0c..6330528 100644 --- a/drivers/usb/gadget/inode.c +++ b/drivers/usb/gadget/inode.c @@ -1264,8 +1264,13 @@ dev_release (struct inode *inode, struct file *fd) kfree (dev->buf); dev->buf = NULL; - put_dev (dev); + /* other endpoints were all decoupled from this device */ + spin_lock_irq(&dev->lock); + dev->state = STATE_DEV_DISABLED; + spin_unlock_irq(&dev->lock);
Not sure I understand why you need spinlock here... isn't the assignment atomic already?
+ + put_dev (dev); return 0; }
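Review bot: the new comment in this hunk ("other endpoints were all decoupled from this device") does not say why the state is reset at this point; since the commit message's whole argument is that a stale state leaves later open() calls failing with EBUSY, the comment should state that dev->state must return to STATE_DEV_DISABLED before put_dev() may drop the last reference. The hunk also leaves the kfree(dev->buf) / dev->buf = NULL pair outside the lock while taking spin_lock_irq(&dev->lock) only around the single state store; if the lock is there to order that store against a concurrent reader of dev->state, say so in the comment, otherwise the question already raised above about whether the lock is needed for a plain assignment stands and the two lines could be dropped.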
WBR, Sergei