The character device needs to live until the last file descriptor has
been closed (and until after ->release() is called in that case).
Change the lifetime of our character devices to match the module, so as
to avoid a use-after-free when closing a file descriptor after the
gadget function has been deleted.
Signed-off-by: John Keeping <john@xxxxxxxxxxxx>
---
v2:
- Updated for changes in patch 1
drivers/usb/gadget/function/f_hid.c | 42 +++++++++++++++++++++--------
1 file changed, 31 insertions(+), 11 deletions(-)
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 6cf3b5b14ded..eda4f24d2790 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -24,6 +24,7 @@
static int major, minors;
static struct class *hidg_class;
+static struct cdev *hidg_cdev;
static DEFINE_IDR(hidg_idr);
static DEFINE_MUTEX(hidg_idr_lock); /* protects access to hidg_idr */
@@ -58,7 +59,6 @@ struct f_hidg {
struct usb_request *req;
int minor;
- struct cdev cdev;
struct usb_function func;
struct usb_ep *in_ep;
@@ -827,11 +827,7 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f)
INIT_LIST_HEAD(&hidg->completed_out_req);
/* create char device */
- cdev_init(&hidg->cdev, &f_hidg_fops);
dev = MKDEV(major, hidg->minor);
- status = cdev_add(&hidg->cdev, dev, 1);
- if (status)
- goto fail_free_descs;
mutex_lock(&hidg_idr_lock);
idr_replace(&hidg_idr, hidg, hidg->minor);
@@ -841,13 +837,14 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f)
"%s%d", "hidg", hidg->minor);
if (IS_ERR(device)) {
status = PTR_ERR(device);
- goto del;
+ goto fail_idr_remove;
}
return 0;
-del:
- cdev_del(&hidg->cdev);
-fail_free_descs:
+fail_idr_remove:
+ mutex_lock(&hidg_idr_lock);
+ idr_replace(&hidg_idr, NULL, hidg->minor);
+ mutex_unlock(&hidg_idr_lock);
usb_free_all_descriptors(f);
fail:
ERROR(f->config->cdev, "hidg_bind FAILED\n");
@@ -1071,7 +1068,10 @@ static void hidg_unbind(struct usb_configuration *c, struct usb_function *f)
struct f_hidg *hidg = func_to_hidg(f);
device_destroy(hidg_class, MKDEV(major, hidg->minor));
- cdev_del(&hidg->cdev);
+
+ mutex_lock(&hidg_idr_lock);
+ idr_replace(&hidg_idr, NULL, hidg->minor);
+ mutex_unlock(&hidg_idr_lock);
usb_free_all_descriptors(f);
}
@@ -1129,6 +1129,7 @@ MODULE_AUTHOR("Fabien Chouteau");
static int ghid_setup(void)
{
+ struct cdev *cdev = NULL;
int status;
dev_t dev;
@@ -1149,12 +1150,30 @@ static int ghid_setup(void)
major = MAJOR(dev);
minors = HIDG_MINORS;
+ status = -ENOMEM;
+ cdev = cdev_alloc();
+ if (!cdev)
+ goto fail_unregister;
+
+ cdev->owner = THIS_MODULE;
+ cdev->ops = &f_hidg_fops;
+ kobject_set_name(&cdev->kobj, "hidg");
+
+ status = cdev_add(cdev, dev, HIDG_MINORS);
+ if (status)
+ goto fail_put;
+
status = usb_function_register(&hidusb_func);
if (status)
- goto fail_unregister;
+ goto fail_cdev_del;
+ hidg_cdev = cdev;
return 0;
+fail_cdev_del:
+ cdev_del(cdev);
+fail_put:
+ kobject_put(&cdev->kobj);
fail_unregister:
unregister_chrdev_region(dev, HIDG_MINORS);
class_destroy(hidg_class);
@@ -1165,6 +1184,7 @@ static int ghid_setup(void)
static void ghid_cleanup(void)
{
usb_function_unregister(&hidusb_func);
+ cdev_del(hidg_cdev);
if (major) {
unregister_chrdev_region(MKDEV(major, 0), minors);
--
2.23.0
