f_hidg is referenced by file descriptors opened on /dev/hidgN as well as being the USB gadget function. Since these file descriptors can be kept alive after the gadget function has been deleted, we need to decouple the lifetime of the f_hidg structure from the function. Make f_hidg reference counted so that it remains alive after the gadget function has been deleted if necessary.
Signed-off-by: John Keeping <john@xxxxxxxxxxxx>
---
v2: - No changes
 drivers/usb/gadget/function/f_hid.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index eda4f24d2790..3d848f7a4cca 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -58,6 +58,7 @@ struct f_hidg {
 wait_queue_head_t write_queue;
 struct usb_request *req;
+ struct kref kref;
 int minor;
 struct usb_function func;
@@ -70,6 +71,14 @@ static inline struct f_hidg *func_to_hidg(struct usb_function *f)
 return container_of(f, struct f_hidg, func);
 }
+static void hidg_release(struct kref *kref)
+{
+ struct f_hidg *hidg = container_of(kref, struct f_hidg, kref);
+
+ kfree(hidg->report_desc);
+ kfree(hidg);
+}
+
 /*-------------------------------------------------------------------------*/
 /* Static descriptors */
@@ -435,6 +444,9 @@ static __poll_t f_hidg_poll(struct file *file, poll_table *wait)
 static int f_hidg_release(struct inode *inode, struct file *fd)
 {
+ struct f_hidg *hidg = fd->private_data;
+
+ kref_put(&hidg->kref, hidg_release);
 fd->private_data = NULL;
 return 0;
 }
@@ -445,6 +457,8 @@ static int f_hidg_open(struct inode *inode, struct file *fd)
 mutex_lock(&hidg_idr_lock);
 hidg = idr_find(&hidg_idr, iminor(inode));
+ if (hidg)
+ kref_get(&hidg->kref);
 mutex_unlock(&hidg_idr_lock);
 if (!hidg)
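Review bot: hidg_release() in the second hunk has no comment saying who holds references to f_hidg, although that ownership contract is the substance of this change. I would add a short comment above it, for example `/* Final kref put: frees hidg once the usb_function and every open /dev/hidgN fd have dropped their reference. */`, and a matching one-line comment on the new `kref` member in the first hunk. The callback frees only `report_desc` and the structure itself, so the comment should also say that it must not rely on any state owned by the bound gadget, since it can run long after the function is gone.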
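Review bot: The `kref_get()` added to f_hidg_open in the fourth hunk is only safe if the idr entry for this minor is removed under `hidg_idr_lock` before hidg_free() drops the function's reference. Otherwise `idr_find()` can hand back an f_hidg whose count has already reached zero, and the get then takes a reference on memory that is being freed. That removal is not visible in this patch, so the ordering should be confirmed and recorded next to the get, e.g. `/* idr entry is removed under hidg_idr_lock before the function's kref_put(), so hidg is still live here */`. The body of f_hidg_open continues past the end of the hunk.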
@@ -1056,8 +1070,7 @@ static void hidg_free(struct usb_function *f)
 hidg = func_to_hidg(f);
 opts = container_of(f->fi, struct f_hid_opts, func_inst);
- kfree(hidg->report_desc);
- kfree(hidg);
+ kref_put(&hidg->kref, hidg_release);
 mutex_lock(&opts->lock);
 --opts->refcnt;
 mutex_unlock(&opts->lock);
@@ -1109,6 +1122,8 @@ static struct usb_function *hidg_alloc(struct usb_function_instance *fi)
 mutex_unlock(&opts->lock);
+ kref_init(&hidg->kref);
+
 hidg->func.name = "hid";
 hidg->func.bind = hidg_bind;
 hidg->func.unbind = hidg_unbind;
--
2.23.0
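Review bot: Once hidg_free() replaces the two `kfree()` calls with `kref_put()`, an open /dev/hidgN descriptor can keep the f_hidg alive after the gadget function it belonged to has gone, and nothing in this hunk marks the structure as dead. The file operations still reach it through `fd->private_data`, and the struct carries `req` and the wait queues, so read, write and poll need a way to notice that the function has gone and fail cleanly. That may be handled elsewhere in the series, but it is not visible here. A comment above the `kref_put()` such as `/* open fds may still hold hidg; file ops must not use endpoint or request state from here on */` would record the requirement. hidg_free's body starts and ends outside the hunk.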