On Mon, 2017-06-19 at 23:20 +0800, Greg Kroah-Hartman wrote:
> 4.4-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
>
> commit f16443a034c7aa359ddf6f0f9bc40d01ca31faea upstream.
[...]
> The result of this race, as seen above, is that set_link_state() can
> invoke a callback in gadgetfs even after gadgetfs has been unbound
> from dummy_hcd's UDC and its private data structures have been
> deallocated.
>
> include/linux/usb/gadget.h documents that the ->reset, ->disconnect,
> ->suspend, and ->resume callbacks may be invoked in interrupt context.
> In general this is necessary, to prevent races with gadget driver
> removal. This patch fixes dummy_hcd to retain the spinlock across
> these calls, and it adds a spinlock acquisition to dummy_udc_stop() to
> prevent the race.
>
> The net2280 driver makes the same mistake of dropping the private
> spinlock for its ->disconnect and ->reset callback invocations. The
> patch fixes it too.
[...]

Why only these two drivers? Most of the other UDC drivers seem to do
the same thing.

Ben.

--
Ben Hutchings
Software Developer, Codethink Ltd.