• Chao Bi's avatar
    usb: gadget: ffs: race between ffs_epfile_io() and ffs_func_eps_disable() · 97839ca4
    Chao Bi authored
    ffs_epfile_io() is called from userspace, while ffs_func_eps_disable() might be
    called from USB disconnect interrupt, the two functions would run in parallel
    but they are not well protected, that epfile->ep would be removed by
    ffs_func_eps_disable() during ffs_epfile_io() is referring this pointer, then
    it leads to kernel PANIC.
    
    The scenario is as below:
    
    Thread 1                                 Thread 2
       |                                        |
    SyS_read                             dwc3_gadget_disconnect_interrupt
       |                                        |
    ffs_epfile_read                         reset_config
       |                                        |
    ffs_epfile_io                       ffs_func_eps_disable
       |                                        |
     -----                      usb_ep_disable():  epfile->ep->ep->desc = NULL
       |                                        |
    usb_ep_align_maybe():                     -----
    it refers ep->desc->wMaxPacketSize        -----
    Signed-off-by: default avatarChao Bi <chao.bi@intel.com>
    Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
    97839ca4
f_fs.c 67.2 KB