linux/drivers/usb/gadget
Benjamin Herrenschmidt 4a56a478a5 usb: gadget: mass_storage: Fix races between fsg_disable and fsg_set_alt
If fsg_disable() and fsg_set_alt() are called too closely to each
other (for example due to a quick reset/reconnect), what can happen
is that fsg_set_alt sets common->new_fsg from an interrupt while
handle_exception is trying to process the config change caused by
fsg_disable():

	fsg_disable()
	...
	handle_exception()
		sets state back to FSG_STATE_NORMAL
		hasn't yet called do_set_interface()
		or is inside it.

 ---> interrupt
	fsg_set_alt
		sets common->new_fsg
		queues a new FSG_STATE_CONFIG_CHANGE
 <---

Now, the first handle_exception can "see" the updated
new_fsg, treats it as if it was a fsg_set_alt() response,
call usb_composite_setup_continue() etc...

But then, the thread sees the second FSG_STATE_CONFIG_CHANGE,
and goes back down the same path, wipes and reattaches a now
active fsg, and .. calls usb_composite_setup_continue() which
at this point is wrong.

Not only we get a backtrace, but I suspect the second set_interface
wrecks some state causing the host to get upset in my case.

This fixes it by replacing "new_fsg" by a "state argument" (same
principle) which is set in the same lock section as the state
update, and retrieved similarly.

That way, there is never any discrepancy between the dequeued
state and the observed value of it. We keep the ability to have
the latest reconfig operation take precedence, but we guarantee
that once "dequeued" the argument (new_fsg) will not be clobbered
by any new event.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
2019-08-12 08:55:24 +03:00
..
function usb: gadget: mass_storage: Fix races between fsg_disable and fsg_set_alt 2019-08-12 08:55:24 +03:00
legacy Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-19 10:42:02 -07:00
udc usb: gadget: udc: renesas_usb3: Fix sysfs interface of "role" 2019-08-12 08:55:24 +03:00
composite.c usb: gadget: composite: Clear "suspended" on reset/disconnect 2019-08-12 08:55:24 +03:00
config.c USB: gadget: Remove redundant license text 2017-11-07 15:45:02 +01:00
configfs.c usb: gadget: configfs: avoid spaces for indentation 2018-07-26 13:49:49 +03:00
configfs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
epautoconf.c usb: gadget: move non-super speed code out of usb_ep_autoconfig_ss() 2019-02-07 13:14:51 +02:00
functions.c USB: add SPDX identifiers to all remaining files in drivers/usb/ 2017-11-04 11:48:02 +01:00
Kconfig docs: usb: rename files to .rst and add them to drivers-api 2019-06-20 14:28:36 +02:00
Makefile Revert "usb:gadget Separated decoding functions from dwc3 driver." 2019-07-04 13:02:09 +02:00
u_f.c usb: gadget: Change Andrzej Pietrasiewicz's e-mail address 2019-02-11 11:12:29 +02:00
u_f.h usb: gadget: Change Andrzej Pietrasiewicz's e-mail address 2019-02-11 11:12:29 +02:00
u_os_desc.h usb: gadget: Change Andrzej Pietrasiewicz's e-mail address 2019-02-11 11:12:29 +02:00
usbstring.c usb/gadget: Constify usb_gadget_get_string "table" argument 2018-05-15 10:06:49 +03:00