mail archive of the barebox mailing list
From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH master 5/6] usb: gadget: multi: fix broken handling of USB function bind error
Date: Sat, 19 Mar 2022 12:02:45 +0100
Message-ID: <20220319110246.2850396-6-a.fatoum@pengutronix.de>
In-Reply-To: <20220319110246.2850396-1-a.fatoum@pengutronix.de>

If a function of a multi gadget fails, we run into multiple bugs:

  - All gadgets are unbound, even those which weren't bound yet
  - We deallocate functions and function instances, but don't
    remove them from USB configuration, which leads to
    use-after-free when doing the composite unbind later on

The correct course of action here is to undo the function instance
allocation only, like Linux does. The rest will be cleaned up later
at composite gadget unbind time.

Fixes: bfb7aa1e1916 ("USB: gadget: Add a multi function gadget")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 drivers/usb/gadget/multi.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/drivers/usb/gadget/multi.c b/drivers/usb/gadget/multi.c
index 0eb6d049d152..cd5b529d3eba 100644
--- a/drivers/usb/gadget/multi.c
+++ b/drivers/usb/gadget/multi.c
@@ -218,28 +218,28 @@ static int multi_bind(struct usb_composite_dev *cdev)
 		printf("%s: creating Fastboot function\n", __func__);
 		ret = multi_bind_fastboot(cdev);
 		if (ret)
-			goto out;
+			return ret;
 	}
 
 	if (gadget_multi_opts->dfu_opts.files) {
 		printf("%s: creating DFU function\n", __func__);
 		ret = multi_bind_dfu(cdev);
 		if (ret)
-			goto out;
+			goto unbind_fastboot;
 	}
 
 	if (gadget_multi_opts->ums_opts.files) {
 		printf("%s: creating USB Mass Storage function\n", __func__);
 		ret = multi_bind_ums(cdev);
 		if (ret)
-			goto out;
+			goto unbind_dfu;
 	}
 
 	if (gadget_multi_opts->create_acm) {
 		printf("%s: creating ACM function\n", __func__);
 		ret = multi_bind_acm(cdev);
 		if (ret)
-			goto out;
+			goto unbind_ums;
 	}
 
 	usb_ep_autoconfig_reset(cdev->gadget);
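
Review bot: None of the new error targets in multi_bind() releases the instance of the function whose bind just failed: a multi_bind_fastboot() failure now does "return ret" and a multi_bind_acm() failure jumps to unbind_ums, so nothing here puts the fastboot or ACM instance in those cases. That is only leak-free if each multi_bind_*() helper drops its own function instance before returning an error. The helpers are not part of this diff, so please state that contract in the commit message or in a short comment above the first check.
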
@@ -247,8 +247,15 @@ static int multi_bind(struct usb_composite_dev *cdev)
 	dev_info(&gadget->dev, DRIVER_DESC "\n");
 
 	return 0;
-out:
-	multi_unbind(cdev);
+unbind_ums:
+	if (gadget_multi_opts->ums_opts.files)
+		usb_put_function_instance(fi_ums);
+unbind_dfu:
+	if (gadget_multi_opts->dfu_opts.files)
+		usb_put_function_instance(fi_dfu);
+unbind_fastboot:
+	if (gadget_multi_opts->fastboot_opts.files)
+		usb_put_function_instance(fi_fastboot);
 
 	return ret;
 }
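
Review bot: After usb_put_function_instance() in the unbind_ums/unbind_dfu/unbind_fastboot chain, fi_ums, fi_dfu and fi_fastboot still hold the released pointers. The commit message says multi_unbind() deallocates function instances and that the remaining cleanup happens at composite unbind time, so please confirm these instances cannot be put a second time on that later path, or reset each pointer to NULL right after its put. Two smaller points on the same lines: the labels only put instances and do not unbind anything, so names like put_ums/put_dfu/put_fastboot would describe them better, and the cleanup re-tests gadget_multi_opts->*.files rather than whether the instance was actually allocated, which keeps it correct only as long as those options cannot change during bind.
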
-- 
2.30.2


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


Thread overview: 8+ messages
2022-03-19 11:02 [PATCH master 0/6] usb: gadget: multi: fix bind error path Ahmad Fatoum
2022-03-19 11:02 ` [PATCH master 1/6] usb: gadget: implement and use system_partitions_get_null Ahmad Fatoum
2022-03-19 11:02 ` [PATCH master 2/6] usb: gadget: don't register UMS with empty function Ahmad Fatoum
2022-03-19 11:02 ` [PATCH master 3/6] usb: gadget: mass-storage: fix clean up of file descriptors Ahmad Fatoum
2022-03-19 11:02 ` [PATCH master 4/6] usb: gadget: mass-storage: reference count allocations used in bthread Ahmad Fatoum
2022-03-19 11:02 ` Ahmad Fatoum [this message]
2022-03-19 11:02 ` [PATCH master 6/6] usb: gadget: multi: free UMS instance at multi_unbind time Ahmad Fatoum
2022-03-28  8:53 ` [PATCH master 0/6] usb: gadget: multi: fix bind error path Sascha Hauer
