===============
[ Upstream commit f14e9ad17f46051b02bffffac2036486097de19e ]
ffs_closed can race with configfs_rmdir which will call config_item_release, so
add an extra check to avoid calling the unregister_gadget_item with an null
gadget item.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
---
drivers/usb/gadget/function/f_fs.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
@@ -3400,6 +3400,7 @@ done:
static void ffs_closed(struct ffs_data *ffs)
{
struct ffs_dev *ffs_obj;
+ struct f_fs_opts *opts;
ENTER();
ffs_dev_lock();
@@ -3413,8 +3414,13 @@ static void ffs_closed(struct ffs_data *ffs)
if (ffs_obj->ffs_closed_callback)
ffs_obj->ffs_closed_callback(ffs);
- if (!ffs_obj->opts || ffs_obj->opts->no_configfs
- || !ffs_obj->opts->func_inst.group.cg_item.ci_parent)
+ if (ffs_obj->opts)
+ opts = ffs_obj->opts;
+ else
+ goto done;
+
+ if (opts->no_configfs || !opts->func_inst.group.cg_item.ci_parent
+ || !atomic_read(&opts->func_inst.group.cg_item.ci_kref.refcount))
goto done;
unregister_gadget_item(ffs_obj->opts->
From: Rui Miguel Silva <rui.silva@linaro.org> This patch has been added to the 3.18 stable tree. If you have any objections, please let us know.