usb: f_fs: Prevent race between ep0_release & reset_work

When ffs_func_disable is called the driver will call set_alt
as part of which if FFS_DEACTIVATED is set then it schedules
reset_work. It further goes and tries to call epfile_destroy
where kfree is done. If, within the same time, ep0_release
is also called, it will also go forward and call epfiles_destroy.
This is because although the driver did kfree, it didn't mark NULL,
which is why the if check for epfile equals NULL will fail to prevent
and will still be able to proceed. At this point the epfile instance
is corrupted therefore when in epfile_destroy it goes into the if
check which will trigger the BUG_ON check causing crash.
Following is the illustration:

                 CPU1                      CPU2
ffs_ep0_release
ffs_data_closed
ffs->state = FFS_DEACTIVATED        (atomic context)
                                    ffs_func_disable
                                    ffs_func_set_alt
                                    schedule_work(&ffs->reset_work)
ffs_epfiles_destroy(ffs->epfiles)
(running for loop not finished)

                                    ffs_reset_work (preempts)
                                    ffs_data_reset
                                    ffs_data_clear
                                    ffs_epfiles_destroy(ffs->epfiles)

Fix this by protecting the epfile_destroy calls with mutex_lock
and also ensuring to mark epfiles NULL within it.

Signed-off-by: Udipto Goswami <ugoswami@codeaurora.org>

Bug: 183548358
Bug: 199146484
Bug: 203790673
Test: build, boot
Signed-off-by: Jimmy Hu <hhhuuu@google.com>
Signed-off-by: Peggy Chan <peichi@google.com>
Change-Id: I3f560014314d10ea1e42965290d7fbf00018dd7c
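The fix described above, modelled as an added userspace example that is not the driver's own code: the `ffs_like`, `epfile`, `epfiles_release` and `frees_done` names are constructed for this illustration, and a pthread mutex stands in for `ffs->mutex`. The release path destroys the array under the lock and NULLs the pointer there, so a second caller (the `reset_work` path in the report) finds nothing to free instead of re-entering the destroy loop.

```c
#include <assert.h>
#include <pthread.h>
#include <stdlib.h>

/* Constructed stand-in for the f_fs epfile array (not the kernel's types). */
struct epfile { int dentry_valid; };   /* "in use" marker, cleared on destroy */

struct ffs_like {
	pthread_mutex_t mutex;     /* serialises the two tear-down paths */
	struct epfile *epfiles;    /* must be NULLed once it has been freed */
	unsigned eps_count;
};

static unsigned frees_done;    /* how many arrays were actually freed */

/* Mirrors the destroy loop: tear down each entry, then free the array.
   A second destroy of the same array trips the assert, which plays the
   role of the BUG_ON in the report. */
static void epfiles_destroy(struct epfile *epfiles, unsigned count)
{
	for (unsigned i = 0; i < count; i++) {
		assert(epfiles[i].dentry_valid);
		epfiles[i].dentry_valid = 0;
	}
	free(epfiles);
	frees_done++;
}

/* Hardened tear-down: destroy under the lock and mark the pointer NULL
   there. Returns the number of entries this caller freed (0 if gone). */
static unsigned epfiles_release(struct ffs_like *ffs)
{
	unsigned count = 0;

	pthread_mutex_lock(&ffs->mutex);
	if (ffs->epfiles) {        /* the check kfree-without-NULL defeated */
		count = ffs->eps_count;
		epfiles_destroy(ffs->epfiles, count);
		ffs->epfiles = NULL;   /* so the racing path skips the array */
		ffs->eps_count = 0;
	}
	pthread_mutex_unlock(&ffs->mutex);
	return count;
}

static struct ffs_like *ffs_alloc(unsigned count)
{
	struct ffs_like *ffs = calloc(1, sizeof(*ffs));
	pthread_mutex_init(&ffs->mutex, NULL);
	ffs->epfiles = calloc(count, sizeof(*ffs->epfiles));
	for (unsigned i = 0; i < count; i++)
		ffs->epfiles[i].dentry_valid = 1;
	ffs->eps_count = count;
	return ffs;
}
```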
1 file changed
tree: 567559fc0b54c19b8a6a17ff46f83eea20391237