usb: gadget: Fix net_device lifecycles and configfs races

[PATCH 1/7] usb: gadget: f_subset: Fix unbalanced refcnt in geth_free

Posted by Kuen-Han Tsai 2 weeks ago

geth_alloc() increments the reference count, but geth_free() fails to
decrement it. This prevents the configuration of attributes via configfs
after unlinking the function.

Decrement the reference count in geth_free() to ensure proper cleanup.

Fixes: 02832e56f88a ("usb: gadget: f_subset: add configfs support")
Cc: stable@vger.kernel.org
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
---
 drivers/usb/gadget/function/f_subset.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/usb/gadget/function/f_subset.c b/drivers/usb/gadget/function/f_subset.c
index 076072386e5e..74dc6da5c767 100644
--- a/drivers/usb/gadget/function/f_subset.c
+++ b/drivers/usb/gadget/function/f_subset.c
@@ -6,6 +6,7 @@
  * Copyright (C) 2008 Nokia Corporation
  */
 
+#include <linux/cleanup.h>
 #include <linux/slab.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
@@ -449,8 +450,13 @@ static struct usb_function_instance *geth_alloc_inst(void)
 static void geth_free(struct usb_function *f)
 {
 	struct f_gether *eth;
+	struct f_gether_opts *opts;
+
+	opts = container_of(f->fi, struct f_gether_opts, func_inst);
 
 	eth = func_to_geth(f);
+	scoped_guard(mutex, &opts->lock)
+		opts->refcnt--;
 	kfree(eth);
 }
 

-- 
2.53.0.959.g497ff81fa9-goog

[PATCH 1/7] usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
[PATCH 2/7] usb: gadget: f_rndis: Protect RNDIS options with mutex
[PATCH 3/7] usb: gadget: u_ncm: Add kernel-doc comments for struct f_ncm_opts
[PATCH 4/7] usb: gadget: f_ecm: Fix net_device lifecycle with device_move
[PATCH 5/7] usb: gadget: f_eem: Fix net_device lifecycle with device_move
[PATCH 6/7] usb: gadget: f_subset: Fix net_device lifecycle with device_move
[PATCH 7/7] usb: gadget: f_rndis: Fix net_device lifecycle with device_move