ANDROID: usb: f_accessory: Fix teardown ordering in acc_release()

acc_release() attempts to synchronise with acc_open() using an atomic 'open_excl' member in 'struct acc_dev'. Unfortunately, acc_release() prematurely resets this atomic variable to zero, meaning there is a potential race on 'dev->disconnected': acc_open() acc_release() atomic_xchg(open_excl), 0) atomic_xchg(open_excl, 1) dev->disconnected = 0; dev->disconnected = 1; Fix the race by ensuring that the 'disconnected' field is written before clearing 'open_excl' in acc_release(). Bug: 173789633 Signed-off-by: Will Deacon <willdeacon@google.com> Change-Id: Ib9a21f2305f6d70de3e760da62dbfdd66889200a Signed-off-by: Giuliano Procida <gprocida@google.com>
author: Will Deacon <willdeacon@google.com> 2020-12-15 15:48:22 +0000
committer: Giuliano Procida <gprocida@google.com> 2021-01-05 15:58:52 +0000
commit: 65ab8d94757f5e5198da6584c7f94509128e333e (patch)
tree: d277775ff972b7808ba2f26a7f36d9f2ce77ffb0 /drivers
parent: 14e0c76082479f0f266d58f5584b93b54057414d (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/gadget/function/f_accessory.c b/drivers/usb/gadget/function/f_accessory.c
index ce96cd060bfa..4aa4a57d0fc5 100644
--- a/drivers/usb/gadget/function/f_accessory.c
+++ b/drivers/usb/gadget/function/f_accessory.c
@@ -825,13 +825,13 @@ static int acc_release(struct inode *ip, struct file *fp)
 	if (!dev)
 		return -ENOENT;
 
-	WARN_ON(!atomic_xchg(&dev->open_excl, 0));
 	/* indicate that we are disconnected
 	 * still could be online so don't touch online flag
 	 */
 	dev->disconnected = 1;
 
 	fp->private_data = NULL;
+	WARN_ON(!atomic_xchg(&dev->open_excl, 0));
 	put_acc_dev(dev);
 	return 0;
 }
author	Will Deacon <willdeacon@google.com>	2020-12-15 15:48:22 +0000
committer	Giuliano Procida <gprocida@google.com>	2021-01-05 15:58:52 +0000
commit	65ab8d94757f5e5198da6584c7f94509128e333e (patch)
tree	d277775ff972b7808ba2f26a7f36d9f2ce77ffb0 /drivers
parent	14e0c76082479f0f266d58f5584b93b54057414d (diff)