From: Greg Kroah-Hartman Date: Wed, 21 Jan 2026 17:21:16 +0000 (+0100) Subject: Revert "functionfs: fix the open/removal races" X-Git-Tag: v6.18.7~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d1bf4a7b8ed87ab32adaa40f53dfe332755451d;p=thirdparty%2Fkernel%2Fstable.git Revert "functionfs: fix the open/removal races" This reverts commit b49c766856fb5901490de577e046149ebf15e39d which is commit e5bf5ee266633cb18fff6f98f0b7d59a62819eee upstream. It has been reported to cause test problems in Android devices. As the other functionfs changes were not also backported at the same time, something is out of sync. So just revert this one for now and it can come back in the future as a patch series if it is tested. Cc: Al Viro Cc: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 69f6e3c0f7e0..47cfbe41fdff 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -640,22 +640,13 @@ done_mutex: static int ffs_ep0_open(struct inode *inode, struct file *file) { - struct ffs_data *ffs = inode->i_sb->s_fs_info; - int ret; + struct ffs_data *ffs = inode->i_private; - /* Acquire mutex */ - ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); - if (ret < 0) - return ret; - - ffs_data_opened(ffs); - if (ffs->state == FFS_CLOSING) { - ffs_data_closed(ffs); - mutex_unlock(&ffs->mutex); + if (ffs->state == FFS_CLOSING) return -EBUSY; - } - mutex_unlock(&ffs->mutex); + file->private_data = ffs; + ffs_data_opened(ffs); return stream_open(inode, file); } @@ -1202,33 +1193,14 @@ error: static int ffs_epfile_open(struct inode *inode, struct file *file) { - struct ffs_data *ffs = inode->i_sb->s_fs_info; - struct ffs_epfile *epfile; - int ret; + struct ffs_epfile *epfile = inode->i_private; - /* Acquire mutex */ - ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK); - if (ret < 0) - return ret; - - if (!atomic_inc_not_zero(&ffs->opened)) { - mutex_unlock(&ffs->mutex); - return -ENODEV; - } - /* - * we want the state to be FFS_ACTIVE; FFS_ACTIVE alone is - * not enough, though - we might have been through FFS_CLOSING - * and back to FFS_ACTIVE, with our file already removed. - */ - epfile = smp_load_acquire(&inode->i_private); - if (unlikely(ffs->state != FFS_ACTIVE || !epfile)) { - mutex_unlock(&ffs->mutex); - ffs_data_closed(ffs); + if (WARN_ON(epfile->ffs->state != FFS_ACTIVE)) return -ENODEV; - } - mutex_unlock(&ffs->mutex); file->private_data = epfile; + ffs_data_opened(epfile->ffs); + return stream_open(inode, file); } @@ -1360,7 +1332,7 @@ static void ffs_dmabuf_put(struct dma_buf_attachment *attach) static int ffs_epfile_release(struct inode *inode, struct file *file) { - struct ffs_epfile *epfile = file->private_data; + struct ffs_epfile *epfile = inode->i_private; struct ffs_dmabuf_priv *priv, *tmp; struct ffs_data *ffs = epfile->ffs; @@ -2380,11 +2352,6 @@ static int ffs_epfiles_create(struct ffs_data *ffs) return 0; } -static void clear_one(struct dentry *dentry) -{ - smp_store_release(&dentry->d_inode->i_private, NULL); -} - static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count) { struct ffs_epfile *epfile = epfiles; @@ -2392,7 +2359,7 @@ static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count) for (; count; --count, ++epfile) { BUG_ON(mutex_is_locked(&epfile->mutex)); if (epfile->dentry) { - simple_recursive_removal(epfile->dentry, clear_one); + simple_recursive_removal(epfile->dentry, NULL); epfile->dentry = NULL; } }