
Commit f2eff0ef authored by Vijayavardhan Vennapusa's avatar Vijayavardhan Vennapusa

USB: f_fs: Avoid NULL pointer dereference during epfile_io()



If a composition switch happens while epfile_io() is in progress,
there is a chance that the gadget pointer is accessed after unbind(),
when it could be NULL. This could cause a NULL pointer access and
result in a panic. Fix the issue by accessing member variables from a
local copy instead of directly accessing them from ffs->gadget.

Change-Id: Iec61725da9c82e8c06e66acb8a6bdbc98ff9444a
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
parent e4fab30e
+1 −2
@@ -997,7 +997,6 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
	struct ffs_epfile *epfile = file->private_data;
	struct usb_request *req;
	struct ffs_ep *ep;
	struct ffs_data *ffs = epfile->ffs;
	char *data = NULL;
	ssize_t ret, data_len = -EINVAL;
	int halt;
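Review bot: dropping the local `struct ffs_data *ffs = epfile->ffs;` is only safe if no other use of `ffs` remains in ffs_epfile_io(); the hunk shows just the declaration block, and the compiler will catch a leftover reference, but the remaining lock accesses now go through `epfile->ffs->eps_lock` directly, so please confirm the function uses `epfile->ffs` consistently. The context also does not show where the local `gadget` used later in the function is captured; including that assignment (ideally taken under `eps_lock`) in the diff context would make it clear that the copy is what protects the later read.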
@@ -1096,7 +1095,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
			data_len = usb_ep_align_maybe(gadget, ep->ep, data_len);
		spin_unlock_irq(&epfile->ffs->eps_lock);

		extra_buf_alloc = ffs->gadget->extra_buf_alloc;
		extra_buf_alloc = gadget->extra_buf_alloc;
		if (!io_data->read)
			data = kmalloc(data_len + extra_buf_alloc,
					GFP_KERNEL);
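Review bot: replacing `ffs->gadget->extra_buf_alloc` with `gadget->extra_buf_alloc` avoids re-reading `ffs->gadget` after `spin_unlock_irq(&epfile->ffs->eps_lock)`, which is the window in which unbind() can clear it, but the fix is only complete if the local `gadget` was itself read while `ffs->gadget` was still non-NULL; if the copy can be NULL, the new line dereferences NULL just as before. A `if (!gadget) return -ENODEV;` check (or an equivalent early-out under the lock) before the `usb_ep_align_maybe(gadget, ...)` and `extra_buf_alloc` uses would close that case. Note that this rendered view has lost the `+`/`-` markers, so both the old and the new `extra_buf_alloc =` lines appear; only the `gadget->extra_buf_alloc` form should remain in the resulting source.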