Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3a85476e authored by Vamsi Krishna Samavedam's avatar Vamsi Krishna Samavedam Committed by Gerrit - the friendly Code Review server
Browse files

usb: gadget: ffs: Use local copy of descriptors for userspace copy 



USB cable can be disconnected (function disable) and function
descriptors can be freed while userspace daemon requesting for
descriptors copy to userspace. Avoid stale pointer copy by always
copying only local copy of desctiptors.

Change-Id: I16c01d22058e7148546f1ffbc5017520402eda97
Signed-off-by: default avatarVamsi Krishna Samavedam <vskrishn@codeaurora.org>
parent 16a51893

drivers/usb/gadget/function/f_fs.c

+4 −2
Original line number Diff line number Diff line
@@ -1324,7 +1324,7 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code, 
	case FUNCTIONFS_ENDPOINT_DESC:

	{

		int desc_idx;

		struct usb_endpoint_descriptor *desc;

		struct usb_endpoint_descriptor desc1, *desc;



		switch (epfile->ffs->gadget->speed) {

		case USB_SPEED_SUPER:
@@ -1336,10 +1336,12 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code, 
		default:

			desc_idx = 0;

		}



		desc = epfile->ep->descs[desc_idx];

		memcpy(&desc1, desc, desc->bLength);



		spin_unlock_irq(&epfile->ffs->eps_lock);

		ret = copy_to_user((void __user *)value, desc, desc->bLength);

		ret = copy_to_user((void __user *)value, &desc1, desc1.bLength);

		if (ret)

			ret = -EFAULT;

		return ret;