Commit 971a8577 authored May 05, 2021 by Pratham Pratap

usb: f_fs: Fix use-after-free for epfile



Commit 1c3b63b8 ("usb: f_fs: Avoid use-after-free of
epfile") fixed use-after-free in ffs_func_eps_disable but
there is still a possiblilty of ffs_epfile_release going
ahead and freeing the buffer while ffs_func_eps_disable has
acquired the spin_lock and initialized local copy of epfile.
Since ffs_epfile_release doesn't have spin_lock protection
for freeing up the read buffer, fix this by putting it under
spin_lock protection as well.

Change-Id: I85b1a0aea88c0033fbeef4c5db5104caac211540
Signed-off-by: Pratham Pratap <prathampratap@codeaurora.org>

parent 336a29e7

drivers/usb/gadget/function/f_fs.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -1424,10 +1424,13 @@ ffs_epfile_release(struct inode inode, struct file file)
		{
		struct ffs_epfile *epfile = inode->i_private;
		struct ffs_data *ffs = epfile->ffs;
		unsigned long flags;

		ENTER();

		spin_lock_irqsave(&epfile->ffs->eps_lock, flags);
		__ffs_epfile_read_buffer_free(epfile);
		spin_unlock_irqrestore(&epfile->ffs->eps_lock, flags);
		ffs_log("%s: state %d setup_state %d flag %lu opened %u",
		epfile->name, epfile->ffs->state, epfile->ffs->setup_state,
		epfile->ffs->flags, atomic_read(&epfile->opened));