
Commit 67a1b84a authored by Pratham Pratap

usb: f_fs: Free descriptors in func_unbind



Commit 2df1806a ("usb: f_fs: Avoid use-after-free of
ffs_data") added an early return from the ffs_func_unbind
if refcount becomes zero without actually freeing the
descriptors and the eps. Now during next connect, func_bind
fails as the eps are not marked NULL. Fix this by removing
the early return and adding a judgement for refcount to
avoid ffs_data pointer use-after-free.

Change-Id: I95648335bd14ab65909c9598eca3bf72a1cc8d5e
Signed-off-by: Pratham Pratap <prathampratap@codeaurora.org>
parent a20716bf
+5 −4
@@ -3779,7 +3779,6 @@ static void ffs_func_unbind(struct usb_configuration *c,
	if (!--opts->refcnt) {
		ffs_event_add(ffs, FUNCTIONFS_UNBIND);
		functionfs_unbind(ffs);
		return;
	}

	/* cleanup after autoconfig */
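Review bot: with the `return;` dropped from the `if (!--opts->refcnt)` branch, everything from `/* cleanup after autoconfig */` onward now runs after `functionfs_unbind(ffs)` has already been called, which is the window that 2df1806a was guarding against a use-after-free of `ffs_data`. Please confirm that nothing in the cleanup path reads through `ffs`, and add a comment on this branch stating that `ffs` must not be dereferenced below it once the refcount has reached zero. This branch also queues FUNCTIONFS_UNBIND before the cleanup, while the non-zero path queues it after; if that ordering difference is intentional it deserves a line in the commit message.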
@@ -3803,11 +3802,13 @@ static void ffs_func_unbind(struct usb_configuration *c,
	func->function.ssp_descriptors = NULL;
	func->interfaces_nums = NULL;

	if (opts->refcnt) {
		ffs_event_add(ffs, FUNCTIONFS_UNBIND);

		ffs_log("exit: state %d setup_state %d flag %lu", ffs->state,
			ffs->setup_state, ffs->flags);
	}
}

static struct usb_function *ffs_alloc(struct usb_function_instance *fi)
{
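Review bot: the `if (opts->refcnt)` guard at the end of `ffs_func_unbind` re-reads the counter instead of reusing the result of `--opts->refcnt` from the top of the function, so the two checks only agree if nothing changes `opts->refcnt` in between, and these lines do not show what guarantees that. Consider latching the outcome of the decrement in a local once and testing that local in both places, so the decision to touch `ffs` is made from a single read. The guard also drops the `ffs_log("exit: ...")` trace on the final unbind; an exit log that does not read `ffs->state`, `ffs->setup_state` or `ffs->flags` would keep that path visible when debugging.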