Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6b76c336 authored by Vamsi Krishna Samavedam's avatar Vamsi Krishna Samavedam Committed by Jack Pham
Browse files

usb: gadget: ffs: Use local copy of descriptors for userspace copy 



USB cable can be disconnected (function disable) and function
descriptors can be freed while userspace daemon requesting for
descriptors copy to userspace. Avoid stale pointer copy by always
copying only local copy of desctiptors.

Change-Id: I16c01d22058e7148546f1ffbc5017520402eda97
Signed-off-by: default avatarVamsi Krishna Samavedam <vskrishn@codeaurora.org>
parent c17dc46a

drivers/usb/gadget/function/f_fs.c

+4 −2
Original line number Diff line number Diff line
@@ -1346,7 +1346,7 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code, 
	case FUNCTIONFS_ENDPOINT_DESC:

	{

		int desc_idx;

		struct usb_endpoint_descriptor *desc;

		struct usb_endpoint_descriptor desc1, *desc;



		switch (epfile->ffs->gadget->speed) {

		case USB_SPEED_SUPER:
@@ -1358,10 +1358,12 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code, 
		default:

			desc_idx = 0;

		}



		desc = epfile->ep->descs[desc_idx];

		memcpy(&desc1, desc, desc->bLength);



		spin_unlock_irq(&epfile->ffs->eps_lock);

		ret = copy_to_user((void __user *)value, desc, desc->bLength);

		ret = copy_to_user((void __user *)value, &desc1, desc1.bLength);

		if (ret)

			ret = -EFAULT;

		return ret;