Commit 3290d93a authored Jan 16, 2019 by Chandana Kishori Chiluveru Committed by Gerrit - the friendly Code Review server May 08, 2019

usb: gadget: f_fs: Fix NULL pointer issues in ffs driver

commit e4ed11d6 ("usb: gadget: f_fs: Support multi-instance IPC
logging") moved the ipc_log context create from functionfs_init to
ffs_data_new, ffs_data_new() function will be called from the userspace
to mount the ffs function. In case of mount happening multiple times
from the userspace on same device node. ipc_log context destroyed
from the second mount failure path and causing crashes by using freed
ipc_log context for ffs_log().

Hence fix this issue by adding proper check in ffs_data_new() before
mounting the device node so that driver can fail the second time mount
happens from userspace on same device node.

Change-Id: Icb80c69222cd2b15aba612e2624756afd8dde803
Signed-off-by: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>

parent c17dc46a

drivers/usb/gadget/function/f_fs.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -1792,10 +1792,18 @@ static void ffs_data_closed(struct ffs_data *ffs)
		static struct ffs_data ffs_data_new(const char dev_name)
		{
		char ipcname[24] = "usb_ffs_";
		struct ffs_dev *ffs_dev;
		struct ffs_data ffs = kzalloc(sizeof ffs, GFP_KERNEL);
		if (unlikely(!ffs))
		return NULL;

		ffs_dev = _ffs_find_dev(dev_name);
		if (ffs_dev && ffs_dev->mounted) {
		pr_info("%s(): %s Already mounted\n", __func__, dev_name);
		kfree(ffs);
		return ERR_PTR(-EBUSY);
		}

		ENTER();

		ffs->io_completion_wq = alloc_ordered_workqueue("%s", 0, dev_name);