
Commit faf47215 authored by Manu Gautam

USB: f_fs: Fix use-after-free when unbind races with epfile_io()

EPs freed as part of unbind could be accessed by ffs_epfile_io().
Fix this by moving ffs_log() under the disconnect or composition
switch check, for a similar race with data transfer.

Change-Id: I3ba268577541bd60ec915094fa4f6898d20706ad
Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
parent 71eb1ca6
+3 −3
@@ -1101,8 +1101,6 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
			}
		}

		ffs_log("ep status %d for req %pK", ep->status, req);

		if (interrupted) {
			ret = -EINTR;
			goto error_mutex;
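Review bot: the `ffs_log()` dropped in this hunk ran unconditionally after the wait and before the `if (interrupted)` check, so with this change an -EINTR return from ffs_epfile_io() emits no log line at all; if that trace is wanted for aborted transfers, add a log inside the `if (interrupted)` branch that reports only the locally held `req` pointer and the -EINTR result, not `ep->status`, since the endpoint may already have been freed by unbind at that point.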
@@ -1115,8 +1113,10 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
		 * disabled (disconnect) or changed
		 * (composition switch) ?
		 */
		if (epfile->ep == ep)
		if (epfile->ep == ep) {
			ret = ep->status;
			ffs_log("ep status %d for req %pK", ep->status, req);
		}
		spin_unlock_irq(&epfile->ffs->eps_lock);
		if (io_data->read && ret > 0)
			ret = __ffs_epfile_read_data(epfile, data, ep->status,
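Review bot: the read of `ep->status` on the last line of this hunk, `ret = __ffs_epfile_read_data(epfile, data, ep->status,`, still happens after `spin_unlock_irq(&epfile->ffs->eps_lock)` and outside the `epfile->ep == ep` check this hunk tightens, so the window the patch is closing is narrowed rather than removed; pass `ret` instead, which was assigned `ep->status` under the lock and is already known to be > 0 in that branch, and have the added `ffs_log()` print `ret` as well rather than re-reading `ep->status` a second time.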