Commita4b98a7

Vamsi Krishna Samavedam

authored and

gregkh

committed

usb: gadget: f_fs: Use local copy of descriptors for userspace copy

The function may be unbound causing the ffs_ep and its descriptorsto be freed while userspace is in the middle of an ioctl requestingthe same descriptors. Avoid dangling pointer reference by firstmaking a local copy of desctiptors before releasing the spinlock.Fixes:c559a35 ("usb: gadget: f_fs: add ioctl returning ep descriptor")Reviewed-by: Peter Chen <peter.chen@nxp.com>Signed-off-by: Vamsi Krishna Samavedam <vskrishn@codeaurora.org>Signed-off-by: Jack Pham <jackp@codeaurora.org>Cc: stable <stable@vger.kernel.org>Link:https://lore.kernel.org/r/20201130203453.28154-1-jackp@codeaurora.orgSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 parent45c5775 commita4b98a7Copy full SHA for a4b98a7

File tree

1 file changed

-2

lines changed

drivers/usb/gadget/function
- f_fs.c

1 file changed

-2

lines changed

`‎drivers/usb/gadget/function/f_fs.c‎`

Lines changed: 4 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1324,7 +1324,7 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code,`
`1324`	`1324`	`caseFUNCTIONFS_ENDPOINT_DESC:`
`1325`	`1325`	`{`
`1326`	`1326`	`intdesc_idx;`
`1327`		`-structusb_endpoint_descriptor*desc;`
	`1327`	`+structusb_endpoint_descriptordesc1,*desc;`
`1328`	`1328`
`1329`	`1329`	`switch (epfile->ffs->gadget->speed) {`
`1330`	`1330`	`caseUSB_SPEED_SUPER:`
`@@ -1336,10 +1336,12 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code,`
`1336`	`1336`	`default:`
`1337`	`1337`	`desc_idx=0;`
`1338`	`1338`	`}`
	`1339`	`+`
`1339`	`1340`	`desc=epfile->ep->descs[desc_idx];`
	`1341`	`+memcpy(&desc1,desc,desc->bLength);`
`1340`	`1342`
`1341`	`1343`	`spin_unlock_irq(&epfile->ffs->eps_lock);`
`1342`		`-ret=copy_to_user((void__user*)value,desc,desc->bLength);`
	`1344`	`+ret=copy_to_user((void__user*)value,&desc1,desc1.bLength);`
`1343`	`1345`	`if (ret)`
`1344`	`1346`	`ret=-EFAULT;`
`1345`	`1347`	`returnret;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita4b98a7

File tree

1 file changed

1 file changed

`‎drivers/usb/gadget/function/f_fs.c‎`

0 commit comments