| From 54a3e998b1b7522de68a9caed3e3d500eff13c86 Mon Sep 17 00:00:00 2001 |
| From: Sriharsha Allenki <sallenki@codeaurora.org> |
| Date: Thu, 26 Mar 2020 17:26:20 +0530 |
| Subject: [PATCH] usb: gadget: f_fs: Fix use after free issue as part of queue |
| failure |
| |
| commit f63ec55ff904b2f2e126884fcad93175f16ab4bb upstream. |
| |
| In AIO case, the request is freed up if ep_queue fails. |
| However, io_data->req still has the reference to this freed |
| request. In the case of this failure if there is aio_cancel |
| call on this io_data it will lead to an invalid dequeue |
| operation and a potential use after free issue. |
| Fix this by setting the io_data->req to NULL when the request |
| is freed as part of queue failure. |
| |
| Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support") |
| Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org> |
| CC: stable <stable@vger.kernel.org> |
| Reviewed-by: Peter Chen <peter.chen@nxp.com> |
| Link: https://lore.kernel.org/r/20200326115620.12571-1-sallenki@codeaurora.org |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c |
| index 265e3e523ef3..fbde4c0709a7 100644 |
| --- a/drivers/usb/gadget/function/f_fs.c |
| +++ b/drivers/usb/gadget/function/f_fs.c |
| @@ -1119,6 +1119,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data) |
| |
| ret = usb_ep_queue(ep->ep, req, GFP_ATOMIC); |
| if (unlikely(ret)) { |
| + io_data->req = NULL; |
| usb_ep_free_request(ep->ep, req); |
| goto error_lock; |
| } |
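| Review bot: clearing io_data->req only removes the use-after-free if the aio_cancel side tolerates a NULL pointer, and that side is not in this hunk; please confirm the cancel path tests io_data->req for NULL before attempting the dequeue, otherwise the invalid dequeue the message describes becomes a NULL dereference instead. The ordering here is correct (drop the dangling pointer first, then usb_ep_free_request), and the `goto error_lock` suggests the lock is still held at this point, so the cancel path must read io_data->req under that same lock for the store to be race-free; a one-line comment above `io_data->req = NULL;` saying that the request is about to be freed and cancel may still look at io_data would record why the assignment has to precede the free. |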
| -- |
| 2.7.4 |
| |