usb: gadget: f_fs: Use local copy of descriptors for userspace copy

The function may be unbound causing the ffs_ep and its descriptors
to be freed while userspace is in the middle of an ioctl requesting
the same descriptors. Avoid dangling pointer reference by first
making a local copy of descriptors before releasing the spinlock.

Fixes: c559a3534109 ("usb: gadget: f_fs: add ioctl returning ep descriptor")
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Vamsi Krishna Samavedam <vskrishn@codeaurora.org>
Signed-off-by: Jack Pham <jackp@codeaurora.org>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20201130203453.28154-1-jackp@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by Vamsi Krishna Samavedam and committed by Greg Kroah-Hartman a4b98a75 45c57754

Changed files: drivers/usb/gadget/function/f_fs.c (+4 -2)
··· 1324 1324 case FUNCTIONFS_ENDPOINT_DESC: 1325 1325 { 1326 1326 int desc_idx; 1327 - struct usb_endpoint_descriptor *desc; 1327 + struct usb_endpoint_descriptor desc1, *desc; 1328 1328 1329 1329 switch (epfile->ffs->gadget->speed) { 1330 1330 case USB_SPEED_SUPER: ··· 1336 1336 default: 1337 1337 desc_idx = 0; 1338 1338 } 1339 + 1339 1340 desc = epfile->ep->descs[desc_idx]; 1341 + memcpy(&desc1, desc, desc->bLength); 1340 1342 1341 1343 spin_unlock_irq(&epfile->ffs->eps_lock); 1342 - ret = copy_to_user((void __user *)value, desc, desc->bLength); 1344 + ret = copy_to_user((void __user *)value, &desc1, desc1.bLength); 1343 1345 if (ret) 1344 1346 ret = -EFAULT; 1345 1347 return ret;
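Review bot: the new `memcpy(&desc1, desc, desc->bLength);` copies a length taken from the descriptor itself into a fixed-size stack object, and nothing in this hunk bounds `desc->bLength` against `sizeof(desc1)`. If a descriptor whose bLength exceeds the size of struct usb_endpoint_descriptor can ever reach this point, the copy writes past `desc1` on the kernel stack, so the fix would trade a use-after-free for a stack overwrite. Either clamp the length, for example `min_t(size_t, desc->bLength, sizeof(desc1))`, and use that same value in the `copy_to_user()` call, or add a comment naming where the length is validated before the descriptor is stored in `epfile->ep->descs[]`. A smaller point: `desc` is now only needed for the memcpy, so the local could be given a clearer name than `desc1`, and the blank line added before `desc = epfile->ep->descs[desc_idx];` is unrelated whitespace churn for a stable backport.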