On 20-11-30 12:34:53, Jack Pham wrote:
> From: Vamsi Krishna Samavedam <vskrishn@xxxxxxxxxxxxxx>
>
> The function may be unbound causing the ffs_ep and its descriptors
> to be freed while userspace is in the middle of an ioctl requesting
> the same descriptors. Avoid dangling pointer reference by first
> making a local copy of desctiptors before releasing the spinlock.
>
> Fixes: c559a3534109 ("usb: gadget: f_fs: add ioctl returning ep descriptor")
> Signed-off-by: Vamsi Krishna Samavedam <vskrishn@xxxxxxxxxxxxxx>
> Signed-off-by: Jack Pham <jackp@xxxxxxxxxxxxxx>
> ---
> drivers/usb/gadget/function/f_fs.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
> index 046f770a76da..c727cb5de871 100644
> --- a/drivers/usb/gadget/function/f_fs.c
> +++ b/drivers/usb/gadget/function/f_fs.c
> @@ -1324,7 +1324,7 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code,
> case FUNCTIONFS_ENDPOINT_DESC:
> {
> int desc_idx;
> - struct usb_endpoint_descriptor *desc;
> + struct usb_endpoint_descriptor desc1, *desc;
>
> switch (epfile->ffs->gadget->speed) {
> case USB_SPEED_SUPER:
> @@ -1336,10 +1336,12 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code,
> default:
> desc_idx = 0;
> }
> +
> desc = epfile->ep->descs[desc_idx];
> + memcpy(&desc1, desc, desc->bLength);
>
> spin_unlock_irq(&epfile->ffs->eps_lock);
> - ret = copy_to_user((void __user *)value, desc, desc->bLength);
> + ret = copy_to_user((void __user *)value, &desc1, desc1.bLength);
> if (ret)
> ret = -EFAULT;
> return ret;
> --
Do you have any backtrace to show the problems? I see ffs->ref will be
increased at .open, and the .unbind should not free memory if ffs->ref
is still two.
--
Thanks,
Peter Chen
