On Thu, Jan 27, 2022 at 09:39:55AM +0530, Udipto Goswami wrote:
> Consider a case where ffs_func_eps_disable is called from
> ffs_func_disable as part of composition switch and at the
> same time ffs_epfile_release get called from userspace.
> ffs_epfile_release will free up the read buffer and call
> ffs_data_closed which in turn destroys ffs->epfiles and
> mark it as NULL. While this was happening the driver has
> already initialized the local epfile in ffs_func_eps_disable
> which is now freed and waiting to acquire the spinlock. Once
> spinlock is acquired the driver proceeds with the stale value
> of epfile and tries to free the already freed read buffer
> causing use-after-free.
>
> Following is the illustration of the race:
>
> CPU1 CPU2
>
> ffs_func_eps_disable
> epfiles (local copy)
> ffs_epfile_release
> ffs_data_closed
> if (last file closed)
> ffs_data_reset
> ffs_data_clear
> ffs_epfiles_destroy
> spin_lock
> dereference epfiles
>
> Fix this races by taking epfiles local copy & assigning it under
> spinlock and if epfiles(local) is null then update it in ffs->epfiles
> then finally destroy it.
> Extending the scope further from the race, protecting the ep related
> structures, and concurrent accesses.
>
> Fixes: a9e6f83c2df (usb: gadget: f_fs: stop sleeping in ffs_func_eps_disable)
Nit, this should have been:
Fixes: a9e6f83c2df1 ("usb: gadget: f_fs: stop sleeping in ffs_func_eps_disable")
I've fixed it up now, thanks.
greg k-h
