shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-10 12:57:06 +09:00
Code Issues Packages Projects Releases Wiki Activity

usb: use-after-free in ffs_epfile_io+0x1c0/0x9b8

Browse Source 
PD#174155: the io_data pointer have kfree in ffs_epfile_async_io_complete,
it can't use after that such as (if (io_data->aio)),
and this judgment is changed to if (data_flag>0).

Change-Id: I3b620b69bbf4e8040a43bd2435fdb836e11cc512
Signed-off-by: he.he <he.he@amlogic.com>
This commit is contained in:
he.he
2018-09-26 14:47:27 +08:00
committed by Jianxin Pan
parent 9c31a64401
commit 09c5d469c3
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
drivers/usb/gadget/function/f_fs.c
View File

@@ -952,6 +952,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
#ifdef CONFIG_AMLOGIC_USB
struct ffs_ep *ep = epfile->ep;
struct ffs_data_buffer *buffer = NULL;
int data_flag = -1;
#else
struct ffs_ep *ep;
#endif
@@ -1036,6 +1037,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
if (io_data->aio) {
spin_unlock_irq(&epfile->ffs->eps_lock);
data = kmalloc(data_len, GFP_KERNEL);
data_flag = 1;
if (unlikely(!data)) {
ret = -ENOMEM;
goto error_mutex;
@@ -1060,6 +1062,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
* been released in kill_sb.
*/
buffer = assign_ffs_buffer(epfile->ffs);
data_flag = -1;
if (unlikely(!buffer)) {
ret = -ENOMEM;
spin_unlock_irq(&epfile->ffs->eps_lock);
@@ -1174,7 +1177,7 @@ error_mutex:
mutex_unlock(&epfile->mutex);
error:
#ifdef CONFIG_AMLOGIC_USB
if (io_data->aio) {
if (data_flag > 0) {
kfree(data);
data = NULL;
} else {