usb: gadget: f_fs: Fix use after free issue as part of queue failure

Sriharsha Allenki · gregkh · commit f63ec55ff904 · 2020-03-26T15:05:44.000+01:00
In AIO case, the request is freed up if ep_queue fails. However, io_data->req still has the reference to this freed request. In the case of this failure if there is aio_cancel call on this io_data it will lead to an invalid dequeue operation and a potential use after free issue. Fix this by setting the io_data->req to NULL when the request is freed as part of queue failure. Fixes: 2e4c755 ("usb: gadget: f_fs: add aio support") Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org> CC: stable <stable@vger.kernel.org> Reviewed-by: Peter Chen <peter.chen@nxp.com> Link: https://lore.kernel.org/r/20200326115620.12571-1-sallenki@codeaurora.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
@@ -1120,6 +1120,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 
 		ret = usb_ep_queue(ep->ep, req, GFP_ATOMIC);
 		if (unlikely(ret)) {
+			io_data->req = NULL;
 			usb_ep_free_request(ep->ep, req);
 			goto error_lock;
 		}

Original file line number	Diff line number	Diff line change
`@@ -1120,6 +1120,7 @@ static ssize_t ffs_epfile_io(struct file file, struct ffs_io_data io_data)`
`1120`	`1120`
`1121`	`1121`	`ret = usb_ep_queue(ep->ep, req, GFP_ATOMIC);`
`1122`	`1122`	`if (unlikely(ret)) {`
	`1123`	`+ io_data->req = NULL;`
`1123`	`1124`	`usb_ep_free_request(ep->ep, req);`
`1124`	`1125`	`goto error_lock;`
`1125`	`1126`	`}`