Commit 830fa755 authored by Rohith Kollalsi, committed by Shrirang Bagul

usb: gadget: f_cdev: Fix use after free of port in f_cdev

BugLink: https://bugs.launchpad.net/bugs/1931727



With the configfs filesystem it’s possible to manipulate kernel
objects by creating/deleting folders in the /config path. Here the port
object is created by a mkdir, which leads to allocation of this object,
while the rmdir system call leads to freeing of this object.
If one thread does these two operations of creation and deletion
of the folder and one tries to open it, it can lead to a
race condition where the port object can be freed by the time
it is used in f_cdev_open, leading to a use-after-free error.

Fix this by using embedded struct device and the refcounting
mechanism built-in which increases and decreases refcount upon
creation and deletion of port and port will be freed when
reference count is zero ensuring that "port" object survives
until the last user releases it.

Change-Id: I88701ef161c9f3215631da81c3a8d4c980d12b25
Signed-off-by: Rohith Kollalsi <rkollals@codeaurora.org>
(cherry picked from commit fbe8136024f51215a5a4559e79297d914ee3409e)
Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>
parent 24ece1a3
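
The lifetime rule described in the commit message, as an added userspace model in C (not code from this commit or from the f_cdev driver; the `model_*` and `port_*` names and the minor number 7 are hypothetical): a port with an embedded refcounted device stays valid after the rmdir-side put for as long as an opener holds its own reference.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdlib.h>

struct model_dev {            /* userspace model; all names are hypothetical */
    atomic_int refcount;
    void (*release)(struct model_dev *dev);
};
struct model_port {
    int minor;
    struct model_dev dev;     /* embedded, as struct device is in the fix */
};

static void port_release(struct model_dev *dev)
{
    /* container_of: recover the port from its embedded device, then free it */
    free((char *)dev - offsetof(struct model_port, dev));
}

static struct model_port *port_create(int minor)          /* mkdir side */
{
    struct model_port *port = calloc(1, sizeof(*port));
    if (!port) return NULL;
    port->minor = minor;
    atomic_init(&port->dev.refcount, 1);                  /* creation reference */
    port->dev.release = port_release;
    return port;
}

static void port_get(struct model_port *port) { atomic_fetch_add(&port->dev.refcount, 1); }
static int port_put(struct model_port *port)              /* 1 if this put freed it */
{
    if (atomic_fetch_sub(&port->dev.refcount, 1) != 1)
        return 0;
    port->dev.release(&port->dev);
    return 1;
}

static int open_survives_rmdir(void)   /* 0 when rmdir during an open is safe */
{
    struct model_port *port = port_create(7);
    if (!port) return -1;
    port_get(port);                        /* open() pins the port */
    int rmdir_freed = port_put(port);      /* rmdir drops the creation reference */
    int usable = (port->minor == 7);       /* opener still reads valid memory */
    int close_freed = port_put(port);      /* last user releases, port is freed */
    return (!rmdir_freed && usable && close_freed) ? 0 : 1;
}

int main(void) { return open_survives_rmdir(); }
```

The model is single-threaded and covers only object lifetime; it assumes the opener takes its reference before the rmdir-side put runs.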