usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait

While performing fast composition switch, there is a possibility that the process of ffs_ep0_write/ffs_ep0_read gets into a race condition due to ep0req being freed up from functionfs_unbind.

Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't bounded so it can go ahead and mark the ep0req to NULL, and since there is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free.

Fix this by making a serialized execution between the two functions using a mutex_lock(ffs->mutex).

Fixes: ddf8abd2 ("USB: f_fs: the FunctionFS driver")
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
Tested-by: Krishna Kurapati <quic_kriskura@quicinc.com>
Link: https://lore.kernel.org/r/20221215052906.8993-2-quic_ugoswami@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
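The commit message describes a classic unbind-vs-I/O race: one path frees a request and clears the pointer while another path dereferences it without a NULL check, and the fix is to serialize both paths on the same mutex and check the pointer under that lock. The following user-space model, written here as an added example and not code from the kernel or from this commit, shows that pattern with the names the message uses (`ffs->ep0req`, `ffs->mutex`, `functionfs_unbind`, `ffs_ep0_queue_wait`). The `model_` prefixes, the `struct ffs_data` layout, the `-ENODEV` return and the thread driver are assumptions made for illustration; the real driver's structures and return codes differ.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space stand-ins for the kernel objects named in the commit message. */
struct usb_request {
    char buf[64];
    size_t length;
};

struct ffs_data {
    pthread_mutex_t mutex;        /* models ffs->mutex */
    struct usb_request *ep0req;   /* freed and cleared by the unbind path */
};

static void model_ffs_data_init(struct ffs_data *ffs)
{
    pthread_mutex_init(&ffs->mutex, NULL);
    ffs->ep0req = calloc(1, sizeof(*ffs->ep0req));
}

/* Unbind path: frees the request and clears the pointer while holding ffs->mutex,
 * so no concurrent queue_wait can observe a dangling ep0req. */
static void model_functionfs_unbind(struct ffs_data *ffs)
{
    pthread_mutex_lock(&ffs->mutex);
    free(ffs->ep0req);
    ffs->ep0req = NULL;
    pthread_mutex_unlock(&ffs->mutex);
}

/* ep0 queue path: takes the same mutex and checks ep0req for NULL before touching it.
 * Returns the number of bytes queued, or -ENODEV if the function was unbound. */
static int model_ffs_ep0_queue_wait(struct ffs_data *ffs, const char *data, size_t len)
{
    int ret;

    pthread_mutex_lock(&ffs->mutex);
    if (!ffs->ep0req) {
        ret = -ENODEV;           /* the NULL check the original code lacked */
    } else {
        if (len > sizeof(ffs->ep0req->buf))
            len = sizeof(ffs->ep0req->buf);
        memcpy(ffs->ep0req->buf, data, len);
        ffs->ep0req->length = len;
        ret = (int)len;
    }
    pthread_mutex_unlock(&ffs->mutex);
    return ret;
}

/* Thread driver: runs unbind concurrently with a write. With the mutex held in both
 * paths the outcome is either a successful write or a clean -ENODEV, never a
 * dereference of freed memory. Returns 1 if the observed result was one of those two. */
static void *unbind_thread(void *arg)
{
    model_functionfs_unbind((struct ffs_data *)arg);
    return NULL;
}

static int model_run_race_once(void)
{
    struct ffs_data ffs;
    pthread_t t;
    const char payload[] = "constructed ep0 data";   /* sample input, constructed here */
    int ret;

    model_ffs_data_init(&ffs);
    pthread_create(&t, NULL, unbind_thread, &ffs);
    ret = model_ffs_ep0_queue_wait(&ffs, payload, sizeof(payload));
    pthread_join(t, NULL);
    pthread_mutex_destroy(&ffs.mutex);

    return (ret == (int)sizeof(payload)) || (ret == -ENODEV);
}

int main(void)
{
    return model_run_race_once() ? 0 : 1;
}
```

The deterministic cases (write before unbind succeeds, write after unbind returns -ENODEV) are the ones to assert on; the threaded run only checks that whichever ordering wins, the result is one of those two safe outcomes.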
Mentioned in commits:
- eab6a6ae
- 81e42353
- a18b0c03
- 03eef2e9
- 3e73a7de
- e8e8b24a
- 29a1d5a3
- a224c1fd
- ab25d94e
- a40bcba1
- 4dc28fe9
- 4023c364