[PATCH 3.16 292/306] usb: gadget: f_fs: Fix use-after-free
From: Ben Hutchings
Date: Wed Feb 15 2017 - 19:17:28 EST
3.16.40-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lars-Peter Clausen <lars@xxxxxxxxxx>
commit 38740a5b87d53ceb89eb2c970150f6e94e00373a upstream.
When using asynchronous read or write operations on the USB endpoints the
issuer of the IO request is notified by calling the ki_complete() callback
of the submitted kiocb when the URB has been completed.
Calling this ki_complete() callback will free kiocb. Make sure that the
structure is no longer accessed beyond that point, otherwise undefined
behaviour might occur.
Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support")
Signed-off-by: Lars-Peter Clausen <lars@xxxxxxxxxx>
Signed-off-by: Felipe Balbi <felipe.balbi@xxxxxxxxxxxxxxx>
[bwh: Backported to 3.16:
- Adjust filename
- We only use kiocb::private, not kiocb::ki_flags]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
--- a/drivers/usb/gadget/f_fs.c
+++ b/drivers/usb/gadget/f_fs.c
@@ -669,7 +669,6 @@ static void ffs_user_copy_worker(struct
usb_ep_free_request(io_data->ep, io_data->req);
- io_data->kiocb->private = NULL;
if (io_data->read)
kfree(io_data->iovec);
kfree(io_data->buf);