usb: gadget: f_hid: fix: Prevent accessing released memory

commit aa65d11aa008f4de58a9cee7e121666d9d68505e upstream. When we unlock our spinlock to copy data to user we may get disabled by USB host and free the whole list of completed out requests including the one from which we are copying the data to user memory. To prevent from this let's remove our working element from the list and place it back only if there is sth left when we finish with it. Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT") Tested-by: David Lechner <david@lechnology.com> Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Krzysztof Opasiak <kopasiak90@gmail.com> 2017-01-19 12:55:28 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-03-12 00:41:49 -0500
commit: d3acd94c0f79387b0d1855bdd4690f1596eb3f25 (patch)
tree: a216f6ea6c4eee38a7626a38942f01118211fe8a
parent: b6092a57150c1641dffb6bfeebbe2cbde7275d1f (diff)
1 files changed, 20 insertions, 4 deletions
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index ceb1d0cc5c90..b914e5725387 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -223,6 +223,13 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
        /* pick the first one */
        list = list_first_entry(&hidg->completed_out_req,
                                struct f_hidg_req_list, list);
+        /*
+         * Remove this from list to protect it from beign free()
+         * while host disables our function
+         */
+        list_del(&list->list);
        req = list->req;
        count = min_t(unsigned int, count, req->actual - list->pos);
        spin_unlock_irqrestore(&hidg->spinlock, flags);
@@ -238,15 +245,20 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
         * call, taking into account its current read position.
         */
        if (list->pos == req->actual) {
-                spin_lock_irqsave(&hidg->spinlock, flags);
-                list_del(&list->list);
                kfree(list);
-                spin_unlock_irqrestore(&hidg->spinlock, flags);
                req->length = hidg->report_length;
                ret = usb_ep_queue(hidg->out_ep, req, GFP_KERNEL);
-                if (ret < 0)
+                if (ret < 0) {
+                        free_ep_req(hidg->out_ep, req);
                        return ret;
+                }
+        } else {
+                spin_lock_irqsave(&hidg->spinlock, flags);
+                list_add(&list->list, &hidg->completed_out_req);
+                spin_unlock_irqrestore(&hidg->spinlock, flags);
+                wake_up(&hidg->read_queue);
        }
        return count;
@@ -506,14 +518,18 @@ static void hidg_disable(struct usb_function *f)
 {
        struct f_hidg *hidg = func_to_hidg(f);
        struct f_hidg_req_list *list, *next;
+        unsigned long flags;
        usb_ep_disable(hidg->in_ep);
        usb_ep_disable(hidg->out_ep);
+        spin_lock_irqsave(&hidg->spinlock, flags);
        list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) {
+                free_ep_req(hidg->out_ep, list->req);
                list_del(&list->list);
                kfree(list);
        }
+        spin_unlock_irqrestore(&hidg->spinlock, flags);
 }
 static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
author	Krzysztof Opasiak <kopasiak90@gmail.com>	2017-01-19 12:55:28 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-03-12 00:41:49 -0500
commit	d3acd94c0f79387b0d1855bdd4690f1596eb3f25 (patch)
tree	a216f6ea6c4eee38a7626a38942f01118211fe8a
parent	b6092a57150c1641dffb6bfeebbe2cbde7275d1f (diff)