usb: use-after-free in ffs_epfile_io+0x1c0/0x9b8

PD#174155: the io_data pointer have kfree in ffs_epfile_async_io_complete,
it can't use after that such as (if (io_data->aio)),
and this judgment is changed to if (data_flag>0).

Change-Id: I3b620b69bbf4e8040a43bd2435fdb836e11cc512
Signed-off-by: he.he <he.he@amlogic.com>

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index ca41f19..055c03a 100644 (file)
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -952,6 +952,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 #ifdef CONFIG_AMLOGIC_USB
        struct ffs_ep *ep = epfile->ep;
        struct ffs_data_buffer *buffer = NULL;
+       int data_flag = -1;
 #else
        struct ffs_ep *ep;
 #endif
@@ -1036,6 +1037,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
                if (io_data->aio) {
                        spin_unlock_irq(&epfile->ffs->eps_lock);
                        data = kmalloc(data_len, GFP_KERNEL);
+                       data_flag = 1;
                        if (unlikely(!data)) {
                                ret = -ENOMEM;
                                goto error_mutex;
@@ -1060,6 +1062,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
                 * been released in kill_sb.
                 */
                        buffer = assign_ffs_buffer(epfile->ffs);
+                       data_flag = -1;
                        if (unlikely(!buffer)) {
                                ret = -ENOMEM;
                                spin_unlock_irq(&epfile->ffs->eps_lock);
@@ -1174,7 +1177,7 @@ error_mutex:
        mutex_unlock(&epfile->mutex);
 error:
 #ifdef CONFIG_AMLOGIC_USB
-       if (io_data->aio) {
+       if (data_flag > 0) {
                kfree(data);
                data = NULL;
        } else {