authorhe.he <he.he@amlogic.com>2018-09-26 06:47:27 (GMT)
committer Can Cao <can.cao@amlogic.com>2018-10-18 01:25:59 (GMT)
commite5c766a6b26760cab870e18530d899af034b9d36 (patch)
treee159946adf1052adc3b8b31725c44b3e3b975303
parent5b0a03ce5dcb82aaeaf65925d823a34b173e66b1 (diff)
usb: use-after-free in ffs_epfile_io+0x1c0/0x9b8
PD#174155: the io_data pointer is kfree'd in ffs_epfile_async_io_complete, so it must not be used after that point (for example in `if (io_data->aio)`); that check is changed to `if (data_flag > 0)`. Change-Id: I3b620b69bbf4e8040a43bd2435fdb836e11cc512 Signed-off-by: he.he <he.he@amlogic.com>
Diffstat
-rw-r--r--drivers/usb/gadget/function/f_fs.c5
1 files changed, 4 insertions, 1 deletions
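diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index ca41f19..055c03a 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -952,6 +952,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 #ifdef CONFIG_AMLOGIC_USB
 struct ffs_ep *ep = epfile->ep;
 struct ffs_data_buffer *buffer = NULL;
+ int data_flag = -1;
 #else
 struct ffs_ep *ep;
 #endif
@@ -1036,6 +1037,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 if (io_data->aio) {
 spin_unlock_irq(&epfile->ffs->eps_lock);
 data = kmalloc(data_len, GFP_KERNEL);
+ data_flag = 1;
 if (unlikely(!data)) {
 ret = -ENOMEM;
 goto error_mutex;
@@ -1060,6 +1062,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 * been released in kill_sb.
 */
 buffer = assign_ffs_buffer(epfile->ffs);
+ data_flag = -1;
 if (unlikely(!buffer)) {
 ret = -ENOMEM;
 spin_unlock_irq(&epfile->ffs->eps_lock);
@@ -1174,7 +1177,7 @@ error_mutex:
 mutex_unlock(&epfile->mutex);
 error:
 #ifdef CONFIG_AMLOGIC_USB
- if (io_data->aio) {
+ if (data_flag > 0) {
 kfree(data);
 data = NULL;
 } else {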
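Review bot: `data_flag` records that `data` was obtained from kmalloc (hunk at line 1037) but not whether ownership of that buffer has since been handed to the async completion path, so the rewritten check `if (data_flag > 0)` at the `error` label would free `data` a second time if any path can reach `error`/`error_mutex` after the aio request has been queued successfully; please confirm no such path exists, or clear the flag at the hand-off point. The -1/1 sentinel also reads as a magic value; a `bool data_kmalloced = false;` set to `true` beside the kmalloc, documented with `/* data is owned by this function, not by io_data, which ffs_epfile_async_io_complete may already have freed */`, states the same intent more plainly and makes the error-path condition `if (data_kmalloced)` self-explanatory. The reset to -1 after `assign_ffs_buffer()` (hunk at line 1062) is presumably redundant with the initializer if that branch is exclusive with the `io_data->aio` branch, but the branch structure is outside the hunk. ffs_epfile_io starts and ends outside these hunks.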