Re: [PATCH] usb: gadget: f_fs: Fix NULL pointer dereference in ffs_epfile_async_io_complete()

From: Jens Axboe
Date: Fri Feb 23 2024 - 09:44:58 EST

Next message: Andy Shevchenko: "Re: [PATCH v15 2/3] iio: adc: ad_sigma_delta: Add optional irq selection"
Previous message: Wenjia Zhang: "Re: [PATCH net-next 14/15] net/smc: introduce loopback-ism DMB data copy control"
In reply to: Greg KH: "Re: [PATCH] usb: gadget: f_fs: Fix NULL pointer dereference in ffs_epfile_async_io_complete()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2/23/24 4:35 AM, Selvarasu Ganesan wrote:
> Here?s what the code might look like with a new lock:
>
> static void ffs_epfile_async_io_complete(struct usb_ep *_ep,
> struct usb_request *req)
> {
> ....
> spin_lock(&ffs->new_lock);
> if (ffs && ffs->io_completion_wq)
> queue_work(ffs->io_completion_wq, &io_data->work);
> spin_unlock(&ffs->new_lock);
> ....
> }
>
>
>
> static void ffs_data_put(struct ffs_data *ffs) {
> ...
> destroy_workqueue(ffs->io_completion_wq);
> kfree(ffs->dev_name);
> spin_lock(&ffs->new_lock);
> kfree(ffs);
> spin_unlock(&ffs->new_lock);
> ...
> }

This obviously won't work at all, and it's not the right way to fix it
at all. It needs a ref count.

--
Jens Axboe

Next message: Andy Shevchenko: "Re: [PATCH v15 2/3] iio: adc: ad_sigma_delta: Add optional irq selection"
Previous message: Wenjia Zhang: "Re: [PATCH net-next 14/15] net/smc: introduce loopback-ism DMB data copy control"
In reply to: Greg KH: "Re: [PATCH] usb: gadget: f_fs: Fix NULL pointer dereference in ffs_epfile_async_io_complete()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]