[PATCH 4.14 05/31] usb: gadget: f_fs: Use local copy of descriptors for userspace copy

[Greg Kroah-Hartman]

From: Vamsi Krishna Samavedam <vskri...@codeaurora.org>

commit a4b98a7512f18534ce33a7e98e49115af59ffa00 upstream.

The function may be unbound causing the ffs_ep and its descriptors
to be freed while userspace is in the middle of an ioctl requesting
the same descriptors. Avoid dangling pointer reference by first
making a local copy of desctiptors before releasing the spinlock.

Fixes: c559a3534109 ("usb: gadget: f_fs: add ioctl returning ep descriptor")
Reviewed-by: Peter Chen <peter.c...@nxp.com>
Signed-off-by: Vamsi Krishna Samavedam <vskri...@codeaurora.org>
Signed-off-by: Jack Pham <ja...@codeaurora.org>
Cc: stable <sta...@vger.kernel.org>
Link: https://lore.kernel.org/r/20201130203453.28154-1-ja...@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 drivers/usb/gadget/function/f_fs.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1244,7 +1244,7 @@ static long ffs_epfile_ioctl(struct file
        case FUNCTIONFS_ENDPOINT_DESC:
        {
                int desc_idx;
-               struct usb_endpoint_descriptor *desc;
+               struct usb_endpoint_descriptor desc1, *desc;
 
                switch (epfile->ffs->gadget->speed) {
                case USB_SPEED_SUPER:
@@ -1256,10 +1256,12 @@ static long ffs_epfile_ioctl(struct file
                default:
                        desc_idx = 0;
                }
+
                desc = epfile->ep->descs[desc_idx];
+               memcpy(&desc1, desc, desc->bLength);
 
                spin_unlock_irq(&epfile->ffs->eps_lock);
-               ret = copy_to_user((void *)value, desc, desc->bLength);
+               ret = copy_to_user((void *)value, &desc1, desc1.bLength);
                if (ret)
                        ret = -EFAULT;
                return ret;