usb: gadget: f_fs: Fix use-after-free
When using asynchronous read or write operations on the USB endpoints the issuer of the IO request is notified by calling the ki_complete() callback of the submitted kiocb when the URB has been completed. Calling this ki_complete() callback will free kiocb. Make sure that the structure is no longer accessed beyond that point, otherwise undefined behaviour might occur. Fixes: 2e4c7553 ("usb: gadget: f_fs: add aio support") Cc: <stable@vger.kernel.org> # v3.15+ Signed-off-by: NLars-Peter Clausen <lars@metafoo.de> Signed-off-by: NFelipe Balbi <felipe.balbi@linux.intel.com>
Showing
想要评论请 注册 或 登录