[PATCH v3 36/50] functionfs: switch to simple_remove_by_name()
bot+bpf-ci at kernel.org
bot+bpf-ci at kernel.org
Tue Nov 11 18:53:16 AEDT 2025
> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
> index 47cfbe41f..43dcd39b7 100644
> --- a/drivers/usb/gadget/function/f_fs.c
> +++ b/drivers/usb/gadget/function/f_fs.c
[ ... ]
> @@ -2323,6 +2316,7 @@ static int ffs_epfiles_create(struct ffs_data *ffs)
> {
> struct ffs_epfile *epfile, *epfiles;
> unsigned i, count;
> + int err;
>
> count = ffs->eps_count;
> epfiles = kcalloc(count, sizeof(*epfiles), GFP_KERNEL);
> @@ -2339,12 +2333,11 @@ static int ffs_epfiles_create(struct ffs_data *ffs)
> sprintf(epfile->name, "ep%02x", ffs->eps_addrmap[i]);
> else
> sprintf(epfile->name, "ep%u", i);
> - epfile->dentry = ffs_sb_create_file(ffs->sb, epfile->name,
> - epfile,
> - &ffs_epfile_operations);
> - if (!epfile->dentry) {
> + err = ffs_sb_create_file(ffs->sb, epfile->name,
> + epfile, &ffs_epfile_operations);
> + if (err) {
> ffs_epfiles_destroy(epfiles, i - 1);
> - return -ENOMEM;
> + return err;
> }
> }
>
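Review bot: The cleanup count `i - 1` in `ffs_epfiles_destroy(epfiles, i - 1)` is now load-bearing in a new way, since endpoint files are removed by name rather than through a cached dentry, and nothing in the hunk says why the entry that just failed is excluded. Because `i` is 1-based here (the `ep%u` name uses `i` directly), iteration `i` fills `epfiles[i - 1]`, so on failure the entries with files on `ffs->sb` are exactly `epfiles[0 .. i-2]`, i.e. `i - 1` of them, and the failed entry must not be passed to a by-name removal it never created. A one-line comment would make that explicit: `/* only entries [0, i-1) have a file under ffs->sb; the one that failed has none */`. The loop header of ffs_epfiles_create() and the rest of the function are outside this hunk, so I cannot confirm from here that `ffs_sb_create_file()` returns a negative errno on every failure path that `return err` now propagates.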
> @@ -2355,13 +2348,11 @@ static int ffs_epfiles_create(struct ffs_data *ffs)
> static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
> {
> struct ffs_epfile *epfile = epfiles;
> + struct dentry *root = epfile->ffs->sb->s_root;
Can this dereference uninitialized memory in ffs_epfiles_destroy()?
When ffs_epfiles_create() calls ffs_epfiles_destroy(epfiles, i - 1) after
the first ffs_sb_create_file() call fails (when i=1), it passes count=0.
The initialization loop starts at i=1, so epfiles[0].ffs is never
initialized. The kcalloc() zeros the memory, making epfiles[0].ffs NULL.
The new code unconditionally dereferences epfile->ffs->sb->s_root before
the loop, causing a NULL pointer dereference when count=0. The old code
was safe because the dereference only happened inside the loop.
>
> for (; count; --count, ++epfile) {
> BUG_ON(mutex_is_locked(&epfile->mutex));
> - if (epfile->dentry) {
> - simple_recursive_removal(epfile->dentry, NULL);
> - epfile->dentry = NULL;
> - }
> + simple_remove_by_name(root, epfile->name, NULL);
> }
>
> kfree(epfiles);
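Review bot: Reading `epfile->ffs->sb->s_root` at the top of ffs_epfiles_destroy() introduces a new precondition that the previous code did not have: the functionfs superblock must still be mounted and its root dentry still live whenever this function runs, whereas the old per-epfile cached dentry needed neither. The callers are outside this hunk, so I cannot see whether every teardown path (in particular anything reached from the filesystem's kill_sb) calls this before the superblock's root is released; if any caller runs after, `root` is stale or NULL and each `simple_remove_by_name(root, ...)` call dereferences it. Please either confirm the ordering at all call sites or guard the loop on `root` being non-NULL, and record the precondition above the function with a comment such as `/* Requires ffs->sb to still be mounted: endpoint files are removed by name under its root. */`. Since the removal is now unconditional, it is also worth noting that `simple_remove_by_name()` must tolerate a name that was never created, as the old `if (epfile->dentry)` check used to skip such entries. The closing brace of ffs_epfiles_destroy() lies past the end of this hunk.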
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19257803162