Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()

bot+bpf-ci Mon, 10 Nov 2025 23:53:34 -0800

> diff --git a/drivers/usb/gadget/function/f_fs.c 
> b/drivers/usb/gadget/function/f_fs.c
> index 47cfbe41f..43dcd39b7 100644
> --- a/drivers/usb/gadget/function/f_fs.c
> +++ b/drivers/usb/gadget/function/f_fs.c


[ ... ]

> @@ -2323,6 +2316,7 @@ static int ffs_epfiles_create(struct ffs_data *ffs)
>  {
>       struct ffs_epfile *epfile, *epfiles;
>       unsigned i, count;
> +     int err;
>
>       count = ffs->eps_count;
>       epfiles = kcalloc(count, sizeof(*epfiles), GFP_KERNEL);
> @@ -2339,12 +2333,11 @@ static int ffs_epfiles_create(struct ffs_data *ffs)
>                       sprintf(epfile->name, "ep%02x", ffs->eps_addrmap[i]);
>               else
>                       sprintf(epfile->name, "ep%u", i);
> -             epfile->dentry = ffs_sb_create_file(ffs->sb, epfile->name,
> -                                              epfile,
> -                                              &ffs_epfile_operations);
> -             if (!epfile->dentry) {
> +             err = ffs_sb_create_file(ffs->sb, epfile->name,
> +                                      epfile, &ffs_epfile_operations);
> +             if (err) {
>                       ffs_epfiles_destroy(epfiles, i - 1);
> -                     return -ENOMEM;
> +                     return err;
>               }
>       }
>
> @@ -2355,13 +2348,11 @@ static int ffs_epfiles_create(struct ffs_data *ffs)
>  static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
>  {
>       struct ffs_epfile *epfile = epfiles;
> +     struct dentry *root = epfile->ffs->sb->s_root;

Can this dereference uninitialized memory in ffs_epfiles_destroy()?

When ffs_epfiles_create() calls ffs_epfiles_destroy(epfiles, i - 1) after
the first ffs_sb_create_file() call fails (when i=1), it passes count=0.
The initialization loop starts at i=1, so epfiles[0].ffs is never
initialized. The kcalloc() zeros the memory, making epfiles[0].ffs NULL.

The new code unconditionally dereferences epfile->ffs->sb->s_root before
the loop, causing a NULL pointer dereference when count=0. The old code
was safe because the dereference only happened inside the loop.

>
>       for (; count; --count, ++epfile) {
>               BUG_ON(mutex_is_locked(&epfile->mutex));
> -             if (epfile->dentry) {
> -                     simple_recursive_removal(epfile->dentry, NULL);
> -                     epfile->dentry = NULL;
> -             }
> +             simple_remove_by_name(root, epfile->name, NULL);
>       }
>
>       kfree(epfiles);


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19257803162

Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()

Reply via email to