
Commit 3bfb7867 authored by Vijayavardhan Vennapusa, committed by Mayank Rana

USB: gadget: mass_storage: Fix Null pointer access during disconnect

There is a chance that completion handler and ep disable race each other
and it might happen that completion handler gets called after driver_data
is set to NULL as part of function disable. This results in crash. Hence
add check in completion handler to check if driver_data is NULL or not
to fix the issue.

CRs-Fixed: 891650
Change-Id: I79ce3967533d2a7cb7591ccfe50b095a540e9884
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
parent c5021b3d
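The race the commit message describes, as an added userspace model (not code from the commit or from the kernel tree): a completion handler snapshots the endpoint's driver_data once, and an endpoint-disable path clears it. The model shows which orderings the NULL check in the handler catches and which it does not. All names here (model_ep, model_common, ep_disable, bulk_in_complete_model, the race_hook parameter used to inject the disable at a chosen point) are hypothetical stand-ins for the kernel's usb_ep, fsg_common and friends.

```c
/* Added example: userspace model of the completion-handler vs. ep-disable race.
 * Hypothetical names throughout; nothing here is the kernel's own code. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

enum buf_state { BUF_STATE_EMPTY, BUF_STATE_FULL };

struct model_common { unsigned locked_completions; };      /* stands in for fsg_common */
struct model_buffhd { int inreq_busy; enum buf_state state; }; /* stands in for fsg_buffhd */
struct model_ep { struct model_common *_Atomic driver_data; }; /* stands in for usb_ep */
struct model_req { struct model_buffhd *context; };         /* stands in for usb_request */

/* Optional callback run right after the handler has taken its snapshot of
 * driver_data; used to inject a disable into the window the check cannot see. */
typedef void (*race_hook)(struct model_ep *ep);

/* Endpoint disable: clears driver_data, as the commit message says happens. */
static void ep_disable(struct model_ep *ep)
{
    atomic_store(&ep->driver_data, NULL);
}

/* Returns 1 if the handler took the normal (locked) path, 0 if it bailed out
 * because its snapshot of driver_data was NULL. */
static int bulk_in_complete_model(struct model_ep *ep, struct model_req *req,
                                  race_hook hook)
{
    struct model_common *common = atomic_load(&ep->driver_data); /* one snapshot */
    struct model_buffhd *bh = req->context;

    if (hook)
        hook(ep);            /* simulate disable racing in after the snapshot */

    if (!common) {           /* the check the patch adds */
        bh->inreq_busy = 0;
        bh->state = BUF_STATE_EMPTY;
        return 0;
    }
    /* spin_lock(&common->lock) would go here in the real driver */
    bh->inreq_busy = 0;
    bh->state = BUF_STATE_EMPTY;
    common->locked_completions++;
    return 1;
}

static int run_scenario(race_hook hook, int disable_first)
{
    struct model_common common = { 0 };
    struct model_buffhd bh = { 1, BUF_STATE_FULL };
    struct model_req req = { &bh };
    struct model_ep ep;

    atomic_init(&ep.driver_data, &common);
    if (disable_first)
        ep_disable(&ep);
    return bulk_in_complete_model(&ep, &req, hook);
}

/* Disable completes before the completion runs: the NULL check catches it. */
static int scenario_disable_before_completion(void) { return run_scenario(NULL, 1); }

/* Disable lands between the snapshot and the check: the handler still sees the
 * old non-NULL pointer and proceeds, so the check alone does not close this window. */
static int scenario_disable_after_snapshot(void) { return run_scenario(ep_disable, 0); }

/* No disable at all: normal locked path. */
static int scenario_no_disable(void) { return run_scenario(NULL, 0); }

int main(void)
{
    printf("disable before completion -> %d\n", scenario_disable_before_completion());
    printf("disable after snapshot    -> %d\n", scenario_disable_after_snapshot());
    printf("no disable                -> %d\n", scenario_no_disable());
    return 0;
}
```

The second scenario is the caveat a reviewer would want to see spelled out: the added check only covers driver_data already being NULL when the handler reads it. Whether a disable that lands after that read is harmful depends on how long the object behind the pointer stays alive, which this model does not claim to know about the real driver.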
+11 −1
@@ -450,13 +450,23 @@ static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
	struct fsg_buffhd	*bh = req->context;

	if (req->status || req->actual != req->length)
		DBG(common, "%s --> %d, %u/%u\n", __func__,
		pr_debug("%s --> %d, %u/%u\n", __func__,
		    req->status, req->actual, req->length);
	if (req->status == -ECONNRESET)		/* Request was cancelled */
		usb_ep_fifo_flush(ep);

	/* Hold the lock while we update the request and buffer states */
	smp_wmb();
	/*
	 * Disconnect and completion might race each other and driver data
	 * is set to NULL during ep disable. So, add a check if that is case.
	 */
	if (!common) {
		bh->inreq_busy = 0;
		bh->state = BUF_STATE_EMPTY;
		return;
	}

	spin_lock(&common->lock);
	bh->inreq_busy = 0;
	bh->state = BUF_STATE_EMPTY;
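Review bot: the new NULL check and early return are inserted after the "Hold the lock while we update the request and buffer states" comment and the smp_wmb(), so that comment now sits several statements away from the spin_lock(&common->lock) it describes; move the check, with its own comment, above that block, or do the two field updates (bh->inreq_busy = 0; bh->state = BUF_STATE_EMPTY;) once and take the lock only under if (common), so the early-return branch does not duplicate the locked path minus the lock. The check also tests the local common captured earlier in the function (above this hunk), so it covers driver_data already being NULL on entry but not a disable that runs between that load and the spin_lock; the commit message should say why that remaining window is safe, since the lifetime of the object behind common is not visible here. Finally, swapping DBG(common, ...) for pr_debug(...) is what removes the last dereference of common ahead of the check, but neither the commit message nor a comment mentions it; add a line explaining that.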