
Commit 3cdaa366 authored by Saket Saurabh, committed by Gerrit - the friendly Code Review server

USB: u_ether: Fix race between gether_disconnect and rx_submit



Race is happening when both rx_submit() and gether_disconnect()
execute in parallel. When rndis is disabled, in
gether_disconnect() dev->port_usb is set to NULL. On the other side,
rx_submit() executes in parallel and dev->port_usb is accessed,
leading to a NULL pointer dereference.

Fix the issue by extending the spin_lock protection for
dev->port_usb in rx_submit().

Change-Id: Ie788cde9dac56230046503be68ad3ab8a9839eec
Signed-off-by: Saket Saurabh <ssaurabh@codeaurora.org>
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
parent fdafb970
+4 −3
@@ -239,11 +239,11 @@ rx_submit(struct eth_dev *dev, struct usb_request *req, gfp_t gfp_flags)
		out = dev->port_usb->out_ep;
	else
		out = NULL;
	spin_unlock_irqrestore(&dev->lock, flags);

	if (!out)
	if (!out) {
		spin_unlock_irqrestore(&dev->lock, flags);
		return -ENOTCONN;

	}

	/* Padding up to RX_EXTRA handles minor disagreements with host.
	 * Normally we use the USB "terminate on short read" convention;
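Review bot: with the unlock moved inside `if (!out) {`, dev->lock stays held with interrupts disabled on the fall-through path, so every exit between this point and the unlock in the next hunk has to release it, and nothing in that range may sleep. Only the -ENOTCONN return is visible here; please confirm that the lines between the two hunks contain no other return, allocation or blocking call. A short comment at the `if (!out)` block saying the lock is deliberately kept to cover the later dev->port_usb reads would stop someone from "restoring" the early unlock.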
@@ -267,6 +267,7 @@ rx_submit(struct eth_dev *dev, struct usb_request *req, gfp_t gfp_flags)

	if (dev->port_usb->is_fixed)
		size = max_t(size_t, size, dev->port_usb->fixed_out_len);
	spin_unlock_irqrestore(&dev->lock, flags);

	DBG(dev, "%s: size: %zd\n", __func__, size);
	skb = alloc_skb(size + NET_IP_ALIGN, gfp_flags);
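Review bot: the new `spin_unlock_irqrestore(&dev->lock, flags);` after the `is_fixed` size adjustment ends the protected region just before DBG() and alloc_skb(), which is the right place since the allocation uses the caller's gfp_flags, but it means any dereference of dev->port_usb further down rx_submit() is still unprotected against gether_disconnect(). The rest of the function is not shown in this hunk; please check that it only uses the `out` value sampled under the lock and does not read dev->port_usb again, and consider stating that locking rule in the commit message.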