
Commit c5021b3d authored by Vijayavardhan Vennapusa, committed by Mayank Rana

USB: gadget: mass_storage: Fix Null pointer access during disconnect

There is a chance that the completion handler and ep disable race each other,
and it might happen that the completion handler gets called after driver_data
is set to NULL as part of function disable. This results in a crash. Hence
add a check in the completion handler to check whether driver_data is NULL
to fix the issue.

Change-Id: I3496811f52af79e8dccb701b2753a81f5d5a2340
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
parent f842ad22
+11 −2
@@ -469,15 +469,24 @@ static void bulk_out_complete(struct usb_ep *ep, struct usb_request *req)
	struct fsg_common	*common = ep->driver_data;
	struct fsg_buffhd	*bh = req->context;

	dump_msg(common, "bulk-out", req->buf, req->actual);
	if (req->status || req->actual != bh->bulk_out_intended_length)
		DBG(common, "%s --> %d, %u/%u\n", __func__,
		pr_debug("%s --> %d, %u/%u\n", __func__,
		    req->status, req->actual, bh->bulk_out_intended_length);
	if (req->status == -ECONNRESET)		/* Request was cancelled */
		usb_ep_fifo_flush(ep);

	/* Hold the lock while we update the request and buffer states */
	smp_wmb();
	/*
	 * Disconnect and completion might race each other and driver data
	 * is set to NULL during ep disable. So, add a check if that is case.
	 */
	if (!common) {
		bh->outreq_busy = 0;
		return;
	}

	dump_msg(common, "bulk-out", req->buf, req->actual);
	spin_lock(&common->lock);
	bh->outreq_busy = 0;
	bh->state = BUF_STATE_FULL;
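Review bot: the new `if (!common)` check only narrows the race, it does not close it: `common` is loaded from `ep->driver_data` once at function entry with no synchronization against the disable path, and the `smp_wmb()` above the check is a write barrier that orders nothing on the reader side, so a disable that clears `driver_data` after that load is not caught, and one that clears it before the load is caught only by chance of ordering. A more robust fix would leave `driver_data` untouched in disable and rely on the request status (`-ESHUTDOWN`/`-ECONNRESET`) to decide whether to abandon the buffer, or take `common->lock` in the disable path so the two are ordered. Two smaller points in the same hunk: the early-return path writes `bh->outreq_busy = 0` without `common->lock` and leaves `bh->state` unchanged, so the code that later inspects the buffer must tolerate a busy flag cleared outside the lock; and the `DBG(common, ...)` to `pr_debug(...)` change plus moving `dump_msg()` below the check are required for correctness (both dereference `common`), which is worth saying in the commit message so they are not reverted as cosmetic.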