USB: gadget: ether: Fix memory corruption issues with multi_pkt_xfers (f8afc31a) · Commits · e / devices / android_kernel_fairphone_FP3

drivers/usb/gadget/function/u_ether.c

+18 −2

Original line number	Diff line number	Diff line
		@@ -543,7 +543,7 @@ static void tx_complete(struct usb_ep ep, struct usb_request req)
		spin_lock(&dev->req_lock);
		list_add_tail(&req->list, &dev->tx_reqs);

		if (dev->port_usb->multi_pkt_xfer) {
		if (dev->port_usb->multi_pkt_xfer && !req->context) {
		dev->no_tx_req_used--;
		req->length = 0;
		in = dev->port_usb->in_ep;
		@@ -608,6 +608,14 @@ static void tx_complete(struct usb_ep ep, struct usb_request req)
		spin_unlock(&dev->req_lock);
		}
		} else {
		/* Is aggregation already enabled and buffers allocated ? */
		if (dev->port_usb->multi_pkt_xfer && dev->tx_req_bufsize) {
		req->buf = kzalloc(dev->tx_req_bufsize, GFP_ATOMIC);
		req->context = NULL;
		} else {
		req->buf = NULL;
		}

		spin_unlock(&dev->req_lock);
		dev_kfree_skb_any(skb);
		}
		@@ -641,6 +649,9 @@ static int alloc_tx_buffer(struct eth_dev *dev)

		if (!req->buf)
		goto free_buf;

		/* req->context is not used for multi_pkt_xfers */
		req->context = NULL;
		}
		return 0;

		@@ -684,11 +695,16 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb,
		}

		/* Allocate memory for tx_reqs to support multi packet transfer */
		spin_lock_irqsave(&dev->req_lock, flags);
		if (multi_pkt_xfer && !dev->tx_req_bufsize) {
		retval = alloc_tx_buffer(dev);
		if (retval < 0)
		if (retval < 0) {
		spin_unlock_irqrestore(&dev->req_lock, flags);
		return -ENOMEM;
		}
		}

		spin_unlock_irqrestore(&dev->req_lock, flags);

		/* apply outgoing CDC or RNDIS filters */
		if (skb && !is_promisc(cdc_filter)) {