Commit 49e25df1 authored Jun 26, 2018 by Chandana Kishori Chiluveru Committed by Gerrit - the friendly Code Review server Feb 23, 2020

usb: gadget: Mark notify_modem as NULL on usb_cser_disconnect



On some targets, f_serial switches transport path from
char_bridge to TTY in DUN+SoftAP scenario. As a part of that,
we call usb_cser_disconnect but notify_modem callback is still
marked as usb_cser_notify_modem. Then on getting a SETUP req
from host PC, usb_cser_notify_modem is called which can lead
to NULL pointer dereference because port_usb is NULL.

Fix this by marking notify_modem callback as NULL on
usb_cser_disconnect.

Change-Id: I4470030cde6f38b905f7a88e16ed9f261a8954d6
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
Signed-off-by: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>

parent 79419aed

drivers/usb/gadget/function/f_cdev.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -1551,8 +1551,10 @@ int usb_cser_connect(struct f_cdev *port)

		void usb_cser_disconnect(struct f_cdev *port)
		{
		struct cserial *cser;
		unsigned long flags;

		cser = &port->port_usb;
		usb_cser_stop_io(port);

		/* lower DTR to modem */
		@@ -1560,6 +1562,7 @@ void usb_cser_disconnect(struct f_cdev *port)

		spin_lock_irqsave(&port->port_lock, flags);
		port->is_connected = false;
		cser->notify_modem = NULL;
		port->nbytes_from_host = port->nbytes_to_host = 0;
		port->nbytes_to_port_bridge = 0;
		spin_unlock_irqrestore(&port->port_lock, flags);