Commit a603aa8d authored Mar 02, 2017 by Vijayavardhan Vennapusa Committed by Jack Pham Jan 30, 2018

USB: composite: Check return value before composite_setup_complete()

Currently driver is calling composite_setup_complete() when request
queuing to control endpoint fails. During disconnect or composition switch,
ep_queue() fails with -ESHUTDOWN return value. In this case also, driver is
calling composite_setup_complete(), which leads to invalid pointer
dereference. Fix it by not calling composite_setup_complete() in case of
return value of -ESHUTDOWN as anyhow composite_unbind() will take care of
clearing pending flags before freeing request buffers.

Change-Id: I87ea6ecb1e925c6b36dede59486e49ba3a4e90c7
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
Signed-off-by: Jack Pham <jackp@codeaurora.org>

parent c4877f1b

drivers/usb/gadget/composite.c

+5 −3

Original line number	Diff line number	Diff line
		@@ -2010,8 +2010,9 @@ composite_setup(struct usb_gadget gadget, const struct usb_ctrlrequest ctrl)
		if (value < 0) {
		DBG(cdev, "ep_queue --> %d\n", value);
		req->status = 0;
		composite_setup_complete(gadget->ep0,
		req);
		if (value != -ESHUTDOWN)
		composite_setup_complete(
		gadget->ep0, req);
		}
		}
		return value;
		@@ -2097,6 +2098,7 @@ composite_setup(struct usb_gadget gadget, const struct usb_ctrlrequest ctrl)
		if (value < 0) {
		DBG(cdev, "ep_queue --> %d\n", value);
		req->status = 0;
		if (value != -ESHUTDOWN)
		composite_setup_complete(gadget->ep0, req);
		}
		} else if (value == USB_GADGET_DELAYED_STATUS && w_length != 0) {