Commit 3e920c48 authored Apr 11, 2014 by Sujeet Kumar

USB: u_bam: Avoid NULL pointer dereference in gbam_connect_work



In gbam_connect_work the port_usb may be NULL
as this might have been freed from gbam_free_requests
as part of gbam_disconnect. This is because
gbam_connect and rmnet_disable can run in parallel.
When back to back rmnet connect and disconnect happens,
this issue occurs.

Protect NULL pointer dereference by adding a NULL
check for port_usb. This pointer is already protected
under spinlock.

Also, if gbam_start_io fails for rx requests allocation
then free the tx requests, not the rx.

CRs-Fixed: 647073
Change-Id: I9d3a15ab2523d30365ac7ab8ce021fe513269b32
Signed-off-by: Sujeet Kumar <ksujeet@codeaurora.org>

parent 707fd824

drivers/usb/gadget/u_bam.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -920,7 +920,9 @@ static void gbam_start_io(struct gbam_port *port)

		if (_gbam_start_io(port, false)) {
		spin_lock_irqsave(&port->port_lock_dl, flags);
		gbam_free_requests(port->port_usb->in, &port->data_ch.rx_idle);
		if (port->port_usb)
		gbam_free_requests(port->port_usb->in,
		&port->data_ch.tx_idle);
		spin_unlock_irqrestore(&port->port_lock_dl, flags);
		return;
		}