Commit 4f13ea7d authored Feb 18, 2014 by Jack Pham

usb: gadget: android: Save/restore ep0 completion function



The android_setup() function currently gives the f_accessory
setup function first opportunity to handle control requests
in order to support Android Open Accessory (AOA) hosts. That
function makes use of cdev->req and overrides its completion
function, but not in all cases. Thus, if a later request uses
the same request pointer but doesn't (re)set req->complete it
could result in the wrong completion function being called and
causing invalid memory access.

One way to fix this would be to explicitly set req->complete in
all cases but that might require auditing all function drivers
that have ep0 handling. Instead, note that the composite device
had already initially set cdev->req->complete and simply cache
and restore that pointer at the start of android_setup().

CRs-fixed: 601818
Change-Id: I33bcd17bd20687a349d537d1013b52a2afef6996
Signed-off-by: Jack Pham <jackp@codeaurora.org>

parent ce80330c

drivers/usb/gadget/android.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -174,6 +174,9 @@ struct android_dev {
		struct usb_composite_dev *cdev;
		struct device *dev;

		void (setup_complete)(struct usb_ep ep,
		struct usb_request *req);

		bool enabled;
		int disable_depth;
		struct mutex mutex;
		@@ -3166,6 +3169,9 @@ static int android_bind(struct usb_composite_dev *cdev)

		dev->cdev = cdev;

		/* Save the default handler */
		dev->setup_complete = cdev->req->complete;

		/*
		* Start disconnected. Userspace will connect the gadget once
		* it is done configuring the functions.
		@@ -3245,6 +3251,7 @@ android_setup(struct usb_gadget gadget, const struct usb_ctrlrequest c)

		req->zero = 0;
		req->length = 0;
		req->complete = dev->setup_complete;
		gadget->ep0->driver_data = cdev;

		list_for_each_entry(conf, &dev->configs, list_item)