usb: gadget: mbim: protect packets queue corruption (bd1d89b3) · Commits · e / devices / android_kernel_sony_msm8994

drivers/usb/gadget/f_mbim.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -1695,8 +1695,10 @@ mbim_read(struct file fp, char __user buf, size_t count, loff_t *pos)
		return -EIO;
		}

		spin_lock(&dev->lock);
		while (list_empty(&dev->cpkt_req_q)) {
		pr_debug("Requests list is empty. Wait.\n");
		spin_unlock(&dev->lock);
		ret = wait_event_interruptible(dev->read_wq,
		!list_empty(&dev->cpkt_req_q));
		if (ret < 0) {
		@@ -1705,11 +1707,13 @@ mbim_read(struct file fp, char __user buf, size_t count, loff_t *pos)
		return -ERESTARTSYS;
		}
		pr_debug("Received request packet\n");
		spin_lock(&dev->lock);
		}

		cpkt = list_first_entry(&dev->cpkt_req_q, struct ctrl_pkt,
		list);
		if (cpkt->len > count) {
		spin_unlock(&dev->lock);
		mbim_unlock(&dev->read_excl);
		pr_err("cpkt size too big:%d > buf size:%d\n",
		cpkt->len, count);
		@@ -1719,6 +1723,7 @@ mbim_read(struct file fp, char __user buf, size_t count, loff_t *pos)
		pr_debug("cpkt size:%d\n", cpkt->len);

		list_del(&cpkt->list);
		spin_unlock(&dev->lock);
		mbim_unlock(&dev->read_excl);

		ret = copy_to_user(buf, cpkt->buf, cpkt->len);