
Commit c6658c2c authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server

Merge "usb: gadget: mbim: protect packets queue corruption"

parents 6f141ab0 bd1d89b3
+5 −0
@@ -1695,8 +1695,10 @@ mbim_read(struct file *fp, char __user *buf, size_t count, loff_t *pos)
		return -EIO;
	}

	spin_lock(&dev->lock);
	while (list_empty(&dev->cpkt_req_q)) {
		pr_debug("Requests list is empty. Wait.\n");
		spin_unlock(&dev->lock);
		ret = wait_event_interruptible(dev->read_wq,
			!list_empty(&dev->cpkt_req_q));
		if (ret < 0) {
@@ -1705,11 +1707,13 @@ mbim_read(struct file *fp, char __user *buf, size_t count, loff_t *pos)
			return -ERESTARTSYS;
		}
		pr_debug("Received request packet\n");
		spin_lock(&dev->lock);
	}

	cpkt = list_first_entry(&dev->cpkt_req_q, struct ctrl_pkt,
							list);
	if (cpkt->len > count) {
		spin_unlock(&dev->lock);
		mbim_unlock(&dev->read_excl);
		pr_err("cpkt size too big:%d > buf size:%d\n",
				cpkt->len, count);
@@ -1719,6 +1723,7 @@ mbim_read(struct file *fp, char __user *buf, size_t count, loff_t *pos)
	pr_debug("cpkt size:%d\n", cpkt->len);

	list_del(&cpkt->list);
	spin_unlock(&dev->lock);
	mbim_unlock(&dev->read_excl);

	ret = copy_to_user(buf, cpkt->buf, cpkt->len);
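Review bot: In the oversize-packet branch the `spin_unlock(&dev->lock);` comes before the `pr_err` that still reads `cpkt->len`, while the packet remains linked on `dev->cpkt_req_q`; if any other path can unlink and free queued packets (none is visible on this page), that read races with it. Issuing the `pr_err(...)` before `spin_unlock(&dev->lock);`, or copying `cpkt->len` into a local while the lock is held and using that for both the check and the message, closes the window. Separately, the locking here is plain `spin_lock`; if `cpkt_req_q` is also filled from a USB completion handler running in interrupt context, which this page does not show, `spin_lock_irqsave(&dev->lock, flags)` would be needed in `mbim_read` to avoid a same-CPU deadlock. A short comment at the first lock site, such as `/* dev->lock protects cpkt_req_q; it is dropped while sleeping */`, would document the invariant the loop relies on. The body of `mbim_read` starts and ends outside the visible hunks.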