Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4a445e58 authored by Vijayavardhan Vennapusa's avatar Vijayavardhan Vennapusa
Browse files

USB: gadget: f_qc_rndis: Add check before queuing notification available 



There is a chance that rndis_response_available() and unbind() race each
other due to which request's buffer might have freed and could cause
accessing freed buffer pointer. Hence add check before accessing buffer
pointer of USB request for interrupt endpoint.

CRs-Fixed: 973943
Change-Id: I34af9cd7bbce89507c6b424aad2786f758ddc1e6
Signed-off-by: default avatarVijayavardhan Vennapusa <vvreddy@codeaurora.org>
parent 1c10389d

drivers/usb/gadget/function/f_qc_rndis.c

+3 −0
Original line number Diff line number Diff line
@@ -472,6 +472,9 @@ static void rndis_qc_response_available(void *_rndis) 
	if (atomic_inc_return(&rndis->notify_count) != 1)

		return;



	if (!rndis->notify->driver_data)

		return;



	/* Send RNDIS RESPONSE_AVAILABLE notification; a

	 * USB_CDC_NOTIFY_RESPONSE_AVAILABLE "should" work too

	 *