
Commit 634d9594 authored by Manu Gautam, committed by Jack Pham

usb: gadget: f_mbim: Fix cpkt_resp_q list corruption on disconnect



mbim_write drops lock before queuing the request to controller.
If USB gets disconnected or composition switch happens before
lock is acquired again then ep_queue fails and driver tries to
delete cpkt_list which is already deleted and freed, causing
corruption. Add dev->online check after acquiring the spin_lock
to check USB connection state.

CRs-fixed: 849289
Change-Id: I1de570e45b3ceff3e3af61e4a78682ef8dac77ad
Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
parent 6b4066e4
+7 −4
@@ -1871,12 +1871,15 @@ mbim_write(struct file *fp, const char __user *buf, size_t count, loff_t *pos)
			   req, GFP_ATOMIC);
	if (ret == -ENOTSUPP || (ret < 0 && ret != -EAGAIN)) {
		spin_lock_irqsave(&dev->lock, flags);
		/* check if device disconnected while we dropped lock */
		if (atomic_read(&dev->online)) {
			list_del(&cpkt->list);
		spin_unlock_irqrestore(&dev->lock, flags);
		dev->cpkt_drop_cnt++;
			atomic_dec(&dev->not_port.notify_count);
		pr_err("drop ctrl pkt of len %d error %d\n", cpkt->len, ret);
			mbim_free_ctrl_pkt(cpkt);
		}
		dev->cpkt_drop_cnt++;
		spin_unlock_irqrestore(&dev->lock, flags);
		pr_err("drop ctrl pkt of len %d error %d\n", cpkt->len, ret);
	} else {
		ret = 0;
	}
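Review bot: the `pr_err("drop ctrl pkt of len %d error %d\n", cpkt->len, ret);` that now sits after the `if (atomic_read(&dev->online))` block reads `cpkt->len` after `mbim_free_ctrl_pkt(cpkt);` has already freed the packet in the online path, so the fix trades the list corruption for a use-after-free read in the error log. Either log before freeing (keep `pr_err` inside the block ahead of `mbim_free_ctrl_pkt`) or copy the length into a local before the block, e.g. `int len = cpkt->len;` at the top of the branch and `pr_err("... %d ...", len, ret);` afterwards. Leaving `cpkt` untouched in the offline path is consistent with the commit message, which says the disconnect path has already unlinked and freed the list, but it would help to note in the comment that `dev->online` is cleared under `dev->lock` on disconnect, since the whole fix depends on that ordering and it is not visible in this hunk.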