USB: gadget: mass_storage: Fix Null pointer access during disconnect
There is a chance that the completion handler and ep disable race each other, so the completion handler may be called after driver_data has been set to NULL as part of function disable. This results in a crash. Hence add a check in the completion handler for whether driver_data is NULL to fix the issue. CRs-Fixed: 891650 Change-Id: I79ce3967533d2a7cb7591ccfe50b095a540e9884 Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
parent
fdddc49ef2
commit
2e83ddb8b7
1 changed files with 11 additions and 1 deletions
|
@ -454,13 +454,23 @@ static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
|
|||
struct fsg_buffhd *bh = req->context;
|
||||
|
||||
if (req->status || req->actual != req->length)
|
||||
DBG(common, "%s --> %d, %u/%u\n", __func__,
|
||||
pr_debug("%s --> %d, %u/%u\n", __func__,
|
||||
req->status, req->actual, req->length);
|
||||
if (req->status == -ECONNRESET) /* Request was cancelled */
|
||||
usb_ep_fifo_flush(ep);
|
||||
|
||||
/* Hold the lock while we update the request and buffer states */
|
||||
smp_wmb();
|
||||
/*
|
||||
* Disconnect and completion might race each other and driver data
|
||||
* is set to NULL during ep disable. So, add a check if that is case.
|
||||
*/
|
||||
if (!common) {
|
||||
bh->inreq_busy = 0;
|
||||
bh->state = BUF_STATE_EMPTY;
|
||||
return;
|
||||
}
|
||||
|
||||
spin_lock(&common->lock);
|
||||
bh->inreq_busy = 0;
|
||||
bh->state = BUF_STATE_EMPTY;
|
||||
|
|
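Review bot: The new `if (!common)` branch writes `bh->inreq_busy` and `bh->state` with no lock held and then returns, so the NULL test avoids the crash in `spin_lock(&common->lock)` but does not serialize the completion against the disable path that clears driver_data. The existing comment `/* Hold the lock while we update the request and buffer states */` now sits above code that updates those states unlocked; at minimum the branch should say so, e.g. `/* function already disabled: no lock to take, nobody to wake; bh is only marked idle */`. The assignment of `common` and the rest of `bulk_in_complete` lie outside the hunk, so whether `bh` (taken from `req->context`) is still valid at this point cannot be confirmed here; if the disable path can free or reuse the buffer heads before outstanding requests have completed, this branch is a use-after-free rather than a NULL dereference. The diffstat shows only this handler changed, so any sibling completion handler that reads driver_data the same way presumably still has the original crash.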