USB: composite: Check return value before composite_setup_complete()

Currently driver is calling composite_setup_complete() when request queuing to control endpoint fails. During disconnect or composition switch, ep_queue() fails with -ESHUTDOWN return value. In this case also, driver is calling composite_setup_complete(), which leads to invalid pointer dereference. Fix it by not calling composite_setup_complete() in case of return value of -ESHUTDOWN as anyhow composite_unbind() will take care of clearing pending flags before freeing request buffers. Change-Id: I87ea6ecb1e925c6b36dede59486e49ba3a4e90c7 Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
2017-03-02 16:07:13 +05:30 · 2017-03-02 16:07:13 +05:30 · 399fa239e4
commit 399fa239e4
parent 3a7e752617
1 changed files with 5 additions and 2 deletions
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@ -1942,7 +1942,9 @@ unknown:
 			if (value < 0) {
 				DBG(cdev, "ep_queue --> %d\n", value);
 				req->status = 0;
-				composite_setup_complete(gadget->ep0, req);
+				if (value != -ESHUTDOWN)
+					composite_setup_complete(gadget->ep0,
+									req);
 			}
 			return value;
 		}
@ -2031,6 +2033,7 @@ try_fun_setup:
 		if (value < 0) {
 			DBG(cdev, "ep_queue --> %d\n", value);
 			req->status = 0;
+			if (value != -ESHUTDOWN)
 				composite_setup_complete(gadget->ep0, req);
 		}
 	} else if (value == USB_GADGET_DELAYED_STATUS && w_length != 0) {