From 8b5f119fba94e61fdc271fc555a7357e34192704 Mon Sep 17 00:00:00 2001
From: Sujeet Kumar
Date: Thu, 28 Jan 2016 10:27:44 -0800
Subject: [PATCH] USB: f_fs: Fix epfile crash during composition switch

epfile's ep pointer may be NULL during adb transfer and composition switch happening in parallel. As part of composition switch, first it is set to NONE. Setting sys.usb.config to NONE stops adb and disables the composition. stop adb is not blocking call and adb still might be doing epfile read/write for some time when function unbind is ongoing making the data structures NULL. To fix this crash, call usb_ep_dequeue only if ep->ep is valid. Similarly in success case, return ep->status only if ep->ep is valid otherwise return -ENODEV.

Change-Id: Ic152fc1db31cad6f97b8d16d91350dad857a4bf9
Signed-off-by: Sujeet Kumar
Signed-off-by: Mayank Rana
---
 drivers/usb/gadget/function/f_fs.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 214c19de2589..c7adc17c1b30 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -833,8 +833,11 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 /* nop */
 } else if (unlikely(
 wait_for_completion_interruptible(&done))) {
+ spin_lock_irq(&epfile->ffs->eps_lock);
+ if (ep->ep)
+ usb_ep_dequeue(ep->ep, req);
+ spin_unlock_irq(&epfile->ffs->eps_lock);
 ret = -EINTR;
- usb_ep_dequeue(ep->ep, req);
 } else {
 /*
 * XXX We may end up silently droping data
@@ -843,7 +846,12 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 * to maxpacketsize), we may end up with more
 * data then user space has space for.
 */
- ret = ep->status;
+ spin_lock_irq(&epfile->ffs->eps_lock);
+ if (ep->ep)
+ ret = ep->status;
+ else
+ ret = -ENODEV;
+ spin_unlock_irq(&epfile->ffs->eps_lock);
 if (io_data->read && ret > 0) {
 ret = copy_to_iter(data, ret, &io_data->data);
 if (!ret)
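Review bot: The new guard `if (ep->ep)` still dereferences `ep` itself, a `struct ffs_ep` pointer obtained before the blocking `wait_for_completion_interruptible()` and not re-validated here, so the check only closes the race if the unbind path clears `ep->ep` while holding `epfile->ffs->eps_lock` and does not free the `ffs_ep` it belongs to before that; neither invariant is visible in this hunk, and if teardown writes the pointer without the lock the added locking narrows the window rather than removing it. That dependency should be written down at the check, e.g. `/* ep->ep is cleared under eps_lock on unbind; never dequeue on a torn-down ep */`, so the next change to the disable path knows what it must preserve. Note also that `req` is dequeued without any corresponding validity check, which presumably is fine only because it is owned by the same `ffs_ep`. ffs_epfile_io starts and ends outside this hunk.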
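Review bot: In the success branch the `else ret = -ENODEV;` arm silently replaces whatever the completion handler stored in `ep->status`, and nothing explains why a completed request should report "no device" rather than its own status once `ep->ep` is NULL; a one-line comment is needed, e.g. `/* endpoint torn down while we waited: ep->status is stale, report -ENODEV */`. The copy that follows is guarded by `ret > 0`, so the new error value cannot reach `copy_to_iter`, which is worth stating in the same comment since the data buffer is still live at that point. The lock/check/unlock sequence is now duplicated in both hunks; if a third caller appears it would be cleaner as a small static helper taking `epfile` and `ep`. ffs_epfile_io starts and ends outside this hunk.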