AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2025-03-31 13:01:47 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity

usb: gadget: forbid queuing request to a disabled ep

Browse Source 
Queue a request to disabled ep  doesn't make sense, and induce caller
make mistakes.

Here is a example for the android mtp gadget function driver. A mem
corruption can happen on below senario.
1) On disconnect, mtp driver disable its EPs,
2) During send_file_work and receive_file_work, mtp queues a request
   to ep. (The mtp driver need improve its synchronization logic!)
3) mtp_function_unbind is invoked and all mtp requests are freed.
4) when udc process the request queued on step 2, will cause kernel
   NULL pointer dereference exception.

Signed-off-by: Du, Changbin <changbin.du@intel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
This commit is contained in:
Du, Changbin 2015-12-18 15:36:40 +08:00 committed by Felipe Balbi
parent 6d76c92c2f
commit 8a0859b65b
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/linux/usb/gadget.h
View File

@ -402,6 +402,9 @@ static inline void usb_ep_free_request(struct usb_ep *ep,
static inline int usb_ep_queue(struct usb_ep *ep,
struct usb_request *req, gfp_t gfp_flags)
{
if (WARN_ON_ONCE(!ep->enabled && ep->address))
return -ESHUTDOWN;
return ep->ops->queue(ep, req, gfp_flags);
}