diff options
author | Krzysztof Opasiak <k.opasiak@samsung.com> | 2017-01-31 18:12:31 +0100 |
---|---|---|
committer | Felipe Balbi <felipe.balbi@linux.intel.com> | 2017-03-22 10:21:10 +0100 |
commit | 25cd9721c2b16ee0d775e36ec3af31f392003f80 (patch) | |
tree | f374f081506004e4c0e1208b5f1f069b0d9006c0 | |
parent | usb: gadget: udc: remove pointer dereference after free (diff) | |
download | linux-25cd9721c2b16ee0d775e36ec3af31f392003f80.tar.xz linux-25cd9721c2b16ee0d775e36ec3af31f392003f80.zip |
usb: gadget: f_hid: fix: Don't access hidg->req without spinlock held
hidg->req should be accessed only with write_spinlock held as it is
set to NULL when we get disabled by host.
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
-rw-r--r-- | drivers/usb/gadget/function/f_hid.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c index 89b48bcc377a..5eea44823ca0 100644 --- a/drivers/usb/gadget/function/f_hid.c +++ b/drivers/usb/gadget/function/f_hid.c @@ -367,7 +367,7 @@ try_again: count = min_t(unsigned, count, hidg->report_length); spin_unlock_irqrestore(&hidg->write_spinlock, flags); - status = copy_from_user(hidg->req->buf, buffer, count); + status = copy_from_user(req->buf, buffer, count); if (status != 0) { ERROR(hidg->func.config->cdev, @@ -378,9 +378,9 @@ try_again: spin_lock_irqsave(&hidg->write_spinlock, flags); - /* we our function has been disabled by host */ + /* when our function has been disabled by host */ if (!hidg->req) { - free_ep_req(hidg->in_ep, hidg->req); + free_ep_req(hidg->in_ep, req); /* * TODO * Should we fail with error here? @@ -394,7 +394,7 @@ try_again: req->complete = f_hidg_req_complete; req->context = hidg; - status = usb_ep_queue(hidg->in_ep, hidg->req, GFP_ATOMIC); + status = usb_ep_queue(hidg->in_ep, req, GFP_ATOMIC); if (status < 0) { ERROR(hidg->func.config->cdev, "usb_ep_queue error on int endpoint %zd\n", status); |