ANDROID: usb: gadget: f_accessory: Mitgate handling of non-existent USB request

Prevents mishandling USB requests that are no longer present.

Bug: 161010552
Fixes: 483cb5629ea78 ("ANDROID: usb: gadget: f_accessory: Add Android Accessory function")
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I8ff24d6d49214c3bd10a1b5d5e72814ec2a91c61

diff --git a/drivers/usb/gadget/function/f_accessory.c b/drivers/usb/gadget/function/f_accessory.c
index 718e01e3190fbdcd3f6d89a24fc0feeb4202013c..b6adf7d803efe0e143cc8cccd504583f1fd3b9df 100644 (file)
--- a/drivers/usb/gadget/function/f_accessory.c
+++ b/drivers/usb/gadget/function/f_accessory.c
@@ -601,8 +601,11 @@ fail:
        pr_err("acc_bind() could not allocate requests\n");
        while ((req = req_get(dev, &dev->tx_idle)))
                acc_request_free(req, dev->ep_in);
-       for (i = 0; i < RX_REQ_MAX; i++)
+       for (i = 0; i < RX_REQ_MAX; i++) {
                acc_request_free(dev->rx_req[i], dev->ep_out);
+               dev->rx_req[i] = NULL;
+       }
+
        return -1;
 }
 
@@ -634,6 +637,12 @@ static ssize_t acc_read(struct file *fp, char __user *buf,
                goto done;
        }
 
+       if (!dev->rx_req[0]) {
+               pr_warn("acc_read: USB request already handled/freed");
+               r = -EINVAL;
+               goto done;
+       }
+
        /*
         * Calculate the data length by considering termination character.
         * Then compansite the difference of rounding up to
@@ -1098,8 +1107,10 @@ acc_function_unbind(struct usb_configuration *c, struct usb_function *f)
 
        while ((req = req_get(dev, &dev->tx_idle)))
                acc_request_free(req, dev->ep_in);
-       for (i = 0; i < RX_REQ_MAX; i++)
+       for (i = 0; i < RX_REQ_MAX; i++) {
                acc_request_free(dev->rx_req[i], dev->ep_out);
+               dev->rx_req[i] = NULL;
+       }
 
        acc_hid_unbind(dev);
 }