From 22de2e1bc2e6ebff2e6deeaebf26bfe4064ba920 Mon Sep 17 00:00:00 2001 From: Lee Jones Date: Thu, 25 Nov 2021 11:52:14 +0000 Subject: [PATCH] ANDROID: usb: gadget: f_accessory: Mitgate handling of non-existent USB request Prevents mishandling USB requests that are no longer present. Bug: 161010552 Fixes: 483cb5629ea78 ("ANDROID: usb: gadget: f_accessory: Add Android Accessory function") Signed-off-by: Lee Jones Change-Id: I8ff24d6d49214c3bd10a1b5d5e72814ec2a91c61 --- drivers/usb/gadget/function/f_accessory.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/f_accessory.c b/drivers/usb/gadget/function/f_accessory.c index 718e01e3190f..b6adf7d803ef 100644 --- a/drivers/usb/gadget/function/f_accessory.c +++ b/drivers/usb/gadget/function/f_accessory.c @@ -601,8 +601,11 @@ fail: pr_err("acc_bind() could not allocate requests\n"); while ((req = req_get(dev, &dev->tx_idle))) acc_request_free(req, dev->ep_in); - for (i = 0; i < RX_REQ_MAX; i++) + for (i = 0; i < RX_REQ_MAX; i++) { acc_request_free(dev->rx_req[i], dev->ep_out); + dev->rx_req[i] = NULL; + } + return -1; } @@ -634,6 +637,12 @@ static ssize_t acc_read(struct file *fp, char __user *buf, goto done; } + if (!dev->rx_req[0]) { + pr_warn("acc_read: USB request already handled/freed"); + r = -EINVAL; + goto done; + } + /* * Calculate the data length by considering termination character. * Then compansite the difference of rounding up to @@ -1098,8 +1107,10 @@ acc_function_unbind(struct usb_configuration *c, struct usb_function *f) while ((req = req_get(dev, &dev->tx_idle))) acc_request_free(req, dev->ep_in); - for (i = 0; i < RX_REQ_MAX; i++) + for (i = 0; i < RX_REQ_MAX; i++) { acc_request_free(dev->rx_req[i], dev->ep_out); + dev->rx_req[i] = NULL; + } acc_hid_unbind(dev); } -- 2.20.1