usb: gadget: f_hid: fix: Don't access hidg->req without spinlock held
authorKrzysztof Opasiak <k.opasiak@samsung.com>
Tue, 31 Jan 2017 17:12:31 +0000 (18:12 +0100)
committerFelipe Balbi <felipe.balbi@linux.intel.com>
Wed, 22 Mar 2017 09:21:10 +0000 (11:21 +0200)
hidg->req should be accessed only with write_spinlock held as it is
set to NULL when we get disabled by host.

Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
drivers/usb/gadget/function/f_hid.c

index 89b48bcc377a16d426d6f5826a2e1ce5301124b6..5eea44823ca06d06955eb2bc51782cac6cd345ec 100644 (file)
@@ -367,7 +367,7 @@ try_again:
        count  = min_t(unsigned, count, hidg->report_length);
 
        spin_unlock_irqrestore(&hidg->write_spinlock, flags);
-       status = copy_from_user(hidg->req->buf, buffer, count);
+       status = copy_from_user(req->buf, buffer, count);
 
        if (status != 0) {
                ERROR(hidg->func.config->cdev,
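Review bot: Nothing near this `copy_from_user()` explains why the local `req` is still valid once `write_spinlock` has been released on the line above. The commit message says the disable path sets `hidg->req` to NULL; whether that path can also free the request while this copy is in flight is not visible in the hunk, and if it could, user-supplied data would be written into freed memory. I would add a comment such as `/* req was read from hidg->req under write_spinlock; the disable path must not free it while this write is in progress */` and confirm that the disable path honours it. The assignment of `req` and the rest of the function lie outside the hunk.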
@@ -378,9 +378,9 @@ try_again:
 
        spin_lock_irqsave(&hidg->write_spinlock, flags);
 
-       /* we our function has been disabled by host */
+       /* when our function has been disabled by host */
        if (!hidg->req) {
-               free_ep_req(hidg->in_ep, hidg->req);
+               free_ep_req(hidg->in_ep, req);
                /*
                 * TODO
                 * Should we fail with error here?
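Review bot: The `if (!hidg->req)` test after re-taking the lock only detects that the function is disabled at this instant, not that `hidg->req` is still the request captured in `req`. If a disable followed by a re-enable can happen while the lock is dropped (the enable path is not shown here), `hidg->req` would be non-NULL but different from `req`, and the code below would queue a request the function no longer tracks. Comparing identities with `if (hidg->req != req) {` would cover both cases; otherwise a comment should state why a re-enable cannot race with this window. The open TODO also leaves unclear what the writer sees after the free, since the end of this branch is outside the hunk.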
@@ -394,7 +394,7 @@ try_again:
        req->complete = f_hidg_req_complete;
        req->context  = hidg;
 
-       status = usb_ep_queue(hidg->in_ep, hidg->req, GFP_ATOMIC);
+       status = usb_ep_queue(hidg->in_ep, req, GFP_ATOMIC);
        if (status < 0) {
                ERROR(hidg->func.config->cdev,
                        "usb_ep_queue error on int endpoint %zd\n", status);