Merge "usb: gadget: f_cdev: Fix NULL ptr dereference in usb_cser_notify"

author: Linux Build Service Account <lnxbuild@localhost> 2016-08-03 04:58:31 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2016-08-03 04:58:30 -0700
commit: ba8f953e3f26ffbc571fa8985c7ebfbf43909e5a (patch)
tree: 0ffa47f4848b83900cb673447b950efc6679d284
parent: d80ef4e79661383c2d75f12d5f16e51989edc0e7 (diff)
parent: d5ccebfe354149e263b380c2958aa452a80c3ef9 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/drivers/usb/gadget/function/f_cdev.c b/drivers/usb/gadget/function/f_cdev.c
index 0a9a3afd72dd..b22ea656367e 100644
--- a/drivers/usb/gadget/function/f_cdev.c
+++ b/drivers/usb/gadget/function/f_cdev.c
@@ -529,6 +529,14 @@ static int usb_cser_notify(struct f_cdev *port, u8 type, u16 value,
 	const unsigned			len = sizeof(*notify) + length;
 	void				*buf;
 	int				status;
+	unsigned long			flags;
+
+	spin_lock_irqsave(&port->port_lock, flags);
+	if (!port->is_connected) {
+		spin_unlock_irqrestore(&port->port_lock, flags);
+		pr_debug("%s: port disconnected\n", __func__);
+		return -ENODEV;
+	}
 
 	req = port->port_usb.notify_req;
 	port->port_usb.notify_req = NULL;
@@ -544,7 +552,9 @@ static int usb_cser_notify(struct f_cdev *port, u8 type, u16 value,
 	notify->wValue = cpu_to_le16(value);
 	notify->wIndex = cpu_to_le16(port->port_usb.data_id);
 	notify->wLength = cpu_to_le16(length);
+	/* 2 byte data copy */
 	memcpy(buf, data, length);
+	spin_unlock_irqrestore(&port->port_lock, flags);
 
 	status = usb_ep_queue(ep, req, GFP_ATOMIC);
 	if (status < 0) {
author	Linux Build Service Account <lnxbuild@localhost>	2016-08-03 04:58:31 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2016-08-03 04:58:30 -0700
commit	ba8f953e3f26ffbc571fa8985c7ebfbf43909e5a (patch)
tree	0ffa47f4848b83900cb673447b950efc6679d284
parent	d80ef4e79661383c2d75f12d5f16e51989edc0e7 (diff)
parent	d5ccebfe354149e263b380c2958aa452a80c3ef9 (diff)