[PATCH] usb: gadget: serial: fix oops when data rx'd after close

From: Stephen Warren
Date: Wed Aug 16 2017 - 16:30:51 EST

Next message: kbuild test robot: "Re: [PATCH v2] watchdog: dw_wdt: fix overflow issue in dw_wdt_top_in_seconds"
Previous message: Linus Torvalds: "Re: [PATCH 0/1] devpts: use dynamic_dname() to generate proc name"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Stephen Warren <swarren@xxxxxxxxxx>

When the gadget serial device has no associated TTY, do not pass any
received data into the TTY layer for processing; simply drop it instead.
This prevents the TTY layer from calling back into the gadget serial
driver, which will then crash in e.g. gs_write_room() due to lack of
gadget serial device to TTY association (i.e. a NULL pointer dereference).

Signed-off-by: Stephen Warren <swarren@xxxxxxxxxx>
---
drivers/usb/gadget/function/u_serial.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c
index 9b0805f55ad7..16bb24a047d9 100644
--- a/drivers/usb/gadget/function/u_serial.c
+++ b/drivers/usb/gadget/function/u_serial.c
@@ -537,7 +537,7 @@ static void gs_rx_push(unsigned long _port)
}

/* push data to (open) tty */
- if (req->actual) {
+ if (req->actual & tty) {
char *packet = req->buf;
unsigned size = req->actual;
unsigned n;
--
2.14.1

Next message: kbuild test robot: "Re: [PATCH v2] watchdog: dw_wdt: fix overflow issue in dw_wdt_top_in_seconds"
Previous message: Linus Torvalds: "Re: [PATCH 0/1] devpts: use dynamic_dname() to generate proc name"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]