USB: gadget: mass_storage: Fix Null pointer access during disconnect

There is a chance that completion handler and ep disable race each other
and it might happen that completion handler gets called after driver_data
is set to NULL as part of function disable. This results in crash. Hence
add check in completion handler to check if driver_data is NULL or not
to fix the issue.

CRs-Fixed: 891650
Change-Id: I79ce3967533d2a7cb7591ccfe50b095a540e9884
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>

diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c
index f3715d8..9683a5e 100644 (file)
--- a/drivers/usb/gadget/function/f_mass_storage.c
+++ b/drivers/usb/gadget/function/f_mass_storage.c
@@ -454,13 +454,23 @@ static void bulk_in_complete(struct usb_ep *ep, struct usb_request *req)
        struct fsg_buffhd       *bh = req->context;
 
        if (req->status || req->actual != req->length)
-               DBG(common, "%s --> %d, %u/%u\n", __func__,
+               pr_debug("%s --> %d, %u/%u\n", __func__,
                    req->status, req->actual, req->length);
        if (req->status == -ECONNRESET)         /* Request was cancelled */
                usb_ep_fifo_flush(ep);
 
        /* Hold the lock while we update the request and buffer states */
        smp_wmb();
+       /*
+        * Disconnect and completion might race each other and driver data
+        * is set to NULL during ep disable. So, add a check if that is case.
+        */
+       if (!common) {
+               bh->inreq_busy = 0;
+               bh->state = BUF_STATE_EMPTY;
+               return;
+       }
+
        spin_lock(&common->lock);
        bh->inreq_busy = 0;
        bh->state = BUF_STATE_EMPTY;