Currently the driver calls composite_setup_complete() when queuing a
request to the control endpoint fails. During disconnect or a composition
switch, ep_queue() fails with a return value of -ESHUTDOWN. In this case
too, the driver calls composite_setup_complete(), which leads to an invalid
pointer dereference. Fix it by not calling composite_setup_complete() when
the return value is -ESHUTDOWN, since composite_unbind() will take care of
clearing the pending flags before freeing the request buffers.
Change-Id: I87ea6ecb1e925c6b36dede59486e49ba3a4e90c7
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
if (value < 0) {
DBG(cdev, "ep_queue --> %d\n", value);
req->status = 0;
- composite_setup_complete(gadget->ep0, req);
+ if (value != -ESHUTDOWN)
+ composite_setup_complete(gadget->ep0,
+ req);
}
return value;
}
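Review bot: The new `if (value != -ESHUTDOWN)` guard has no comment saying why this one error skips the completion call, so the reasoning exists only in the commit message. I would add above it `/* ep0 is shutting down (disconnect or composition switch): skip the completion, composite_unbind() clears the pending state */`, and the same at the second call site in the following hunk. The skipped path is only safe if composite_unbind() always runs afterwards, which the hunk does not show for the composition-switch case and is worth confirming. Disconnect is triggered from outside the device, so the two guards need to stay identical, and a small static helper used by both sites would keep them in sync. The enclosing function starts outside the hunk.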
if (value < 0) {
DBG(cdev, "ep_queue --> %d\n", value);
req->status = 0;
- composite_setup_complete(gadget->ep0, req);
+ if (value != -ESHUTDOWN)
+ composite_setup_complete(gadget->ep0, req);
}
} else if (value == USB_GADGET_DELAYED_STATUS && w_length != 0) {
WARN(cdev,