3.16.76-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kiruthika Varadarajan Kiruthika.Varadarajan@harman.com
commit d29fcf7078bc8be2b6366cbd4418265b53c94fac upstream.
On spin lock release in rx_submit, gether_disconnect get a chance to run, it makes port_usb NULL, rx_submit access NULL port USB, hence null pointer crash.
Fixed by releasing the lock in rx_submit after port_usb is used.
Fixes: 2b3d942c4878 ("usb ethernet gadget: split out network core") Signed-off-by: Kiruthika Varadarajan Kiruthika.Varadarajan@harman.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/gadget/u_ether.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/usb/gadget/u_ether.c +++ b/drivers/usb/gadget/u_ether.c @@ -202,11 +202,12 @@ rx_submit(struct eth_dev *dev, struct us out = dev->port_usb->out_ep; else out = NULL; - spin_unlock_irqrestore(&dev->lock, flags);
if (!out) + { + spin_unlock_irqrestore(&dev->lock, flags); return -ENOTCONN; - + }
/* Padding up to RX_EXTRA handles minor disagreements with host. * Normally we use the USB "terminate on short read" convention; @@ -227,6 +228,7 @@ rx_submit(struct eth_dev *dev, struct us
if (dev->port_usb->is_fixed) size = max_t(size_t, size, dev->port_usb->fixed_out_len); + spin_unlock_irqrestore(&dev->lock, flags);
skb = alloc_skb(size + NET_IP_ALIGN, gfp_flags); if (skb == NULL) {