usb: adb reboot and then adb disconnect[1/1]

PD#174155: complete_ep 0xffffffc05bed2858, ep->queue empty! Problem: 1. After adb process be killed, data buffer is freed and this memory is allocated for the other. But the address is hold by the controller. 2. Adbd in PC is running. So, the controller receive the data and write to this memory. 3.The value of this memory is modified by the controller. This could cause the memory problem. Solution: whenever io_data->aio equals 1, the data buffer is from a fixed array. Verify: verified by huang xiaojing Change-Id: I2055ea013021c8411bf626ce170e6b32164bef4a Signed-off-by: he.he <he.he@amlogic.com> Conflicts: drivers/usb/gadget/function/f_fs.c
2026-06-10 04:48:04 +09:00 · 2018-10-16 19:20:23 +08:00
parent abc5ce3fe6
commit 62a7c96841
1 changed files with 3 additions and 19 deletions
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -900,13 +900,7 @@ static void ffs_user_copy_worker(struct work_struct *work)

 	if (io_data->read)
 		kfree(io_data->to_free);
-
-#ifdef CONFIG_AMLOGIC_USB
-	if (io_data->aio) {
-		if (buffer)
-			release_ffs_buffer(io_data->ffs, buffer);
-	}
-#else
+#ifndef CONFIG_AMLOGIC_USB
 	kfree(io_data->buf);
 #endif
 	kfree(io_data);
@@ -1012,7 +1006,6 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 #ifdef CONFIG_AMLOGIC_USB
 	struct ffs_ep *ep = epfile->ep;
 	struct ffs_data_buffer *buffer = NULL;
-	int data_aio_flag = -1;
 #else
 	struct ffs_ep *ep;
 #endif
@@ -1114,7 +1107,6 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 		 *reboot adb disconnect,so buffer aways used assign_ffs_buffer.
 		 */
 			buffer = assign_ffs_buffer(epfile->ffs);
-			data_aio_flag = 1;
 			if (unlikely(!buffer)) {
 				ret = -ENOMEM;
 				spin_unlock_irq(&epfile->ffs->eps_lock);
@@ -1161,9 +1153,6 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 		DECLARE_COMPLETION_ONSTACK(done);
 #endif
 		bool interrupted = false;
-#ifdef CONFIG_AMLOGIC_USB
-		data_aio_flag = 1;
-#endif
 		req = ep->req;
 		req->buf      = data;
 		req->length   = data_len;
@@ -1201,9 +1190,6 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
 	} else if (!(req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC))) {
 		ret = -ENOMEM;
 	} else {
-#ifdef CONFIG_AMLOGIC_USB
-		data_aio_flag = -1;
-#endif
 		req->buf      = data;
 		req->length   = data_len;

@@ -1235,10 +1221,8 @@ error_mutex:
 	mutex_unlock(&epfile->mutex);
 error:
 #ifdef CONFIG_AMLOGIC_USB
-	if (data_aio_flag > 0) {
-		if (buffer)
-			release_ffs_buffer(epfile->ffs, buffer);
-	}
+	if (buffer)
+		release_ffs_buffer(epfile->ffs, buffer);
 #else
 	kfree(data);
 #endif