From 71fc5f91d20ea6466fd6e45235257bec6eb5f413 Mon Sep 17 00:00:00 2001 From: Troy Kisky Date: Wed, 25 Sep 2013 18:41:05 -0700 Subject: [PATCH 1/1] usb: gadget: ether: return error from rx_submit if no request This prevents a crash if tftpboot is given a bad filename. rx_req will be released by eth_reset_config which is called by eth_disconnect, which is called using the .disconnect member of usb_gadget_driver by mv_pullup in mv_udc which is called using the .pullup member of usb_gadget_ops by usb_gadget_disconnect which is called by usb_eth_halt which is called using the .halt member of eth_device by eth_halt which is called by TftpHandler when TFTP_ERR_FILE_NOT_FOUND or TFTP_ERR_ACCESS_DENIED occurs I trigger this with the following commands setenv ipaddr 10.0.0.2 && setenv netmask 255.255.255.0 && setenv serverip 10.0.0.1 setenv usbnet_devaddr 00:11:22:33:44:55 && setenv usbnet_hostaddr 00:aa:bb:cc:dd:ee setenv ethprime usb_ether && setenv ethact usb_ether && setenv ncip 10.0.0.1 tftpboot 10800000 10.0.0.1:missing_file Signed-off-by: Troy Kisky --- drivers/usb/gadget/ether.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/ether.c b/drivers/usb/gadget/ether.c index 988cffb31c..cc6cc1f32a 100644 --- a/drivers/usb/gadget/ether.c +++ b/drivers/usb/gadget/ether.c @@ -1536,6 +1536,8 @@ static int rx_submit(struct eth_dev *dev, struct usb_request *req, */ debug("%s\n", __func__); + if (!req) + return -EINVAL; size = (ETHER_HDR_SIZE + dev->mtu + RX_EXTRA); size += dev->out_ep->maxpacket - 1; -- 2.39.2