Commit 505d1f69 authored by Yauheni Kaliuta's avatar Yauheni Kaliuta Committed by Greg Kroah-Hartman

usb: gadget: eem: fix echo command processing

During processing of bunch of eem frames if "echo" command is found
skb is cloned and the cloned version should be used to send reply.
Unfortunately, the data of the original skb were actually used and
the cloned skb is never freed.

Using the cloned skb and freeing the skb in the completion callback
for usb request.
Signed-off-by: default avatarYauheni Kaliuta <yauheni.kaliuta@nokia.com>
Reviewed-by: default avatarFelipe Balbi <balbi@ti.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 5a9443f0
...@@ -314,6 +314,9 @@ eem_unbind(struct usb_configuration *c, struct usb_function *f) ...@@ -314,6 +314,9 @@ eem_unbind(struct usb_configuration *c, struct usb_function *f)
static void eem_cmd_complete(struct usb_ep *ep, struct usb_request *req) static void eem_cmd_complete(struct usb_ep *ep, struct usb_request *req)
{ {
struct sk_buff *skb = (struct sk_buff *)req->context;
dev_kfree_skb_any(skb);
} }
/* /*
...@@ -428,10 +431,11 @@ static int eem_unwrap(struct gether *port, ...@@ -428,10 +431,11 @@ static int eem_unwrap(struct gether *port,
skb_trim(skb2, len); skb_trim(skb2, len);
put_unaligned_le16(BIT(15) | BIT(11) | len, put_unaligned_le16(BIT(15) | BIT(11) | len,
skb_push(skb2, 2)); skb_push(skb2, 2));
skb_copy_bits(skb, 0, req->buf, skb->len); skb_copy_bits(skb2, 0, req->buf, skb2->len);
req->length = skb->len; req->length = skb2->len;
req->complete = eem_cmd_complete; req->complete = eem_cmd_complete;
req->zero = 1; req->zero = 1;
req->context = skb2;
if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC)) if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC))
DBG(cdev, "echo response queue fail\n"); DBG(cdev, "echo response queue fail\n");
break; break;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment