diff options
author | Vijayavardhan Vennapusa <vvreddy@codeaurora.org> | 2016-05-06 13:25:11 +0530 |
---|---|---|
committer | Hemant Kumar <hemantk@codeaurora.org> | 2016-09-06 11:52:23 -0700 |
commit | 7b82923158dad0688ad3848ae3bbb092ad12cb1b (patch) | |
tree | b8566b345787f38f05fa618158eb6bb7d915bd0e /drivers/usb/gadget | |
parent | 11d6060fffff4b7e87d1cadb5f65dfc7f74332cc (diff) |
USB: f_accessory: Fix NULL pointer dereference in acc_read()
If user tries to read /dev/usb_accessory node, it results in calling
acc_read() callback. If accessory interface is not present in current
USB composition, it will lead to crash as dev->ep_out is NULL. Fix
the issue by moving problematic code down after device becomes online.
Change-Id: I6441f6dc3cbe3a84a384fa3e8a6583f65a74659d
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
Diffstat (limited to 'drivers/usb/gadget')
-rw-r--r-- | drivers/usb/gadget/function/f_accessory.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/usb/gadget/function/f_accessory.c b/drivers/usb/gadget/function/f_accessory.c index 3908bc151c2b..d10808aeeb91 100644 --- a/drivers/usb/gadget/function/f_accessory.c +++ b/drivers/usb/gadget/function/f_accessory.c @@ -622,8 +622,6 @@ static ssize_t acc_read(struct file *fp, char __user *buf, if (count > BULK_BUFFER_SIZE) count = BULK_BUFFER_SIZE; - len = ALIGN(count, dev->ep_out->maxpacket); - /* we will block until we're online */ pr_debug("acc_read: waiting for online\n"); ret = wait_event_interruptible(dev->read_wq, dev->online); @@ -632,6 +630,8 @@ static ssize_t acc_read(struct file *fp, char __user *buf, goto done; } + len = ALIGN(count, dev->ep_out->maxpacket); + if (dev->rx_done) { // last req cancelled. try to get it. req = dev->rx_req[0]; |