USB: f_accessory: Fix NULL pointer dereference in acc_read()

If user tries to read /dev/usb_accessory node, it results in calling acc_read() callback. If accessory interface is not present in current USB composition, it will lead to crash as dev->ep_out is NULL. Fix the issue by moving problematic code down after device becomes online. Change-Id: I6441f6dc3cbe3a84a384fa3e8a6583f65a74659d Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
author: Vijayavardhan Vennapusa <vvreddy@codeaurora.org> 2016-05-06 13:25:11 +0530
committer: Hemant Kumar <hemantk@codeaurora.org> 2016-09-06 11:52:23 -0700
commit: 7b82923158dad0688ad3848ae3bbb092ad12cb1b (patch)
tree: b8566b345787f38f05fa618158eb6bb7d915bd0e /drivers/usb/gadget
parent: 11d6060fffff4b7e87d1cadb5f65dfc7f74332cc (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/usb/gadget/function/f_accessory.c b/drivers/usb/gadget/function/f_accessory.c
index 3908bc151c2b..d10808aeeb91 100644
--- a/drivers/usb/gadget/function/f_accessory.c
+++ b/drivers/usb/gadget/function/f_accessory.c
@@ -622,8 +622,6 @@ static ssize_t acc_read(struct file *fp, char __user *buf,
 	if (count > BULK_BUFFER_SIZE)
 		count = BULK_BUFFER_SIZE;
 
-	len = ALIGN(count, dev->ep_out->maxpacket);
-
 	/* we will block until we're online */
 	pr_debug("acc_read: waiting for online\n");
 	ret = wait_event_interruptible(dev->read_wq, dev->online);
@@ -632,6 +630,8 @@ static ssize_t acc_read(struct file *fp, char __user *buf,
 		goto done;
 	}
 
+	len = ALIGN(count, dev->ep_out->maxpacket);
+
 	if (dev->rx_done) {
 		// last req cancelled. try to get it.
 		req = dev->rx_req[0];
author	Vijayavardhan Vennapusa <vvreddy@codeaurora.org>	2016-05-06 13:25:11 +0530
committer	Hemant Kumar <hemantk@codeaurora.org>	2016-09-06 11:52:23 -0700
commit	7b82923158dad0688ad3848ae3bbb092ad12cb1b (patch)
tree	b8566b345787f38f05fa618158eb6bb7d915bd0e /drivers/usb/gadget
parent	11d6060fffff4b7e87d1cadb5f65dfc7f74332cc (diff)