ANDROID: usb: gadget: fix NULL pointer issue in mtp_read()
authorJiebing Li <jiebing.li@intel.com>
Tue, 10 Mar 2015 03:25:50 +0000 (11:25 +0800)
committerAmit Pundir <amit.pundir@linaro.org>
Thu, 25 May 2017 11:07:25 +0000 (16:37 +0530)
pointer dev->ep_out->desc is set to NULL if the MTP function
is disabled during a read operation. So we need to do a pointer check
before accessing it, and add spin lock protection in case it is modified
at another place in the future.

Patchset: mtp

Change-Id: I96d3d685e93276c9065a1aa7b0cbbdc2e159aa6f
Signed-off-by: Jiebing Li <jiebing.li@intel.com>
Signed-off-by: Wang, Yu <yu.y.wang@intel.com>
Signed-off-by: Russ Weight <russell.h.weight@intel.com>
drivers/usb/gadget/function/f_mtp.c

index 87ec420df0a67e7ed5986137064889ee2be9b4c7..b25cb3594d01b4549f55eaf10b3cb242f40af585 100644 (file)
@@ -541,14 +541,10 @@ static ssize_t mtp_read(struct file *fp, char __user *buf,
        ssize_t r = count;
        unsigned xfer;
        int ret = 0;
-       size_t len;
+       size_t len = 0;
 
        DBG(cdev, "mtp_read(%zu)\n", count);
 
-       len = usb_ep_align_maybe(cdev->gadget, dev->ep_out, count);
-       if (len > MTP_BULK_BUFFER_SIZE)
-               return -EINVAL;
-
        /* we will block until we're online */
        DBG(cdev, "mtp_read: waiting for online state\n");
        ret = wait_event_interruptible(dev->read_wq,
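Review bot: Removing the length validation here and re-adding it after the online wait (second hunk) means an oversize `count` now blocks in wait_event_interruptible until the device is online before being rejected with -EINVAL, where it previously failed immediately. That is probably acceptable, since the alignment needs a live ep_out descriptor, but the reason is not recorded anywhere in the function; a one-line comment at the new check site, `/* ep_out->desc is only valid while online: validate count under dev->lock, not before the wait */`, would keep a later maintainer from hoisting the check back up. mtp_read's body continues outside the hunk.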
@@ -558,6 +554,14 @@ static ssize_t mtp_read(struct file *fp, char __user *buf,
                goto done;
        }
        spin_lock_irq(&dev->lock);
+       if (dev->ep_out->desc) {
+               len = usb_ep_align_maybe(cdev->gadget, dev->ep_out, count);
+               if (len > MTP_BULK_BUFFER_SIZE) {
+                       spin_unlock_irq(&dev->lock);
+                       return -EINVAL;
+               }
+       }
+
        if (dev->state == STATE_CANCELED) {
                /* report cancelation to userspace */
                dev->state = STATE_READY;
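Review bot: When `dev->ep_out->desc` is NULL the new check skips the alignment and mtp_read continues with `len == 0`, so whether the read is actually rejected depends on the state checks that follow — presumably a STATE_OFFLINE test below this hunk, which only covers the case if the disable path clears `desc` and updates `dev->state` under the same `dev->lock`. Failing explicitly keeps the validation self-contained and independent of that coupling: `} else { spin_unlock_irq(&dev->lock); return -ENODEV; }`. If the STATE_CANCELED report below must still take precedence over a missing descriptor, place the `desc` check after the state checks instead and say so in a comment. mtp_read's body continues outside the hunk.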