From 4966fb00ef5226cee28c0fb768fed7f5707be158 Mon Sep 17 00:00:00 2001
From: Jiebing Li
Date: Tue, 10 Mar 2015 11:25:50 +0800
Subject: [PATCH] ANDROID: usb: gadget: fix NULL pointer issue in mtp_read()

pointer dev->ep_out->desc is set to NULL if MTP function is disabled during read operation. So we need to do pointer check before access it and add spin lock protection in case it's modified at another place in future.

Patchset: mtp

Change-Id: I96d3d685e93276c9065a1aa7b0cbbdc2e159aa6f
Signed-off-by: Jiebing Li
Signed-off-by: Wang, Yu
Signed-off-by: Russ Weight
---
 drivers/usb/gadget/function/f_mtp.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/gadget/function/f_mtp.c b/drivers/usb/gadget/function/f_mtp.c
index 87ec420df0a6..b25cb3594d01 100644
--- a/drivers/usb/gadget/function/f_mtp.c
+++ b/drivers/usb/gadget/function/f_mtp.c
@@ -541,14 +541,10 @@ static ssize_t mtp_read(struct file *fp, char __user *buf,
 ssize_t r = count;
 unsigned xfer;
 int ret = 0;
- size_t len;
+ size_t len = 0;

 DBG(cdev, "mtp_read(%zu)\n", count);

- len = usb_ep_align_maybe(cdev->gadget, dev->ep_out, count);
- if (len > MTP_BULK_BUFFER_SIZE)
- return -EINVAL;
-
 /* we will block until we're online */
 DBG(cdev, "mtp_read: waiting for online state\n");
 ret = wait_event_interruptible(dev->read_wq,
@@ -558,6 +554,14 @@ static ssize_t mtp_read(struct file *fp, char __user *buf,
 goto done;
 }
 spin_lock_irq(&dev->lock);
+ if (dev->ep_out->desc) {
+ len = usb_ep_align_maybe(cdev->gadget, dev->ep_out, count);
+ if (len > MTP_BULK_BUFFER_SIZE) {
+ spin_unlock_irq(&dev->lock);
+ return -EINVAL;
+ }
+ }
+
 if (dev->state == STATE_CANCELED) {
 /* report cancelation to userspace */
 dev->state = STATE_READY;
-- 
2.34.1
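Review bot: When dev->ep_out->desc is NULL the new block in the second hunk only skips the length computation, so mtp_read() carries on past the locked region with len == 0 instead of failing; the dereference is avoided, but the disabled-endpoint condition is never reported to the caller. What the rest of mtp_read() does with len == 0 lies outside this hunk and cannot be confirmed here, yet returning an error from the same branch looks like the intended behaviour, e.g. `} else { spin_unlock_irq(&dev->lock); return -ENODEV; }` (or whatever code the driver's other paths use for a disabled function). Note also that dev->lock only makes the desc check and the usb_ep_align_maybe() call atomic against other holders of that lock; desc can still become NULL after spin_unlock_irq() unless the disable path takes the same lock, which this diff does not show. The early `return -EINVAL` inside the locked region is correct but diverges from the `goto done` error style visible a few lines above in the same hunk; a short comment such as `/* the function may have been disabled while we waited for the online state */` would explain why the check now lives here rather than at the top of the function, where the first hunk removed it.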