Commit 63e7d79c authored May 02, 2016 by Hemant Kumar Committed by Mayank Rana Feb 06, 2017

usb: gadget: f_mtp: Fix issue of NULL pointer access in mtp_read



MTP usb device node created as a part of mtp function init call.
Userspace can read/write to MTP device using this node. If MTP is
not enabled in the composition and trying to read mtp_usb dev node
from the userspace leading to null pointer access in mtp_read.

Do not access ep OUT maxpacket size in mtp_read. First block on mtp_read
until the state become online which doesn't wakeup from the thread and
expecting for the read completion or state change which occurs as
a part of set_alt.

Change-Id: Icbee5fe7ae2c02b2bca185a0dc7587eb4940058a
Signed-off-by: ChandanaKishori Chiluveru <cchilu@codeaurora.org>
Signed-off-by: Azhar Shaikh <azhars@codeaurora.org>
Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>

parent 83d6a26a

drivers/usb/gadget/function/f_mtp.c

+5 −4

Original line number	Diff line number	Diff line
		@@ -578,10 +578,6 @@ static ssize_t mtp_read(struct file fp, char __user buf,

		DBG(cdev, "mtp_read(%zu)\n", count);

		len = ALIGN(count, dev->ep_out->maxpacket);
		if (len > mtp_rx_req_len)
		return -EINVAL;

		/* we will block until we're online */
		DBG(cdev, "mtp_read: waiting for online state\n");
		ret = wait_event_interruptible(dev->read_wq,
		@@ -590,6 +586,11 @@ static ssize_t mtp_read(struct file fp, char __user buf,
		r = ret;
		goto done;
		}

		len = ALIGN(count, dev->ep_out->maxpacket);
		if (len > mtp_rx_req_len)
		return -EINVAL;

		spin_lock_irq(&dev->lock);
		if (dev->state == STATE_CANCELED) {
		/* report cancelation to userspace */