
Commit c8ce252f authored by Vijayavardhan Vennapusa, committed by Gerrit - the friendly Code Review server

USB: f_fs: Avoid NULL pointer dereference during epfile_io()



If composition switch happens while epfile_io() is in progress,
there is a chance that gadget pointer is accessed after unbind(),
which could be NULL. This could cause accessing NULL pointer and
results in panic. Fix the issue by accessing member variables from
local copy instead of directly accessing from ffs->gadget.

Change-Id: Iec61725da9c82e8c06e66acb8a6bdbc98ff9444a
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
parent 500a177d
+1 −1
@@ -1025,7 +1025,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
			data_len = usb_ep_align_maybe(gadget, ep->ep, data_len);
		spin_unlock_irq(&epfile->ffs->eps_lock);

		extra_buf_alloc = ffs->gadget->extra_buf_alloc;
		extra_buf_alloc = gadget->extra_buf_alloc;
		if (!io_data->read)
			data = kmalloc(data_len + extra_buf_alloc,
					GFP_KERNEL);
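
Review bot: the new read of gadget->extra_buf_alloc still sits after spin_unlock_irq(&epfile->ffs->eps_lock), so the local copy only avoids re-reading ffs->gadget; nothing in this hunk keeps the object behind that pointer valid if unbind() runs in the window after the unlock. Consider capturing extra_buf_alloc before the unlock, next to the usb_ep_align_maybe(gadget, ep->ep, data_len) call, so the value is taken while eps_lock is held. The assignment of the local gadget is outside the visible context; it is worth confirming that it is made under eps_lock and checked for NULL there, and saying so in the commit message, since the fix depends on it.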