
Commit 614aa86d authored by Hemant Kumar

usb: gadget: f_gsi: Get rid of unneeded NULL check in gsi_ctrl_dev_write



c_port will always be allocated as long as gsi is allocated. struct gsi
is getting allocated before char device node is created. usb request and
usb request buffer pointers are not accessed in this function. It is
getting accessed in gsi_ctrl_send_notification() which has a check for
gsi->connected which will not be set until set_alt. Hence get rid of NULL
checks for all these pointers. This helps to reduce the window of use
after free in case write() gets called after driver unbind.

Change-Id: I05ee1d12c8c394a0f62407944eb5ff28092e3d39
Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
parent dabca6e5
+0 −8
@@ -1339,7 +1339,6 @@ static ssize_t gsi_ctrl_dev_write(struct file *fp, const char __user *buf,
	unsigned long flags;
	struct gsi_ctrl_pkt *cpkt;
	struct gsi_ctrl_port *c_port;
	struct usb_request *req;
	enum ipa_usb_teth_prot prot_id =
		*(enum ipa_usb_teth_prot *)(fp->private_data);
	struct gsi_inst_status *inst_cur = &inst_status[prot_id];
@@ -1358,13 +1357,6 @@ static ssize_t gsi_ctrl_dev_write(struct file *fp, const char __user *buf,

	gsi = inst_cur->opts->gsi;
	c_port = &gsi->c_port;
	req = c_port->notify_req;

	if (!c_port || !req || !req->buf) {
		log_event_err("%s: c_port %pK req %p req->buf %p",
			__func__, c_port, req, req ? req->buf : req);
		return -ENODEV;
	}

	if (!count || count > GSI_MAX_CTRL_PKT_SIZE) {
		log_event_err("error: ctrl pkt length %zu", count);
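
Review bot: The two assignments kept at the top of this hunk, `gsi = inst_cur->opts->gsi;` and `c_port = &gsi->c_port;`, still dereference `inst_cur->opts` and `gsi` with no validity check, lock or reference visible in these lines, so a write() that arrives after driver unbind can still touch freed memory right here. Removing the block itself is sound: `&gsi->c_port` is the address of an embedded member and can never be NULL, and the `req` / `req->buf` tests guarded pointers this function does not use. The commit message says the change only reduces the use-after-free window, so please either add a lifetime guard in this path (for example a check made under a lock shared with the unbind path, or a reference held for as long as the file is open) or name in the commit message the follow-up change that closes the race. It would also help to state there that the -ENODEV return for a missing notify request is intentionally gone, since callers that relied on it will now proceed to the length check.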