Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 15b5ff20 authored by Vijayavardhan Vennapusa's avatar Vijayavardhan Vennapusa
Browse files

USB: f_accessory: Fix NULL pointer dereference in acc_read() 



If user tries to read /dev/usb_accessory node, it results in calling
acc_read() callback. If accessory interface is not present in current
USB composition, it will lead to crash as dev->ep_out is NULL. Fix
the issue by moving problematic code down after device becomes online.

Change-Id: I6441f6dc3cbe3a84a384fa3e8a6583f65a74659d
Signed-off-by: default avatarVijayavardhan Vennapusa <vvreddy@codeaurora.org>
parent b2b64139

drivers/usb/gadget/function/f_accessory.c

+2 −2
Original line number Diff line number Diff line
@@ -625,8 +625,6 @@ static ssize_t acc_read(struct file *fp, char __user *buf, 
	if (count > BULK_BUFFER_SIZE)

		count = BULK_BUFFER_SIZE;



	len = ALIGN(count, dev->ep_out->maxpacket);



	/* we will block until we're online */

	pr_debug("acc_read: waiting for online\n");

	ret = wait_event_interruptible(dev->read_wq, dev->online);
@@ -635,6 +633,8 @@ static ssize_t acc_read(struct file *fp, char __user *buf, 
		goto done;

	}



	len = ALIGN(count, dev->ep_out->maxpacket);



	if (dev->rx_done) {

		// last req cancelled. try to get it.

		req = dev->rx_req[0];