usb: gadget: f_mtp: Fix issue of NULL pointer access in mtp_read
MTP usb device node created as a part of mtp function init call. Userspace can read/write to MTP device using this node. If MTP is not enabled in the composition and trying to read mtp_usb dev node from the userspace leading to null pointer access in mtp_read. Do not access ep OUT maxpacket size in mtp_read. First block on mtp_read until the state become online which doesn't wakeup from the thread and expecting for the read completion or state change which occurs as a part of set_alt. Change-Id: Icbee5fe7ae2c02b2bca185a0dc7587eb4940058a Signed-off-by: ChandanaKishori Chiluveru <cchilu@codeaurora.org> Signed-off-by: Azhar Shaikh <azhars@codeaurora.org> Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
This commit is contained in:
ChandanaKishori Chiluveru
Roman Rihter
parent
60387c575c
commit
911dfa4a9d
|
|
@ -563,11 +563,6 @@ static ssize_t mtp_read(struct file *fp, char __user *buf,
|
|||
|
||||
DBG(cdev, "mtp_read(%d)\n", count);
|
||||
|
||||
len = ALIGN(count, dev->ep_out->maxpacket);
|
||||
|
||||
if (len > mtp_rx_req_len)
|
||||
return -EINVAL;
|
||||
|
||||
/* we will block until we're online */
|
||||
DBG(cdev, "mtp_read: waiting for online state\n");
|
||||
ret = wait_event_interruptible(dev->read_wq,
|
||||
|
|
@ -576,6 +571,11 @@ static ssize_t mtp_read(struct file *fp, char __user *buf,
|
|||
r = ret;
|
||||
goto done;
|
||||
}
|
||||
len = ALIGN(count, dev->ep_out->maxpacket);
|
||||
|
||||
if (len > mtp_rx_req_len)
|
||||
return -EINVAL;
|
||||
|
||||
spin_lock_irq(&dev->lock);
|
||||
if (dev->state == STATE_CANCELED) {
|
||||
/* report cancelation to userspace */
|
||||
|
|
|
|||
Loading…
Reference in New Issue