usb: gadget: f_mtp: Fix issue of NULL pointer access in mtp_read

MTP usb device node created as a part of mtp function init call. Userspace can read/write to MTP device using this node. If MTP is not enabled in the composition and trying to read mtp_usb dev node from the userspace leading to null pointer access in mtp_read. Do not access ep OUT maxpacket size in mtp_read. First block on mtp_read until the state become online which doesn't wakeup from the thread and expecting for the read completion or state change which occurs as a part of set_alt. Change-Id: Icbee5fe7ae2c02b2bca185a0dc7587eb4940058a Signed-off-by: ChandanaKishori Chiluveru <cchilu@codeaurora.org> Signed-off-by: Azhar Shaikh <azhars@codeaurora.org> Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2024-11-07 03:47:13 +00:00 · 2015-04-28 10:48:47 +05:30 · 2015-04-28 10:48:47 +05:30 · 911dfa4a9d
commit 911dfa4a9d
parent 60387c575c
1 changed files with 5 additions and 5 deletions
--- a/drivers/usb/gadget/f_mtp.c
+++ b/drivers/usb/gadget/f_mtp.c
@ -563,11 +563,6 @@ static ssize_t mtp_read(struct file *fp, char __user *buf,

 	DBG(cdev, "mtp_read(%d)\n", count);

-	len = ALIGN(count, dev->ep_out->maxpacket);
-
-	if (len > mtp_rx_req_len)
-		return -EINVAL;
-
 	/* we will block until we're online */
 	DBG(cdev, "mtp_read: waiting for online state\n");
 	ret = wait_event_interruptible(dev->read_wq,
@ -576,6 +571,11 @@ static ssize_t mtp_read(struct file *fp, char __user *buf,
 		r = ret;
 		goto done;
 	}
+	len = ALIGN(count, dev->ep_out->maxpacket);
+
+	if (len > mtp_rx_req_len)
+		return -EINVAL;
+
 	spin_lock_irq(&dev->lock);
 	if (dev->state == STATE_CANCELED) {
 		/* report cancelation to userspace */