usb: gadget: f_mtp: Fix issue of NULL pointer access in mtp_read · 9f9acf870f - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

usb: gadget: f_mtp: Fix issue of NULL pointer access in mtp_read

MTP usb device node created as a part of mtp function init call.
Userspace can read/write to MTP device using this node. If MTP is
not enabled in the composition and trying to read mtp_usb dev node
from the userspace leading to null pointer access in mtp_read.

Do not access ep OUT maxpacket size in mtp_read. First block on mtp_read
until the state become online which doesn't wakeup from the thread and
expecting for the read completion or state change which occurs as
a part of set_alt.

Change-Id: Icbee5fe7ae2c02b2bca185a0dc7587eb4940058a
Signed-off-by: ChandanaKishori Chiluveru <cchilu@codeaurora.org>
Signed-off-by: Azhar Shaikh <azhars@codeaurora.org>
Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>

This commit is contained in:

Hemant Kumar

2016-05-02 11:09:00 -07:00

• committed by

Kyle Yan

parent ff1259b38e

commit 9f9acf870f

1 changed files with 5 additions and 4 deletions

									
										9

drivers/usb/gadget/function/f_mtp.c
									
										View file
										
				@ -586,10 +586,6 @@ static ssize_t mtp_read(struct file *fp, char __user *buf,

					DBG(cdev, "mtp_read(%zu)\n", count);

					len = ALIGN(count, dev->ep_out->maxpacket);

					if (len > mtp_rx_req_len)

						return -EINVAL;

					/* we will block until we're online */

					DBG(cdev, "mtp_read: waiting for online state\n");

					ret = wait_event_interruptible(dev->read_wq,

				@ -598,6 +594,11 @@ static ssize_t mtp_read(struct file *fp, char __user *buf,

						r = ret;

						goto done;

					}

					len = ALIGN(count, dev->ep_out->maxpacket);

					if (len > mtp_rx_req_len)

						return -EINVAL;

					spin_lock_irq(&dev->lock);

					if (dev->state == STATE_CANCELED) {

						/* report cancelation to userspace */