• Andrzej Pietrasiewicz's avatar
    usb: gadget: fix NULL pointer dereference · f0f42204
    Andrzej Pietrasiewicz authored
    Fix possible NULL pointer dereference introduced in
    commit 219580e (usb: f_fs: check quirk to pad epout
    buf size when not aligned to maxpacketsize)
    
    In cases we do wait with:
    
    wait_event_interruptible(epfile->wait, (ep = epfile->ep));
    
    for endpoint to be enabled, functionfs_bind() has not been called yet
    and epfile->ffs->gadget is still NULL and the automatic variable 'gadget'
    has been initialized with NULL at the point of its definition.
    Later on it is used as a parameter to:
    
    usb_ep_align_maybe(gadget, ep->ep, len)
    
    which in turn dereferences it.
    
    This patch fixes it by moving the actual assignment to the local 'gadget'
    variable after the potential waiting has completed.
    Signed-off-by: default avatarAndrzej Pietrasiewicz <andrzej.p@samsung.com>
    Acked-by: default avatarMichal Nazarewicz <mina86@mina86.com>
    Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
    f0f42204
f_fs.c 59.3 KB