usb: gadget: fix NULL pointer dereference

Fix possible NULL pointer dereference introduced in
commit 219580e (usb: f_fs: check quirk to pad epout
buf size when not aligned to maxpacketsize)

In cases we do wait with:

wait_event_interruptible(epfile->wait, (ep = epfile->ep));

for endpoint to be enabled, functionfs_bind() has not been called yet
and epfile->ffs->gadget is still NULL and the automatic variable 'gadget'
has been initialized with NULL at the point of its definition.
Later on it is used as a parameter to:

usb_ep_align_maybe(gadget, ep->ep, len)

which in turn dereferences it.

This patch fixes it by moving the actual assignment to the local 'gadget'
variable after the potential waiting has completed.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>

1 files changed, 6 insertions, 1 deletions

diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c
index 306a2b52125c..2b4334394076 100644
--- a/drivers/usb/gadget/f_fs.c
+++ b/drivers/usb/gadget/f_fs.c
@@ -585,7 +585,6 @@ static ssize_t ffs_epfile_io(struct file *file,
                              char __user *buf, size_t len, int read)
 {
         struct ffs_epfile *epfile = file->private_data;
-        struct usb_gadget *gadget = epfile->ffs->gadget;
         struct ffs_ep *ep;
         char *data = NULL;
         ssize_t ret, data_len;
@@ -622,6 +621,12 @@ static ssize_t ffs_epfile_io(struct file *file,
         /* Allocate & copy */
         if (!halt) {
                 /*
+                 * if we _do_ wait above, the epfile->ffs->gadget might be NULL
+                 * before the waiting completes, so do not assign to 'gadget' earlier
+                 */
+                struct usb_gadget *gadget = epfile->ffs->gadget;
+
+                /*
                  * Controller may require buffer size to be aligned to
                  * maxpacketsize of an out endpoint.
                  */