usb: gadget: f_fs: fix NULL pointer dereference when there are no strings

[platform/adaptation/renesas_rcar/renesas_kernel.git] / drivers / usb / gadget / f_fs.c

diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c
index 306a2b5..5bcf7d0 100644 (file)
--- a/drivers/usb/gadget/f_fs.c
+++ b/drivers/usb/gadget/f_fs.c
@@ -585,7 +585,6 @@ static ssize_t ffs_epfile_io(struct file *file,
                             char __user *buf, size_t len, int read)
 {
        struct ffs_epfile *epfile = file->private_data;
-       struct usb_gadget *gadget = epfile->ffs->gadget;
        struct ffs_ep *ep;
        char *data = NULL;
        ssize_t ret, data_len;
@@ -622,6 +621,12 @@ static ssize_t ffs_epfile_io(struct file *file,
        /* Allocate & copy */
        if (!halt) {
                /*
+                * if we _do_ wait above, the epfile->ffs->gadget might be NULL
+                * before the waiting completes, so do not assign to 'gadget' earlier
+                */
+               struct usb_gadget *gadget = epfile->ffs->gadget;
+
+               /*
                 * Controller may require buffer size to be aligned to
                 * maxpacketsize of an out endpoint.
                 */
@@ -1222,11 +1227,13 @@ static int functionfs_bind(struct ffs_data *ffs, struct usb_composite_dev *cdev)
        ffs->ep0req->context = ffs;
 
        lang = ffs->stringtabs;
-       for (lang = ffs->stringtabs; *lang; ++lang) {
-               struct usb_string *str = (*lang)->strings;
-               int id = first_id;
-               for (; str->s; ++id, ++str)
-                       str->id = id;
+       if (lang) {
+               for (; *lang; ++lang) {
+                       struct usb_string *str = (*lang)->strings;
+                       int id = first_id;
+                       for (; str->s; ++id, ++str)
+                               str->id = id;
+               }
        }
 
        ffs->gadget = cdev->gadget;