usb:f_mtp: Prevent NULL pointer deferences in ioctl 21/188021/1
authorPaweł Szewczyk <p.szewczyk@samsung.com>
Wed, 29 Aug 2018 15:11:48 +0000 (17:11 +0200)
committerPaweł Szewczyk <p.szewczyk@samsung.com>
Thu, 30 Aug 2018 10:28:49 +0000 (12:28 +0200)
It's possible that the user will call mtpg_ioctl while the mtp function is not
properly initialized. Although this is erroneous behavior, this change
takes it into consideration and prevents null-pointer dereferences.

Change-Id: I47d88c7cf526064a4d028b851216344c9634439d
Signed-off-by: Paweł Szewczyk <p.szewczyk@samsung.com>
drivers/usb/gadget/function/f_mtp.c

index 684abebde31d60799bb08f65096f5e7618909fab..4f5ac6b8cbded69881218f638501c9fa1cd2b45e 100644 (file)
@@ -933,7 +933,7 @@ static void read_send_work(struct work_struct *work)
 static long mtpg_ioctl(struct file *fd, unsigned int code, unsigned long arg)
 {
        struct mtp_event event;
-       struct mtpg_dev *dev = fd->private_data;
+       struct mtpg_dev *dev;
        struct usb_composite_dev *cdev;
        struct usb_request *req;
        struct usb_ep *bulk_in;
@@ -945,9 +945,17 @@ static long mtpg_ioctl(struct file *fd, unsigned int code, unsigned long arg)
        void __user *ubuf = (void __user *)arg;
        char buf[USB_PTPREQUEST_GETSTATUS_SIZE + 1] = { 0 };
 
+       if (!fd) {
+               pr_info("mtpg_ioctl fail, null fd structure\n");
+               return -ENODEV;
+       }
+
+       dev = fd->private_data;
+
        DEBUG_MTPB("[%s] with cmd:[%04x]\n", __func__, code);
 
-       if (!the_mtpg) {
+       if (!the_mtpg || !the_mtpg->function.config
+                       || !the_mtpg->function.config->cdev) {
                pr_info("mtpg_ioctl fail, usb not yet enabled for MTP\n");
                return -ENODEV;
        }
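Review bot: The widened guard `if (!the_mtpg || !the_mtpg->function.config || !the_mtpg->function.config->cdev)` is a check-then-use on shared state: no lock is taken in the visible lines, so a concurrent unbind or disconnect could presumably clear `function.config` or `cdev` after the test and before the code below the hunk dereferences them. If the driver has a lock that serialises bind/unbind against file operations, the test and the later uses should both sit under it; as written the change narrows the window rather than closing it. Separately, `dev = fd->private_data` is never tested, while the added `!fd` test guards a pointer that is not NULL when the handler is reached through the file_operations table; `if (!dev) return -ENODEV;` after the assignment would cover the not-yet-initialised case the commit message describes. Both `pr_info` calls are reachable from user space on every failing ioctl, so `pr_info_ratelimited(...)` would keep a caller from flooding the kernel log. The body of mtpg_ioctl continues outside the hunk, so how `dev` and `cdev` are used afterwards should be confirmed there.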