USB: gadget: g_fs: possible invalid pointer reference bug fixed
During __gfs_do_config() some invalid pointers may be left in usb_configuration::interfaces array from previous calls to the __gfs_do_config() for the same configuration. This will always happen if an user space function which has a fewer then the last user space function registers itself. Composite's set_config() function that a pointer after the last interface in usb_configuration::interface is NULL unless the array is full. This patch makes the __gfs_do_config() make sure that if the usb_configuration::interface is not full then a pointer after the last interface is NULL. Signed-off-by: Michal Nazarewicz <m.nazarewicz@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
parent
b23097b793
commit
f588c0db39
|
@ -392,6 +392,17 @@ static int __gfs_do_config(struct usb_configuration *c,
|
|||
if (unlikely(ret < 0))
|
||||
return ret;
|
||||
|
||||
/* After previous do_configs there may be some invalid
|
||||
* pointers in c->interface array. This happens every time
|
||||
* a user space function with fewer interfaces than a user
|
||||
* space function that was run before the new one is run. The
|
||||
* compasit's set_config() assumes that if there is no more
|
||||
* then MAX_CONFIG_INTERFACES interfaces in a configuration
|
||||
* then there is a NULL pointer after the last interface in
|
||||
* c->interface array. We need to make sure this is true. */
|
||||
if (c->next_interface_id < ARRAY_SIZE(c->interface))
|
||||
c->interface[c->next_interface_id] = NULL;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue