usb: diag: Avoid NULL pointer dereference in debugfs
The debugfs entry functions used to read and clear the statistics
counters loop over the list of open diag channels. However, a
channel might not be bound to a gadget interface if diag_function_add
doesn't get called, hence its priv_usb member may be NULL. In that
case simply avoid accessing it altogether as its counters aren't used
anyway.
CRs-fixed: 346598
Change-Id: Icbd84ae0df83a5fe4c62b19fd7c95585e8e6e491
Signed-off-by: Jack Pham <jackp@codeaurora.org>
diff --git a/drivers/usb/gadget/f_diag.c b/drivers/usb/gadget/f_diag.c
index c4c7941..72bff49 100644
--- a/drivers/usb/gadget/f_diag.c
+++ b/drivers/usb/gadget/f_diag.c
@@ -664,21 +664,20 @@
struct usb_diag_ch *ch;
list_for_each_entry(ch, &usb_diag_ch_list, list) {
- struct diag_context *ctxt;
+ struct diag_context *ctxt = ch->priv_usb;
- ctxt = ch->priv_usb;
-
- temp += scnprintf(buf + temp, PAGE_SIZE - temp,
- "---Name: %s---\n"
- "endpoints: %s, %s\n"
- "dpkts_tolaptop: %lu\n"
- "dpkts_tomodem: %lu\n"
- "pkts_tolaptop_pending: %u\n",
- ch->name,
- ctxt->in->name, ctxt->out->name,
- ctxt->dpkts_tolaptop,
- ctxt->dpkts_tomodem,
- ctxt->dpkts_tolaptop_pending);
+ if (ctxt)
+ temp += scnprintf(buf + temp, PAGE_SIZE - temp,
+ "---Name: %s---\n"
+ "endpoints: %s, %s\n"
+ "dpkts_tolaptop: %lu\n"
+ "dpkts_tomodem: %lu\n"
+ "pkts_tolaptop_pending: %u\n",
+ ch->name,
+ ctxt->in->name, ctxt->out->name,
+ ctxt->dpkts_tolaptop,
+ ctxt->dpkts_tomodem,
+ ctxt->dpkts_tolaptop_pending);
}
return simple_read_from_buffer(ubuf, count, ppos, buf, temp);
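Review bot: The new `if (ctxt)` guard in the read loop still dereferences `ctxt->in->name` and `ctxt->out->name` without checking the endpoint pointers. The hunk does not show where `in` and `out` are assigned, so if they are only set once the function is bound to a configuration, a channel that has a context but no endpoints yet would fault the same way; consider `if (ctxt && ctxt->in && ctxt->out)` or printing a placeholder for the endpoint names. Separately, `ch->priv_usb` is read once per iteration with no lock visible in either hunk, so if the context can be detached or freed while a debugfs read or reset is walking `usb_diag_ch_list`, the check is racy in both loops; it is worth confirming that the enclosing functions hold whatever lock protects the list and `priv_usb`. Both function bodies start and end outside the hunks.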
@@ -690,13 +689,13 @@
struct usb_diag_ch *ch;
list_for_each_entry(ch, &usb_diag_ch_list, list) {
- struct diag_context *ctxt;
+ struct diag_context *ctxt = ch->priv_usb;
- ctxt = ch->priv_usb;
-
- ctxt->dpkts_tolaptop = 0;
- ctxt->dpkts_tomodem = 0;
- ctxt->dpkts_tolaptop_pending = 0;
+ if (ctxt) {
+ ctxt->dpkts_tolaptop = 0;
+ ctxt->dpkts_tomodem = 0;
+ ctxt->dpkts_tolaptop_pending = 0;
+ }
}
return count;