USB: gadget: f_fs: even zero-length packets require a buffer

Some UDC drivers fails to queue a request if req->buf == NULL even for
ZLP requests. This patch adds a poisoned pointer instead of NULL to
make the code compliant with the gadget specification and catches
possible bug in the UDC driver if it tries to dereference buffer pointer
on ZLP request.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c
index 1499f9e4afa83a70392efb794962c9577a5e5a1c..19fffccc370d3af1e368b5ccd8a98b844c89fa1d 100644 (file)
--- a/drivers/usb/gadget/f_fs.c
+++ b/drivers/usb/gadget/f_fs.c
@@ -368,6 +368,14 @@ static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len)
        req->buf      = data;
        req->length   = len;
 
+       /*
+        * UDC layer requires to provide a buffer even for ZLP, but should
+        * not use it at all. Let's provide some poisoned pointer to catch
+        * possible bug in the driver.
+        */
+       if (req->buf == NULL)
+               req->buf = (void *)0xDEADBABE;
+
        INIT_COMPLETION(ffs->ep0req_completion);
 
        ret = usb_ep_queue(ffs->gadget->ep0, req, GFP_ATOMIC);