diff options
author | Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> | 2015-11-18 06:33:35 +0100 |
---|---|---|
committer | Felipe Balbi <balbi@ti.com> | 2015-11-19 21:48:48 +0100 |
commit | c9eb29503e9655e70448bbbf3697d08a56d24854 (patch) | |
tree | 4f71dac568833c1992a68c84e68873b8c68792f8 | |
parent | usb: kconfig: fix warning of select USB_OTG (diff) | |
download | linux-c9eb29503e9655e70448bbbf3697d08a56d24854.tar.xz linux-c9eb29503e9655e70448bbbf3697d08a56d24854.zip |
usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue()
This patch fixes an issue that NULL pointer dereference happens when
a gadget driver calls usb_ep_dequeue() for ep0 after disconnected
a usb cable. This is because that usbhsg_try_stop() will call
usbhsg_ep_disable(&dcp->ep) when a usb cable is disconnected and
the pipe of dcp (ep0) is set to NULL.
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
-rw-r--r-- | drivers/usb/renesas_usbhs/mod_gadget.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c index de4f97d84a82..8f7a78e70975 100644 --- a/drivers/usb/renesas_usbhs/mod_gadget.c +++ b/drivers/usb/renesas_usbhs/mod_gadget.c @@ -131,7 +131,8 @@ static void __usbhsg_queue_pop(struct usbhsg_uep *uep, struct device *dev = usbhsg_gpriv_to_dev(gpriv); struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv); - dev_dbg(dev, "pipe %d : queue pop\n", usbhs_pipe_number(pipe)); + if (pipe) + dev_dbg(dev, "pipe %d : queue pop\n", usbhs_pipe_number(pipe)); ureq->req.status = status; spin_unlock(usbhs_priv_to_lock(priv)); @@ -685,7 +686,13 @@ static int usbhsg_ep_dequeue(struct usb_ep *ep, struct usb_request *req) struct usbhsg_request *ureq = usbhsg_req_to_ureq(req); struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep); - usbhs_pkt_pop(pipe, usbhsg_ureq_to_pkt(ureq)); + if (pipe) + usbhs_pkt_pop(pipe, usbhsg_ureq_to_pkt(ureq)); + + /* + * To dequeue a request, this driver should call the usbhsg_queue_pop() + * even if the pipe is NULL. + */ usbhsg_queue_pop(uep, ureq, -ECONNRESET); return 0; |