[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20211129181711.962700580@linuxfoundation.org>
Date: Mon, 29 Nov 2021 19:17:20 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Jack Pham <quic_jackp@...cinc.com>,
Albert Wang <albertccwang@...gle.com>
Subject: [PATCH 5.10 009/121] usb: dwc3: gadget: Fix null pointer exception
From: Albert Wang <albertccwang@...gle.com>
commit 26288448120b28af1dfd85a6fa6b6d55a16c7f2f upstream.
In the endpoint interrupt functions
dwc3_gadget_endpoint_transfer_in_progress() and
dwc3_gadget_endpoint_trbs_complete() will dereference the endpoint
descriptor. But it could be cleared in __dwc3_gadget_ep_disable()
when accessory disconnected. So we need to check whether it is null
or not before dereferencing it.
Fixes: f09ddcfcb8c5 ("usb: dwc3: gadget: Prevent EP queuing while stopping transfers")
Cc: stable <stable@...r.kernel.org>
Reviewed-by: Jack Pham <quic_jackp@...cinc.com>
Signed-off-by: Albert Wang <albertccwang@...gle.com>
Link: https://lore.kernel.org/r/20211109092642.3507692-1-albertccwang@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
drivers/usb/dwc3/gadget.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2918,6 +2918,9 @@ static bool dwc3_gadget_endpoint_trbs_co
struct dwc3 *dwc = dep->dwc;
bool no_started_trb = true;
+ if (!dep->endpoint.desc)
+ return no_started_trb;
+
dwc3_gadget_ep_cleanup_completed_requests(dep, event, status);
if (dep->flags & DWC3_EP_END_TRANSFER_PENDING)
@@ -2965,6 +2968,9 @@ static void dwc3_gadget_endpoint_transfe
{
int status = 0;
+ if (!dep->endpoint.desc)
+ return;
+
if (usb_endpoint_xfer_isoc(dep->endpoint.desc))
dwc3_gadget_endpoint_frame_from_event(dep, event);
Powered by blists - more mailing lists