diff mbox

[1/3] usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue()

Message ID 1447307130-6072-2-git-send-email-yoshihiro.shimoda.uh@renesas.com (mailing list archive)
State Superseded
Delegated to: Geert Uytterhoeven
Headers show

Commit Message

Yoshihiro Shimoda Nov. 12, 2015, 5:45 a.m. UTC 
This patch fixes an issue that NULL pointer dereference happens when
a gadget driver calls usb_ep_dequeue() after usb_ep_disable().

Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
---
 drivers/usb/renesas_usbhs/mod_gadget.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

Comments

Felipe Balbi Nov. 17, 2015, 3:31 p.m. UTC | #1 
Hi,

Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> writes:
> This patch fixes an issue that NULL pointer dereference happens when
> a gadget driver calls usb_ep_dequeue() after usb_ep_disable().
>
> Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

and which gadget driver is that ? Let's fix it. We should _not_ call
usb_ep_dequeue() after usb_ep_disable().
Yoshihiro Shimoda Nov. 18, 2015, 2:30 a.m. UTC | #2 
Hi,

> From: Felipe Balbi [mailto:balbi@ti.com]
> Sent: Wednesday, November 18, 2015 12:32 AM
> 
> Hi,
> 
> Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> writes:
> > This patch fixes an issue that NULL pointer dereference happens when
> > a gadget driver calls usb_ep_dequeue() after usb_ep_disable().
> >
> > Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
> 
> and which gadget driver is that ? Let's fix it. We should _not_ call
> usb_ep_dequeue() after usb_ep_disable().

Thank you for your comment.
I assumed that a gadget driver called usb_ep_dequeue() after usb_ep_disable().
However, it was wrong. This driver will call usbhsg_ep_dequeue() in usbhsg_try_stop().
So, if I disconnect a usb cable, and I uninstall a gadget driver, this issue happens
because the dcp->pipe is NULL after disconnected a usb cable.

So, I will revise the commit log as v2.
(Also I would like to fix this issue fundamentally, but it is tough because behavior of
 start/stop and connect/disconnect in this driver is complicated.)

Best regards,
Yoshihiro Shimoda

> --
> balbi
--
To unsubscribe from this list: send the line "unsubscribe linux-sh" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c
index de4f97d..8f7a78e 100644
--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -131,7 +131,8 @@  static void __usbhsg_queue_pop(struct usbhsg_uep *uep,
 	struct device *dev = usbhsg_gpriv_to_dev(gpriv);
 	struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv);
 
-	dev_dbg(dev, "pipe %d : queue pop\n", usbhs_pipe_number(pipe));
+	if (pipe)
+		dev_dbg(dev, "pipe %d : queue pop\n", usbhs_pipe_number(pipe));
 
 	ureq->req.status = status;
 	spin_unlock(usbhs_priv_to_lock(priv));
@@ -685,7 +686,13 @@  static int usbhsg_ep_dequeue(struct usb_ep *ep, struct usb_request *req)
 	struct usbhsg_request *ureq = usbhsg_req_to_ureq(req);
 	struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
 
-	usbhs_pkt_pop(pipe, usbhsg_ureq_to_pkt(ureq));
+	if (pipe)
+		usbhs_pkt_pop(pipe, usbhsg_ureq_to_pkt(ureq));
+
+	/*
+	 * To dequeue a request, this driver should call the usbhsg_queue_pop()
+	 * even if the pipe is NULL.
+	 */
 	usbhsg_queue_pop(uep, ureq, -ECONNRESET);
 
 	return 0;