From patchwork Thu Apr 26 12:47:13 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bin Liu <b-liu@ti.com>
X-Patchwork-Id: 10365937
Return-Path: <linux-usb-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	9A237601BE for <patchwork-linux-usb@patchwork.kernel.org>;
	Thu, 26 Apr 2018 12:47:19 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8ABDC29088
	for <patchwork-linux-usb@patchwork.kernel.org>;
	Thu, 26 Apr 2018 12:47:19 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 7FA5729119; Thu, 26 Apr 2018 12:47:19 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1CB8E29088
	for <patchwork-linux-usb@patchwork.kernel.org>;
	Thu, 26 Apr 2018 12:47:19 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755844AbeDZMrQ (ORCPT
	<rfc822;patchwork-linux-usb@patchwork.kernel.org>);
	Thu, 26 Apr 2018 08:47:16 -0400
Received: from fllnx210.ext.ti.com ([198.47.19.17]:55316 "EHLO
	fllnx210.ext.ti.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754516AbeDZMrO (ORCPT
	<rfc822; linux-usb@vger.kernel.org>); Thu, 26 Apr 2018 08:47:14 -0400
Received: from dflxv15.itg.ti.com ([128.247.5.124])
	by fllnx210.ext.ti.com (8.15.1/8.15.1) with ESMTP id w3QClEto004359
	for <linux-usb@vger.kernel.org>; Thu, 26 Apr 2018 07:47:14 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ti.com;
	s=ti-com-17Q1; t=1524746834;
	bh=qwrL8atrE20ovTnqX9LnHLS78cp8i5Z1vEfSwYuPkWo=;
	h=From:To:CC:Subject:Date:In-Reply-To:References;
	b=NVG6IVMeKaa7CXgtois7Umh+WBv8a6/J7XfGNaT90LUXRujRYVVYhg81g9kXvR5X5
	F/krQCwl5kJFwDpRzd2InWiN1ncGGOkP9GYrJIlXmrh2j/mDbyQ1J0Sz2wgXCNpJbq
	/pblIgpTz6R+cTZjpJl7ceFstWKYTnSILrCk7anI=
Received: from DLEE110.ent.ti.com (dlee110.ent.ti.com [157.170.170.21])
	by dflxv15.itg.ti.com (8.14.3/8.13.8) with ESMTP id w3QClDY0028033
	for <linux-usb@vger.kernel.org>; Thu, 26 Apr 2018 07:47:13 -0500
Received: from DLEE115.ent.ti.com (157.170.170.26) by DLEE110.ent.ti.com
	(157.170.170.21) with Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3;
	Thu, 26 Apr 2018 07:47:13 -0500
Received: from dlep33.itg.ti.com (157.170.170.75) by DLEE115.ent.ti.com
	(157.170.170.26) with Microsoft SMTP Server (version=TLS1_0,
	cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.1466.3 via Frontend
	Transport; Thu, 26 Apr 2018 07:47:13 -0500
Received: from uda0271908.am.dhcp.ti.com (ileax41-snat.itg.ti.com
	[10.172.224.153])
	by dlep33.itg.ti.com (8.14.3/8.13.8) with ESMTP id w3QClDBY013473;
	Thu, 26 Apr 2018 07:47:13 -0500
From: Bin Liu <b-liu@ti.com>
To: <linux-usb@vger.kernel.org>
CC: Sekhar Nori <nsekhar@ti.com>, Bin Liu <b-liu@ti.com>
Subject: [PATCH 3/3] usb: musb: host: fix potential NULL pointer dereference
Date: Thu, 26 Apr 2018 07:47:13 -0500
Message-ID: <1524746833-19565-3-git-send-email-b-liu@ti.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1524746833-19565-1-git-send-email-b-liu@ti.com>
References: <1524746833-19565-1-git-send-email-b-liu@ti.com>
MIME-Version: 1.0
X-EXCLAIMER-MD-CONFIG: e1e8a2fd-e40a-4ac6-ac9b-f7e9cc9ee180
Sender: linux-usb-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-usb.vger.kernel.org>
X-Mailing-List: linux-usb@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

musb_start_urb() doesn't check the 3rd pass-in parameter if it is NULL.
But in musb_bulk_nak_timeout() the parameter passed to musb_start_urb()
is returned from first_qh(), which could be NULL.

So wrap the musb_start_urb() call here with a if condition check to
avoid the potential NULL pointer dereference.

Signed-off-by: Bin Liu <b-liu@ti.com>
---
v2: no changes.

 drivers/usb/musb/musb_host.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
index e50438ae241e..218aadef5bbf 100644
--- a/drivers/usb/musb/musb_host.c
+++ b/drivers/usb/musb/musb_host.c
@@ -990,7 +990,9 @@ static void musb_bulk_nak_timeout(struct musb *musb, struct musb_hw_ep *ep,
 			/* set tx_reinit and schedule the next qh */
 			ep->tx_reinit = 1;
 		}
-		musb_start_urb(musb, is_in, next_qh);
+
+		if (next_qh)
+			musb_start_urb(musb, is_in, next_qh);
 	}
 }