Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d223be4a authored Jun 07, 2017 by Mayank Rana

dwc3: gadget: Add NULL check against endpoint desc



dwc3_ep0_inspect_setup() API inspects received setup packet, and USB
function driver or composite driver tries to provide response to host
using ep0 endpoint. This shall fail if ep0 is already being disabled.
With this failure case, dwc3_ep0_inspect_setup() tries to clear ep0
endpoint halt. This result into NULL pointer crash if ep0 is already
disabled. Hence check ep0 endpoint descriptor against NULL with
__dwc3_gadget_ep_set_halt() API.

Also don't try to halt ep0 endpoint if setup packet's response queueing
is failed on ep0 by checking ret value against -ESHUTDOWN.

CRs-Fixed: 2057291
Change-Id: I7d3b8e46afb845c1b6cdf76e5d0d6b793ba6c854
Signed-off-by: Mayank Rana <mrana@codeaurora.org>

parent 7529b53b

drivers/usb/dwc3/ep0.c

+7 −1

Original line number	Diff line number	Diff line
		@@ -815,7 +815,13 @@ static void dwc3_ep0_inspect_setup(struct dwc3 *dwc,
		dwc->delayed_status = true;

		out:
		if (ret < 0) {
		/*
		* Don't try to halt ep0 if ret is -ESHUTDOWN.
		* ret as -ESHUTDOWN suggests that setup packet related response
		* is available but queueing of ep0 is failed. Possibly ep0 is
		* already disabled.
		*/
		if (ret < 0 && ret != -ESHUTDOWN) {
		dbg_event(0x0, "ERRSTAL", ret);
		dwc3_ep0_stall_and_restart(dwc);
		}

drivers/usb/dwc3/gadget.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -1443,6 +1443,11 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value, int protocol)
		struct dwc3 *dwc = dep->dwc;
		int ret;

		if (!dep->endpoint.desc) {
		dev_dbg(dwc->dev, "(%s)'s desc is NULL.\n", dep->name);
		return -EINVAL;
		}

		if (usb_endpoint_xfer_isoc(dep->endpoint.desc)) {
		dev_err(dwc->dev, "%s is of Isochronous type\n", dep->name);
		return -EINVAL;