
Commit 22e7e0bd authored by Sriharsha Allenki

usb: xhci: Fix NULL pointer dereference as part of queue

In the scatter gather list handling as part of queuing
on the bulk endpoints in host mode, there is a possible
case where sent_len and block_len are both zero for a
non-zero num_sgs. This will cause num_sgs to loop
around zero and become a non-zero value, and access
sg_next for the last SG, which has SG_END set, leading to
a NULL pointer dereference.

Fix this by accessing the properties of SG after
the NULL check.

Change-Id: Ie9c64844fd04c5e2ef5ee53d1583bf9b998649fa
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
parent fbad67d3
+2 −2
@@ -3305,8 +3305,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
			/* New sg entry */
			--num_sgs;
			sent_len -= block_len;
			if (num_sgs != 0) {
			sg = sg_next(sg);
			if (num_sgs != 0 && sg) {
				block_len = sg_dma_len(sg);
				addr = (u64) sg_dma_address(sg);
				addr += sent_len;
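Review bot: the added `sg` check stops the dereference but leaves the root cause described in the commit message in place: `--num_sgs;` still runs unconditionally when sent_len and block_len are both zero, so num_sgs can still wrap to a non-zero value, and `sg = sg_next(sg);` is now called even after the last entry has been consumed. The fix therefore relies on sg_next() returning NULL for the entry with SG_END set; a comment above `if (num_sgs != 0 && sg) {` stating that reliance would help the next reader, and guarding the decrement (only decrementing while num_sgs is non-zero, or not entering this branch when block_len is zero) would address the wrap itself rather than only its symptom.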