Commit d048da8b authored Dec 05, 2017 by Pratham Pratap Committed by Hemant Kumar Mar 05, 2019

usb: dwc3: Avoid NULL pointer access



During Halt Endpoint CH9 test with RNDIS composition
NULL pointer dereference is occurring in
__dwc3_gadget_ep_set_halt function which is trying to
access trb_pool which is already freed. In this case
set_alt 0 is getting called before__dwc3_gadget_ep_set_halt.
As a part of set_alt, ipa_disconnect_handler is getting
called which is freeing the trbs. __dwc3_gadget_ep_set_halt
function is called as a part of std_request from Host side
to halt endpoint. This change adds a NULL check before accessing
trb_pool.

Change-Id: Id51494310f713b9c593e29449442661a1170ee6f
Signed-off-by: Pratham Pratap <prathampratap@codeaurora.org>

parent d8d1bc74

drivers/usb/dwc3/gadget.c

+8 −1

Original line number	Diff line number	Diff line
		@@ -1029,6 +1029,9 @@ static struct dwc3_trb dwc3_ep_prev_trb(struct dwc3_ep dep, u8 index)
		{
		u8 tmp = index;

		if (!dep->trb_pool)
		return NULL;

		if (!tmp)
		tmp = DWC3_TRB_NUM - 1;

		@@ -1696,7 +1699,11 @@ int __dwc3_gadget_ep_set_halt(struct dwc3_ep *dep, int value, int protocol)
		else
		trb = &dwc->ep0_trb[dep->trb_enqueue];

		if (trb)
		transfer_in_flight = trb->ctrl & DWC3_TRB_CTRL_HWO;
		else
		transfer_in_flight = false;

		started = !list_empty(&dep->started_list);

		if (!protocol && ((dep->direction && transfer_in_flight) \|\|