
Commit c9eb2950 authored by Yoshihiro Shimoda, committed by Felipe Balbi

usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue()



This patch fixes an issue where a NULL pointer dereference happens when
a gadget driver calls usb_ep_dequeue() for ep0 after a USB cable is
disconnected. This is because usbhsg_try_stop() will call
usbhsg_ep_disable(&dcp->ep) when a USB cable is disconnected and
the pipe of dcp (ep0) is set to NULL.

Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
parent ac722e30
+9 −2
@@ -131,6 +131,7 @@ static void __usbhsg_queue_pop(struct usbhsg_uep *uep,
	struct device *dev = usbhsg_gpriv_to_dev(gpriv);
	struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv);

	if (pipe)
		dev_dbg(dev, "pipe %d : queue pop\n", usbhs_pipe_number(pipe));

	ureq->req.status = status;
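Review bot: With the `if (pipe)` guard on dev_dbg() in __usbhsg_queue_pop(), a pop on an endpoint whose pipe is NULL emits no debug output at all, so the ep0-after-disconnect case described in the commit message leaves no trace in the log. Consider an else branch that logs the pop without a pipe number, so the completion and the status written to `ureq->req.status` can still be followed when debugging disconnect handling.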
@@ -685,7 +686,13 @@ static int usbhsg_ep_dequeue(struct usb_ep *ep, struct usb_request *req)
	struct usbhsg_request *ureq = usbhsg_req_to_ureq(req);
	struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);

	if (pipe)
		usbhs_pkt_pop(pipe, usbhsg_ureq_to_pkt(ureq));

	/*
	 * To dequeue a request, this driver should call the usbhsg_queue_pop()
	 * even if the pipe is NULL.
	 */
	usbhsg_queue_pop(uep, ureq, -ECONNRESET);

	return 0;
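Review bot: In usbhsg_ep_dequeue(), `pipe` is read once through usbhsg_uep_to_pipe(uep) and then tested with `if (pipe)`, and no lock is visible in this hunk, so the check alone does not serialize against the disconnect path that the commit message says sets the ep0 pipe to NULL. If dequeue can run concurrently with that path, the read, the check and usbhs_pkt_pop() should sit under the same lock the disable path holds. The new comment would also help more if it stated when the pipe is NULL (after a cable disconnect, per the commit message) instead of only that usbhsg_queue_pop() must be called in that case.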