Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e75eeeb4 authored May 29, 2017 by Arumuga Durai A

USB: gadget: ci13xxx_udc: Avoid NULL pointer dereference.



There are some instances where acquire spin_lock using mEp->lock
as one of the argument without checking availability of mEp. Since
mEp is container_of "ep", input parameter 'ep' could be null this leads
to null pointer dereference. Fix this by adding proper check before
acquiring the spin_lock.

CRs-Fixed: 2053686
Change-Id: I712343915da1f838dae6930034ad959b1f3ad4cd
Signed-off-by: Arumuga Durai A <cadurai@codeaurora.org>

parent 7d7aefae

drivers/usb/gadget/ci13xxx_udc.c

+9 −2

Original line number	Diff line number	Diff line
		@@ -3079,8 +3079,11 @@ static int ep_queue(struct usb_ep ep, struct usb_request req,

		trace("%pK, %pK, %X", ep, req, gfp_flags);

		if (ep == NULL)
		return -EINVAL;

		spin_lock_irqsave(mEp->lock, flags);
		if (ep == NULL \|\| req == NULL \|\| mEp->desc == NULL) {
		if (req == NULL \|\| mEp->desc == NULL) {
		retval = -EINVAL;
		goto done;
		}
		@@ -3218,12 +3221,16 @@ static int ep_dequeue(struct usb_ep ep, struct usb_request req)
		__func__);
		return -EAGAIN;
		}

		if (ep == NULL)
		return -EINVAL;

		spin_lock_irqsave(mEp->lock, flags);
		/*
		* Only ep0 IN is exposed to composite. When a req is dequeued
		* on ep0, check both ep0 IN and ep0 OUT queues.
		*/
		if (ep == NULL \|\| req == NULL \|\| mReq->req.status != -EALREADY \|\|
		if (req == NULL \|\| mReq->req.status != -EALREADY \|\|
		mEp->desc == NULL \|\| list_empty(&mReq->queue) \|\|
		(list_empty(&mEp->qh.queue) && ((mEp->type !=
		USB_ENDPOINT_XFER_CONTROL) \|\|