From patchwork Wed Jun 8 07:32:49 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoshihiro Shimoda X-Patchwork-Id: 9163521 X-Patchwork-Delegate: geert@linux-m68k.org Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 8219560832 for ; Wed, 8 Jun 2016 07:33:22 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7325728376 for ; Wed, 8 Jun 2016 07:33:22 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 67E742838D; Wed, 8 Jun 2016 07:33:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EE36428376 for ; Wed, 8 Jun 2016 07:33:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752964AbcFHHdR (ORCPT ); Wed, 8 Jun 2016 03:33:17 -0400 Received: from relmlor1.renesas.com ([210.160.252.171]:40911 "EHLO relmlie4.idc.renesas.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1422803AbcFHHdN (ORCPT ); Wed, 8 Jun 2016 03:33:13 -0400 Received: from unknown (HELO relmlir3.idc.renesas.com) ([10.200.68.153]) by relmlie4.idc.renesas.com with ESMTP; 08 Jun 2016 16:33:10 +0900 Received: from relmlac2.idc.renesas.com (relmlac2.idc.renesas.com [10.200.69.22]) by relmlir3.idc.renesas.com (Postfix) with ESMTP id CBD11474EB; Wed, 8 Jun 2016 16:33:10 +0900 (JST) Received: by relmlac2.idc.renesas.com (Postfix, from userid 0) id BCE682806E; Wed, 8 Jun 2016 16:33:10 +0900 (JST) Received: from relmlac2.idc.renesas.com (localhost [127.0.0.1]) by relmlac2.idc.renesas.com (Postfix) with ESMTP id B7A592806D; Wed, 8 Jun 2016 16:33:10 +0900 (JST) Received: from relmlii1.idc.renesas.com [10.200.68.65] by relmlac2.idc.renesas.com with ESMTP id SAB02447; Wed, 8 Jun 2016 16:33:10 +0900 X-IronPort-AV: E=Sophos;i="5.22,559,1449500400"; d="scan'208";a="212553145" Received: from mail-hk2apc01lp0210.outbound.protection.outlook.com (HELO APC01-HK2-obe.outbound.protection.outlook.com) ([65.55.88.210]) by relmlii1.idc.renesas.com with ESMTP/TLS/AES256-SHA; 08 Jun 2016 16:33:10 +0900 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=renesasgroup.onmicrosoft.com; s=selector1-renesas-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=1JJOdGwcBiAGBAgWjaBdw/ak3wRN/5cjlXdzKXp1h0Y=; b=UY7aoWeYzKduaMaXhZdGrGn+IYyUUnX1XUgOt9XmSE1PvedS5VBM+CePcJ4ez8j4Z1PMkc5vNcUjN/fJ3X6cm5kML/2pP3B88aMlJa9VkWGhNYpU9fDTvOE9kxvkYi7wgmKc/DbfgK5rveUVsELVij8po2yoTnQ4ikePAenPtFQ= Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>; Received: from localhost (211.11.155.144) by SIXPR06MB0922.apcprd06.prod.outlook.com (10.162.173.157) with Microsoft SMTP Server (TLS) id 15.1.517.8; Wed, 8 Jun 2016 07:33:08 +0000 From: Yoshihiro Shimoda To: CC: , , , , Yoshihiro Shimoda Subject: [PATCH 1/2] usb: renesas_usbhs: fix NULL pointer dereference in xfer_work() Date: Wed, 8 Jun 2016 16:32:49 +0900 Message-ID: <1465371170-4828-2-git-send-email-yoshihiro.shimoda.uh@renesas.com> X-Mailer: git-send-email 1.9.4.msysgit.1 In-Reply-To: <1465371170-4828-1-git-send-email-yoshihiro.shimoda.uh@renesas.com> References: <1465371170-4828-1-git-send-email-yoshihiro.shimoda.uh@renesas.com> MIME-Version: 1.0 X-Originating-IP: [211.11.155.144] X-ClientProxiedBy: OS2PR01CA0022.jpnprd01.prod.outlook.com (10.161.74.160) To SIXPR06MB0922.apcprd06.prod.outlook.com (10.162.173.157) X-MS-Office365-Filtering-Correlation-Id: 31377273-6699-4955-3648-08d38f6f232f X-Microsoft-Exchange-Diagnostics: 1; SIXPR06MB0922; 2:X+0MwPsVCQwyZgHvY142fDhuKFAeRSyZYU42/KV19yZaBNBcWhXZ8UdzJ0J0zpdeM/leo6ANyQ6l1yFlvhUtk7cNv8n0X8z/9mGQFddAlU6AdSQMMo+ID6UraPBJ0dlYHLN0uKKXVsfnm1Y/tZh0wDw20KBiEsg3ogVen+a2PzTjQuk82Xm7vEs7inyRxOyf; 3:v5UNlLDYmleV3DpsoCu9PdiBC1M5gySocwjR1heANibjhGQ6dzdRstm2dW4fXUtTpRUxfeHD+EQGY/xn+ZTd3MkFEhwuIxJdpHdl+V9jbszYDcPA/r9pydr6kT8C2R5J; 25:HLqiHwTZSvsrgP9ppnVpgJozNEi8E1roKIS5I/Jswtz98ZmqVGoZjuvqvcQz5kcA8NJBLtluoc4ICM8OEyzKRqTMarlkNGGxhXHH4GcAkfxSMnhUrDO42quqo68LDJtMN/DbpTb2yxeSPCxHaj5gguODYV3RQtiuLn/IuBqNuZ5tKwDbJDcJhjCIOqgTSPayeHtMwqbb7NGq6X9HWP0O6q24B89v516hqGMMNBE/3wDn0DygJm9lOfA9Yov6BxEtfpsrqAtNqx8Hu8NrgPpOMRm9KajT3vMHVrVY9Vj9nZv1Hr8QBaeSFiGsIllCVEVofc1DXU8lT4vkT27JdV19FaA0PY6W0g+SoiDJv6HhrXnKa4XdpKA/Hl7hg3zM/QrOrSLLDm6AcroWX1iWzdrZqEXTrQY0bbDZC3sb+JYWV+o= X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:SIXPR06MB0922; X-Microsoft-Exchange-Diagnostics: 1; SIXPR06MB0922; 20:isnn2cI1HTOMO4fANIJxRjqWIPjUXjehtPrscTXL+Cg1CzLDCc6NZECGndyre9Tyq+oyATi8CaoN3535LnSKK247xMMdLHLU9bLSz/5ZzWMDGSJwe+WqWdxOdHuiDCJKuTgq06/8mr+jX1Of+eooP00e7x/mQv1j8jtW2hQMTj3VweDdjGxx0RAaaVIwUJv6lFGSd3JVoqg9XtXgOb0rhntW2f9CQjGZyl59NN3l8bmvry89C4TU0XSuwTwmwzYAytOXguP6xGacmfk1eM0l8Xt5bu3ArTtlfj6w9KeajkZsH2FR+VZgiBXOEKVtmFD5ikreVUh7cVWZP5sbiePQWTdZ3RBv/icyMiFHc0kjx/WbqIaLhIGbr31gGh+7xuhdkLc9lfab/Z1BdRoQlb2kyPGHBb4Fwh/TYVHj+bSmDBg7+GH8k4LF2nn+EF0f/VMOVvZQXnMYV1PErCww/VzNnHLp6Cfyu9dMWp/4YHmRbipy4Fu3ijvdtyWnp9RVYxye X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:(9452136761055); X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(6058028); SRVR:SIXPR06MB0922; BCL:0; PCL:0; RULEID:; SRVR:SIXPR06MB0922; X-Microsoft-Exchange-Diagnostics: 1; SIXPR06MB0922; 4:KrNnt4tU8tc/1SbNKQxMRyseZwzzDsk2Xeq0sFTbgwvxdTmWDrTLdYwsYG9KZ0zULHnYpdxbnVBsDy2YOHJk/nx2Il53uARwK/ELA1bBJg1sTtE5ZisGwaXMO+R4tXXhmTLoQovxTkcLFQcJfwaqrmQxKcvwrb7E3liv4cx16dbJ/++tBXYhYSSZFhq9Hz0N/Uiu7/5bCdUFCPomJel75oJqDqnWx53/kBQhJDBbj9j+Ke4a6OLRu52scCekDmkxZZmrSovMEs/buqFJ/OShiogkCWzhAhZuol75JcCDBUnegmmwwSnOgJRCsaZZrfoP95AQo/aMm3p/mEs4qZUkDkpeiwJ6ahKZvVkQSoU7Esrmen2U9hiQynjUDNuzzS6gM+cs9gsJj0MdPB0moopVGw7P1vrKvglPgcZ6mPgCteTrqAt7J3+tQy0PGMl6r8LScRfBR+R08MruP13XejRl2A== X-Forefront-PRVS: 0967749BC1 X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(4630300001)(6009001)(6069001)(199003)(189002)(110136002)(107886002)(36756003)(4001430100002)(189998001)(5008740100001)(5003940100001)(76176999)(105586002)(106356001)(50986999)(5004730100002)(50466002)(48376002)(76506005)(101416001)(42186005)(97736004)(229853001)(2351001)(4326007)(81156014)(50226002)(8676002)(66066001)(81166006)(33646002)(19580395003)(78352004)(92566002)(3846002)(6116002)(19580405001)(68736007)(47776003)(77096005)(2906002)(586003)(2950100001); DIR:OUT; SFP:1102; SCL:1; SRVR:SIXPR06MB0922; H:localhost; FPR:; SPF:None; PTR:InfoNoRecords; A:0; MX:0; CAT:NONE; LANG:en; CAT:NONE; X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; SIXPR06MB0922; 23:CzIH/SWCQjgnEd269hsrzZiL1gPanDjg4iiCsGNtD?= =?us-ascii?Q?gETtPmPOqFL3i+8uGQ0JjNVc97+UU8pa7ZPXTXWxkkjaNFqkZkcCMx4GXwcg?= =?us-ascii?Q?on5p5VacXyeoKUHiUFUHMqTfvE7jL0pFBwUHeHG0vXPw6Ftuq+dVetdHYZ+2?= =?us-ascii?Q?1j7RAJ9ERvFl6iEWZZwZAqnqTOE9thRjsarVSZEGEed/eULkjd/kX+KHKogJ?= =?us-ascii?Q?LbCEJK2Js2GueENtpAkwJdayg0Z/g3CFjK1bOp+sbg+J8fouIMGw+LM9J1pI?= =?us-ascii?Q?KS1pdBaqiIM2IWpjFGNVmtfG2IzqnZTi3oeKh9c+OlsTmn58tkigQm0nNhng?= =?us-ascii?Q?J+uzFzq59ycLDgTy8c3Oh1AoJsK7x+S5XUo091P8BQhNB94ucokPAn6WsqoY?= =?us-ascii?Q?mMMl8YMXJgozHgHf0xSJ+ZDV4Xb45QDQu4C6t/BxVMBD1giXgUrWSCxgSXLh?= =?us-ascii?Q?onESPlvqwhMnE1S8n50ZTaUR3A4IeUWdSJrxYg14OYlu0K9SFoKuW4m/2zKP?= =?us-ascii?Q?M4POaQOuiHMduAWeXLdtLucd1MncIdMTvRoBbMXvamj7PjsPTG1yOwbA2SXh?= =?us-ascii?Q?IxR3kNYReiZtgz1RUK6JvA3NPK/qG1Pw9f7ZaUh2wMVZIy2cITa34NwZ53Es?= =?us-ascii?Q?06PFtKj0OKe+HXo76s36dJZqPeh3tC0KDwdN1E5biAr2cWBHJLIX6caVVd69?= =?us-ascii?Q?R9lMeb9ewq+bHw7DAwNn5YMzdPGp/4tdpVJDpaRmMeqH0ImE1Xn8k5YjYggn?= =?us-ascii?Q?GE2sqyuHR9kUU2vrh9iTqhPdMFBqui9xdb/J7T0rT7eivvP52zEow4eT5cxQ?= =?us-ascii?Q?fxdvMP5Cabz+Gr0a/1QETw2I+XovhR1S6s0sCMq35wJh1KzFQd62ZslQbuv/?= =?us-ascii?Q?z39jPnGDKoh+gDgr4nMxG92Dc5yuZ9Hu5Ly41g3I4MIdzvMnPX28ITttLKfs?= =?us-ascii?Q?l/ZniGggmtqcHxXynGTQBeAwaX1gTs61ZQabQ+ckEPcoAhCF42R5sZO+CK0N?= =?us-ascii?Q?GdiUE/ZBv93GmlF3bSAgrV/3HD1A8t6FvHK0BsFf7tyTeiU7jnEQnDsWr+QD?= =?us-ascii?Q?FjXFOEMayR5lqdy3gQE2SFclvecdF/JVEkBErpaPrckIgA3dCZAxNgMbA/fM?= =?us-ascii?Q?Z5jBoE5z84XCLvpn1rHgYuGuG3ik2sl?= X-Microsoft-Exchange-Diagnostics: 1; SIXPR06MB0922; 6:L3WjTBMYzc20FrGKrNtyPlKjRLrVCZJnYwbAI2UTm3AzT6eCCgesdipo+bgTXVSMPFab4OJ/naZRTkM9/VS0K30IQcBA8ACC8u5vOTVh3ERBpfSIpvRzg1KjOtpxikA1ByRnbB8M9BFAXCv8sak7R/gX4g1SnADSN70lXtOvudCNxvFzlxfsaMm9UC3sZHTvwWvOPOcTdIL5LGAR08cf6FBUCqji4UnyD/jmTQ1aJEVVaYh8VbvU2Eu0ihUTzDX2p4GG+Bs3cD4KLl3w0y59zQUc9DMBD7969dDyOF8NZGwUclQ+XeIg+3kNjtMcv2bgK5+KKB8seby2rHGR2Bqeqw==; 5:z8btJQHlWBFAdVRyZCHmvFLyQsE4akwx9+C/7QRRvx1ZQ295B7RqPiVfEgwz9uCwnMQoOlnHeUAkUnNoD0bmgvY38+UwFD2FVPQweObpLUuC50Rv8vBbO8dYBECVMgTciSkyRuMGtVK8Cqr1OQmrog==; 24:8E96VRQi5/YF1urxjKhLb5VktFxqgvlQgrWs9mz4aKcjfxrf0jog9pZCXMLLVLLIgNeiDl9V4sGBH3h8HW9grnk343ByRS+SnnS7iLhxiK8=; 7:rG9eqiGnstudrjNXNi+2VAg5jDYktX9c9exVs62kfR4uzBP3xOyEJZ9KsAv1+rJk/yrv/bG9XMYOV+LmbAr5fOYs8kat5nxNVFURNrKv+XFlvn2tHxfTvXed3QfCgKRcHxIJwPhk11IjyIm3Knzq1gL9xKsrweVRq4UPs4v3UnTIUhQs2xZu/k/ZZXPxZFeS/a62LKO84r5RNSufpdotICew7sKr0ISW+v620v4+MOE= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1; SIXPR06MB0922; 20:+fmjEH7N88ZOKtcnWM2D2owwi3gWL0j6/pbfevDQMcUcMT5YR3gGhOIonOoIl3YtXY2q4WlqhHQLoB0XWp04sQZqKcnWxQbYRonz0L1GeTQbWjMEDi/+wrFK01cvsJxzJqZyq+MJyJkvANi4UdEJGtG3Byx/SMWGPb6iQWo/rG4= X-OriginatorOrg: renesas.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Jun 2016 07:33:08.0685 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-Transport-CrossTenantHeadersStamped: SIXPR06MB0922 Sender: linux-renesas-soc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-renesas-soc@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This patch fixes an issue that the xfer_work() is possible to cause NULL pointer dereference if the usb cable is disconnected while data transfer is running. In such case, a gadget driver may call usb_ep_disable()) before xfer_work() is actually called. In this case, the usbhs_pkt_pop() will call usbhsf_fifo_unselect(), and then usbhs_pipe_to_fifo() in xfer_work() will return NULL. Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support") Cc: # v3.1+ Signed-off-by: Yoshihiro Shimoda --- drivers/usb/renesas_usbhs/fifo.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c index 7be4e7d..280ed5f 100644 --- a/drivers/usb/renesas_usbhs/fifo.c +++ b/drivers/usb/renesas_usbhs/fifo.c @@ -810,20 +810,27 @@ static void xfer_work(struct work_struct *work) { struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work); struct usbhs_pipe *pipe = pkt->pipe; - struct usbhs_fifo *fifo = usbhs_pipe_to_fifo(pipe); + struct usbhs_fifo *fifo; struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe); struct dma_async_tx_descriptor *desc; - struct dma_chan *chan = usbhsf_dma_chan_get(fifo, pkt); + struct dma_chan *chan; struct device *dev = usbhs_priv_to_dev(priv); enum dma_transfer_direction dir; + unsigned long flags; + usbhs_lock(priv, flags); + fifo = usbhs_pipe_to_fifo(pipe); + if (!fifo) + goto xfer_work_end; + + chan = usbhsf_dma_chan_get(fifo, pkt); dir = usbhs_pipe_is_dir_in(pipe) ? DMA_DEV_TO_MEM : DMA_MEM_TO_DEV; desc = dmaengine_prep_slave_single(chan, pkt->dma + pkt->actual, pkt->trans, dir, DMA_PREP_INTERRUPT | DMA_CTRL_ACK); if (!desc) - return; + goto xfer_work_end; desc->callback = usbhsf_dma_complete; desc->callback_param = pipe; @@ -831,7 +838,7 @@ static void xfer_work(struct work_struct *work) pkt->cookie = dmaengine_submit(desc); if (pkt->cookie < 0) { dev_err(dev, "Failed to submit dma descriptor\n"); - return; + goto xfer_work_end; } dev_dbg(dev, " %s %d (%d/ %d)\n", @@ -842,6 +849,9 @@ static void xfer_work(struct work_struct *work) usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans); dma_async_issue_pending(chan); usbhs_pipe_enable(pipe); + +xfer_work_end: + usbhs_unlock(priv, flags); } /*