From patchwork Wed Nov 18 05:33:35 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoshihiro Shimoda X-Patchwork-Id: 7644531 X-Patchwork-Delegate: geert@linux-m68k.org Return-Path: X-Original-To: patchwork-linux-sh@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 0CBA5BF90C for ; Wed, 18 Nov 2015 05:33:51 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id F3BFF2060D for ; Wed, 18 Nov 2015 05:33:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C078220607 for ; Wed, 18 Nov 2015 05:33:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751029AbbKRFds (ORCPT ); Wed, 18 Nov 2015 00:33:48 -0500 Received: from relmlor4.renesas.com ([210.160.252.174]:29970 "EHLO relmlie3.idc.renesas.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1750834AbbKRFdr (ORCPT ); Wed, 18 Nov 2015 00:33:47 -0500 Received: from unknown (HELO relmlir3.idc.renesas.com) ([10.200.68.153]) by relmlie3.idc.renesas.com with ESMTP; 18 Nov 2015 14:33:45 +0900 Received: from relmlac4.idc.renesas.com (relmlac4.idc.renesas.com [10.200.69.24]) by relmlir3.idc.renesas.com (Postfix) with ESMTP id 3DD574D6F0; Wed, 18 Nov 2015 14:33:45 +0900 (JST) Received: by relmlac4.idc.renesas.com (Postfix, from userid 0) id 2E9BA480A6; Wed, 18 Nov 2015 14:33:44 +0900 (JST) Received: from relmlac4.idc.renesas.com (localhost [127.0.0.1]) by relmlac4.idc.renesas.com (Postfix) with ESMTP id EB5FB480A5; Wed, 18 Nov 2015 14:33:44 +0900 (JST) Received: from relmlii1.idc.renesas.com [10.200.68.65] by relmlac4.idc.renesas.com with ESMTP id QAB04423; Wed, 18 Nov 2015 14:33:44 +0900 X-IronPort-AV: E=Sophos;i="5.20,311,1444662000"; d="scan'";a="198811625" Received: from mail-pu1apc01lp0024.outbound.protection.outlook.com (HELO APC01-PU1-obe.outbound.protection.outlook.com) ([65.55.88.24]) by relmlii1.idc.renesas.com with ESMTP/TLS/AES256-SHA; 18 Nov 2015 14:33:42 +0900 Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>; Received: from localhost (211.11.155.144) by SIXPR06MB0924.apcprd06.prod.outlook.com (10.162.180.29) with Microsoft SMTP Server (TLS) id 15.1.325.17; Wed, 18 Nov 2015 05:33:40 +0000 From: Yoshihiro Shimoda To: , CC: , , Yoshihiro Shimoda Subject: [PATCH v2] usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue() Date: Wed, 18 Nov 2015 14:33:35 +0900 Message-ID: <1447824815-4080-1-git-send-email-yoshihiro.shimoda.uh@renesas.com> X-Mailer: git-send-email 1.9.4.msysgit.1 MIME-Version: 1.0 X-Originating-IP: [211.11.155.144] X-ClientProxiedBy: HKXPR03CA0040.apcprd03.prod.outlook.com (10.141.129.30) To SIXPR06MB0924.apcprd06.prod.outlook.com (25.162.180.29) X-Microsoft-Exchange-Diagnostics: 1; SIXPR06MB0924; 2:4BEQh+6bAKfP/U2u/T+UoedSU0FO8eVA9vPczR9eCeEGdDkLGm5kdtC4yKgEkOW/hJUdeQCU+N/eu1Qb96qcJE8Xe5gYcwkZa0bqMDCka4OuASZ/v/JwsSF2TBt/KNr8PZcxvV6yWTjntE0z5MZykF5ZgqPl9OKRKqtZgUD8qq4=; 3:7v+18SGWwYXFKk36C8T0UZhhwYDGr539DvIhbYRr3McF2jlf8iCrBsJUOWUeeBeHg2ZLlK4C15iS9+R9wqJybTpnz7GUMZN/QkkkvRykoD7Jo96nqvZewqHElL3UjR+5fe+9MbKRdrxD+3I51Mi4mw==; 25:Dqj/NWPzcqka0WzfwbelX+OEpYxtARViUwRW/XDqvomJUFNNUPR7K34WhKJS6y83DBWNtybn4bcPr1Vjojha4ZTgwBI1H+/YoNC2ppYhuCdwWFPLOytscn5Quciw6UXlWtRyPnhLcplG0VFVZf3bu22WqPLylj6k1T5qw8w1tbIfluylZkCnagOOJbiHNKDWUzbWvI6COtnFn3/rBtEql5kV98cLlYQPgCA80UeOBHDrKq1aM6SzzlmoXZGckOUXhFYVFHg8D+wCoQfRAP13fA== X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:SIXPR06MB0924; X-Microsoft-Exchange-Diagnostics: 1; SIXPR06MB0924; 20:zc4Nee2Ed/dtDQFRn8iDQZwS/X2jOsqvVIumGitNkCufBbyRjAHRasUIDCzV+rjVPHvX2KMsmuDjsHRDTAGh9QUnnimVqu9cwmZhSBEV4zTmIdK2YftE3MB7MyT4rzo/YF2yq7+fBlRVnB3UPb6HLQ4kosVmC1QBougyuspoRGsSiRjIiTsVWPDtBp5U8MQGT+uZeTe6HApehDG1wqBICtuD01zY2c2RqYFPJogI/InyVYMLpx76VSoLvsyvAYee1wTVz7CJoJGASP24lVkJgEmSA+DFqbyVpQ+FAh9bHI6CLyoq5R9goRDSC9VUbL/S+aMHPx2WU4WcvCdNlwXM7ykKxhXGcsKZppEGf/x+jeuWcyfstGrZ2Q7btgG/oy61ksoxFTA9fMbMvdGICXOs2lxNDN3sEuHay0X685LT/np4TQIzhnStXMASvewsjn6IDDIV9hXO9F5d65GPC2Qd6OUgYT5RhZDNzBE424CDF1PPZNoR791VR6pw9/ST1B6O; 4:rwYIHYpgG2bvsRTEJVfUtUGINTStLMd++vBBwtoIaGJJ4YgklOeYiu6RJfAM4u6XHAyZ67t2/Gxz04s7SOMPlMnE7L1j1mDeaVEfoDkFyx2AA1wKAAfddO8tJEvXKuRwEEsYm6YxS2sz3f6yV4tCwMkDlehYeYG8evhyBQCJ6BSHzYpsxwkZrdlsv452R0GZjXnAGruM41O6j4pDWwKD8QYcIUbrR6uuIA1saBcA4R7QVFdo1MhVO1qnQ+Gqm+YlMqxVI/sHzT+g4NRTv+nvKblB4vlVxdty5ScWBkuB4EsjRDNtod4wdZLZA2jh4CQkQHoU48jH5k7wKzer1jNFtpMQq/s+PeJgYTi7Zg51tCjzCL7klGEGeNHT3478KQeN X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:(85106069007906); X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(2401047)(520078)(5005006)(8121501046)(10201501046)(3002001); SRVR:SIXPR06MB0924; BCL:0; PCL:0; RULEID:; SRVR:SIXPR06MB0924; X-Forefront-PRVS: 0764C4A8CD X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(6009001)(6069001)(189002)(199003)(107886002)(189998001)(48376002)(5004730100002)(78352002)(5003940100001)(50986999)(5008740100001)(42382002)(106356001)(81156007)(97736004)(87976001)(76506005)(40100003)(42186005)(19580395003)(77096005)(4001430100002)(33646002)(105586002)(5001770100001)(47776003)(50226001)(5001920100001)(122386002)(586003)(575784001)(5001960100002)(92566002)(5007970100001)(36756003)(229853001)(19580405001)(66066001)(101416001)(50466002); DIR:OUT; SFP:1102; SCL:1; SRVR:SIXPR06MB0924; H:localhost; FPR:; SPF:None; PTR:InfoNoRecords; MX:0; A:0; LANG:en; X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; SIXPR06MB0924; 23:zGVRomV/dpY2UcO8VBtQb/Nhu+udMFBPu/8VE4doa?= =?us-ascii?Q?moaauU7FaG1UQGKMFeOFC5EcYMZ6p0ojqtMOxp2WbLuh8UBXONE4XLpSHl4z?= =?us-ascii?Q?mj/3+Nm7TfCOGHxPwXRnL307cx4qvttz++GXRMDVVomGRMLjnRhDsr+1on6A?= =?us-ascii?Q?7/zK7DRW5k3HKDizMCP4h3B8ZbYEaw6s0+pvLBdGAKmxhVH5aiz5iC1RJLV9?= =?us-ascii?Q?FWKl9k8Y/bF+fPrb6l63TVYgxAhqL1Y5iY20TPP/Yd3WRm62tqdpsRehkYBN?= =?us-ascii?Q?h1DMpf4f38Rgunck4vmvBTXo2f3CmYzi9mEqxbQ8AdcE7me/Mhif86qil0q0?= =?us-ascii?Q?AciFQt2Ar3aWeYE/0bvDH3jl9lAk04PvMrCVUJm0tDXox36CRNSQJhPJ0PnE?= =?us-ascii?Q?4WkagS6xLCg+V8KROWsCLme6+Zh4Fc5tfrYIOmELdPTGshy5nKiuUHJLaeWP?= =?us-ascii?Q?erjpgF+BsKbp0QyF7j3UG7HlegZrbHJ4696TGBm9tS4MZ2bpaFwfdd2FUqJn?= =?us-ascii?Q?3sdEJI2vPhKh2b+NlBvgCOE/FMrsN3BQfjdBhRHVjsD18M+0GdQivVaEL1Fk?= =?us-ascii?Q?OLl2sBbdTnmgMG5XjDtyWSNC/QV6w5AszbC3nTlzVwS9Zpt3BTKuZNq+N2SG?= =?us-ascii?Q?FqjtxzaC5eiV+4ggvL6c02FLwgVxj58hpTP1vGNuBR0SeaL/KWYgSDn29tw3?= =?us-ascii?Q?oNX15PwgC2ovJBdRCwPqCzoBZ1hLe9yZMEqg7SP2oazsGSpsDcA+bIMDht7Q?= =?us-ascii?Q?aaMzngzWlVTAlTqX3PYvPSf6YvccFwTyVdF0T8TV1Ck0HtdvX/cxOj/S7LL5?= =?us-ascii?Q?SxBggMmFVMLsjKyjS5nMwQUakjNd8kLogfu7HLa9kJ9eSQt5DHFWcXr8xh/1?= =?us-ascii?Q?0qcCrq0MQF7HxdGJKA97yZ9o0Of+FJ0zIS/Id9TeT/qWf4DNZW5L/VttNluw?= =?us-ascii?Q?5GytoCOTdEIxwsjV7Hi3L4z4yDCYqpbbaXwo2vBFd/JXwnGNEPCQ9YowKm4a?= =?us-ascii?Q?AF4KxGZL8ZNDuXL+Jz4bYgvSenhxyhJmJlEgHxva0ynSPL8g1Xnd2ZzIWd0D?= =?us-ascii?Q?TMlDJWN1fpBnONtdOomylwdULdagZBDZm3V2lthBOy9P1NBoXW8uxOFg+C2j?= =?us-ascii?Q?Z+4rDPW/BEp4VHhCC7fZvTVv9ZGuIJv?= X-Microsoft-Exchange-Diagnostics: 1; SIXPR06MB0924; 5:PCK+IPWhiZBlW39Wulfat5ny8NIP9iwt7KpHjDe+4Eg5tCbsHSAKggooClzmv4tW9HrYlGX2HDm4XwAznjNV5KJ2luE3IOp62CMWsqP6zd63TKxodj9GbePdxf+tPUGrkOjprJ/Z7oR3l4iX7Ze+2w==; 24:ju/IzvzUOvZvHGYBpVSTZitGgKh2Vs97AzCEk+r5xubwHYG/mogV0zI3CjkqlaFaT9ZHafJ+W4bZNb/Ag+HNOxeFqWwMDkuY9WPESCZSFcE=; 20:9W54VcuG5YUbsnc+8vadF4u+c4mc69+z5I7KXR5i4DYilzAfo7dEO2rI8R7iWVRv79LlITKK2GzPzYmlWCmkm2Fds2jH4OgtYDxNt6HM+kfEdFCr9Kv/xgfSgjVGOW0YkphSnJn/RBj5t6Ez3zJLk+SnOvoRajZxm0ywERoDQm4= SpamDiagnosticOutput: 1:23 SpamDiagnosticMetadata: NSPM X-OriginatorOrg: renesas.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Nov 2015 05:33:40.6180 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-Transport-CrossTenantHeadersStamped: SIXPR06MB0924 Sender: linux-sh-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-sh@vger.kernel.org X-Spam-Status: No, score=-4.5 required=5.0 tests=AXB_X_OUTLOOKPROT_ENVSDR, BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This patch fixes an issue that NULL pointer dereference happens when a gadget driver calls usb_ep_dequeue() for ep0 after disconnected a usb cable. This is because that usbhsg_try_stop() will call usbhsg_ep_disable(&dcp->ep) when a usb cable is disconnected and the pipe of dcp (ep0) is set to NULL. Signed-off-by: Yoshihiro Shimoda --- This patch is based on the latest Felipe's usb.git / testing/fixes branch. (commit id = 455bfac5ad0a6394835ab10fad68f5ce3053160b) Perhaps this issue has existed from the first gadget support in this driver... Changes from v1: - Rebase the latest testing/fixes branch. - Revise the commit log. - Separate other two patches. (In other words, this is not related to isochronous support) drivers/usb/renesas_usbhs/mod_gadget.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c index de4f97d..8f7a78e 100644 --- a/drivers/usb/renesas_usbhs/mod_gadget.c +++ b/drivers/usb/renesas_usbhs/mod_gadget.c @@ -131,7 +131,8 @@ static void __usbhsg_queue_pop(struct usbhsg_uep *uep, struct device *dev = usbhsg_gpriv_to_dev(gpriv); struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv); - dev_dbg(dev, "pipe %d : queue pop\n", usbhs_pipe_number(pipe)); + if (pipe) + dev_dbg(dev, "pipe %d : queue pop\n", usbhs_pipe_number(pipe)); ureq->req.status = status; spin_unlock(usbhs_priv_to_lock(priv)); @@ -685,7 +686,13 @@ static int usbhsg_ep_dequeue(struct usb_ep *ep, struct usb_request *req) struct usbhsg_request *ureq = usbhsg_req_to_ureq(req); struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep); - usbhs_pkt_pop(pipe, usbhsg_ureq_to_pkt(ureq)); + if (pipe) + usbhs_pkt_pop(pipe, usbhsg_ureq_to_pkt(ureq)); + + /* + * To dequeue a request, this driver should call the usbhsg_queue_pop() + * even if the pipe is NULL. + */ usbhsg_queue_pop(uep, ureq, -ECONNRESET); return 0;