From: <gregkh@linuxfoundation.org>
To: yoshihiro.shimoda.uh@renesas.com, felipe.balbi@linux.intel.com,
gregkh@linuxfoundation.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
Subject: Patch "usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler()" has been added to the 4.4-stable tree
Date: Sun, 17 Apr 2016 03:32:47 -0700 [thread overview]
Message-ID: <1460889167135203@kroah.com> (raw)
This is a note to let you know that I've just added the patch titled
usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler()
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From 894f2fc44f2f3f48c36c973b1123f6ab298be160 Mon Sep 17 00:00:00 2001
From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Date: Thu, 10 Mar 2016 11:30:14 +0900
Subject: usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler()
From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
commit 894f2fc44f2f3f48c36c973b1123f6ab298be160 upstream.
When unexpected situation happened (e.g. tx/rx irq happened while
DMAC is used), the usbhsf_pkt_handler() was possible to cause NULL
pointer dereference like the followings:
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = c0004000
[00000000] *pgd=00000000
Internal error: Oops: 80000007 [#1] SMP ARM
Modules linked in: usb_f_acm u_serial g_serial libcomposite
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.5.0-rc6-00842-gac57066-dirty #63
Hardware name: Generic R8A7790 (Flattened Device Tree)
task: c0729c00 ti: c0724000 task.ti: c0724000
PC is at 0x0
LR is at usbhsf_pkt_handler+0xac/0x118
pc : [<00000000>] lr : [<c03257e0>] psr: 60000193
sp : c0725db8 ip : 00000000 fp : c0725df4
r10: 00000001 r9 : 00000193 r8 : ef3ccab4
r7 : ef3cca10 r6 : eea4586c r5 : 00000000 r4 : ef19ceb4
r3 : 00000000 r2 : 0000009c r1 : c0725dc4 r0 : ef19ceb4
This patch adds a condition to avoid the dereference.
Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/renesas_usbhs/fifo.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -190,7 +190,8 @@ static int usbhsf_pkt_handler(struct usb
goto __usbhs_pkt_handler_end;
}
- ret = func(pkt, &is_done);
+ if (likely(func))
+ ret = func(pkt, &is_done);
if (is_done)
__usbhsf_pkt_del(pkt);
Patches currently in stable-queue which might be from yoshihiro.shimoda.uh@renesas.com are
queue-4.4/usb-renesas_usbhs-fix-to-avoid-using-a-disabled-ep-in-usbhsg_queue_done.patch
queue-4.4/usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch
queue-4.4/usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch
reply other threads:[~2016-04-17 11:12 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1460889167135203@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=felipe.balbi@linux.intel.com \
--cc=stable-commits@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=yoshihiro.shimoda.uh@renesas.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.