From: Greg KH <gregkh@linuxfoundation.org>
To: Wentao Liang <vulab@iscas.ac.cn>
Cc: u.kleine-koenig@baylibre.com, linux-usb@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] usb: gadget: udc: renesas_usb3: Add null pointer check in usb3_irq_epc_pipe0_setup()
Date: Wed, 21 May 2025 13:02:22 +0200 [thread overview]
Message-ID: <2025052142-waking-monopoly-37a6@gregkh> (raw)
In-Reply-To: <20250514095053.420-1-vulab@iscas.ac.cn>
On Wed, May 14, 2025 at 05:50:53PM +0800, Wentao Liang wrote:
> The function usb3_irq_epc_pipe0_setup() calls the function
> usb3_get_request(), but does not check its return value which
> is a null pointer if the function fails. This can result in a
> null pointer dereference.
>
> Add a null pointer check for usb3_get_request() to avoid null
> pointer dereference when the function fails.
>
> Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
> Cc: stable@vger.kernel.org # v4.5
> Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
> ---
> drivers/usb/gadget/udc/renesas_usb3.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c
> index fce5c41d9f29..51f2dd8cbf91 100644
> --- a/drivers/usb/gadget/udc/renesas_usb3.c
> +++ b/drivers/usb/gadget/udc/renesas_usb3.c
> @@ -1920,11 +1920,13 @@ static void usb3_irq_epc_pipe0_setup(struct renesas_usb3 *usb3)
> {
> struct usb_ctrlrequest ctrl;
> struct renesas_usb3_ep *usb3_ep = usb3_get_ep(usb3, 0);
> + struct renesas_usb3_request *usb3_req = usb3_get_request(usb3_ep);
>
> /* Call giveback function if previous transfer is not completed */
> + if (!usb3_req)
> + return;
Why is this check below the comment? Shouldn't it be above it?
> if (usb3_ep->started)
> - usb3_request_done(usb3_ep, usb3_get_request(usb3_ep),
> - -ECONNRESET);
> + usb3_request_done(usb3_ep, usb3_req, -ECONNRESET);
>
> usb3_p0_con_clear_buffer(usb3);
> usb3_get_setup_data(usb3, &ctrl);
> --
> 2.42.0.windows.2
How was this tested?
thanks,
greg k-h
prev parent reply other threads:[~2025-05-21 11:02 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-14 9:50 [PATCH] usb: gadget: udc: renesas_usb3: Add null pointer check in usb3_irq_epc_pipe0_setup() Wentao Liang
2025-05-21 11:02 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025052142-waking-monopoly-37a6@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=u.kleine-koenig@baylibre.com \
--cc=vulab@iscas.ac.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.