[PATCH 1/3] usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue()

[PATCH 1/3] usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue()

[Yoshihiro Shimoda]

This patch fixes an issue that NULL pointer dereference happens when
a gadget driver calls usb_ep_dequeue() after usb_ep_disable().

Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
---
 drivers/usb/renesas_usbhs/mod_gadget.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c
index de4f97d..8f7a78e 100644
--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -131,7 +131,8 @@ static void __usbhsg_queue_pop(struct usbhsg_uep *uep,
 	struct device *dev = usbhsg_gpriv_to_dev(gpriv);
 	struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv);
 
-	dev_dbg(dev, "pipe %d : queue pop\n", usbhs_pipe_number(pipe));
+	if (pipe)
+		dev_dbg(dev, "pipe %d : queue pop\n", usbhs_pipe_number(pipe));
 
 	ureq->req.status = status;
 	spin_unlock(usbhs_priv_to_lock(priv));
@@ -685,7 +686,13 @@ static int usbhsg_ep_dequeue(struct usb_ep *ep, struct usb_request *req)
 	struct usbhsg_request *ureq = usbhsg_req_to_ureq(req);
 	struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
 
-	usbhs_pkt_pop(pipe, usbhsg_ureq_to_pkt(ureq));
+	if (pipe)
+		usbhs_pkt_pop(pipe, usbhsg_ureq_to_pkt(ureq));
+
+	/*
+	 * To dequeue a request, this driver should call the usbhsg_queue_pop()
+	 * even if the pipe is NULL.
+	 */
 	usbhsg_queue_pop(uep, ureq, -ECONNRESET);
 
 	return 0;
-- 
1.9.1

Re: [PATCH 1/3] usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue()

[Felipe Balbi]

[-- Attachment #1: Type: text/plain, Size: 411 bytes --]


Hi,

Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> writes:
> This patch fixes an issue that NULL pointer dereference happens when
> a gadget driver calls usb_ep_dequeue() after usb_ep_disable().
>
> Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

and which gadget driver is that ? Let's fix it. We should _not_ call
usb_ep_dequeue() after usb_ep_disable().

-- 
balbi

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]

RE: [PATCH 1/3] usb: renesas_usbhs: gadget: Fix NULL pointer dereference in usbhsg_ep_dequeue()

[Yoshihiro Shimoda]

Hi,

> From: Felipe Balbi [mailto:balbi@ti.com]
> Sent: Wednesday, November 18, 2015 12:32 AM
> 
> Hi,
> 
> Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> writes:
> > This patch fixes an issue that NULL pointer dereference happens when
> > a gadget driver calls usb_ep_dequeue() after usb_ep_disable().
> >
> > Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
> 
> and which gadget driver is that ? Let's fix it. We should _not_ call
> usb_ep_dequeue() after usb_ep_disable().

Thank you for your comment.
I assumed that a gadget driver called usb_ep_dequeue() after usb_ep_disable().
However, it was wrong. This driver will call usbhsg_ep_dequeue() in usbhsg_try_stop().
So, if I disconnect a usb cable, and I uninstall a gadget driver, this issue happens
because the dcp->pipe is NULL after disconnected a usb cable.

So, I will revise the commit log as v2.
(Also I would like to fix this issue fundamentally, but it is tough because behavior of
 start/stop and connect/disconnect in this driver is complicated.)

Best regards,
Yoshihiro Shimoda

> --
> balbi