usb: dwc3: gadget: Fix null pointer exception

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

In the endpoint interrupt functions
dwc3_gadget_endpoint_transfer_in_progress() and
dwc3_gadget_endpoint_trbs_complete() will dereference the endpoint
descriptor. But it could be cleared in __dwc3_gadget_ep_disable()
when accessory disconnected. So we need to check whether it is null
or not before dereferencing it.

Fixes: f09ddcfcb8c5 ("usb: dwc3: gadget: Prevent EP queuing while stopping transfers")
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Jack Pham <quic_jackp@quicinc.com>
Signed-off-by: Albert Wang <albertccwang@google.com>
Link: https://lore.kernel.org/r/20211109092642.3507692-1-albertccwang@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Albert Wang and committed by

Greg Kroah-Hartman 4 years ago 26288448 3b8599a6

1 changed file

expand all

drivers

usb

dwc3

gadget.c

drivers/usb/dwc3/gadget.c

··· 3263 3263 struct dwc3 *dwc = dep->dwc; 3264 3264 bool no_started_trb = true; 3265 3265 3266 + if (!dep->endpoint.desc) 3267 + return no_started_trb; 3268 + 3266 3269 dwc3_gadget_ep_cleanup_completed_requests(dep, event, status); 3267 3270 3268 3271 if (dep->flags & DWC3_EP_END_TRANSFER_PENDING) ··· 3312 3309 const struct dwc3_event_depevt *event) 3313 3310 { 3314 3311 int status = 0; 3312 + 3313 + if (!dep->endpoint.desc) 3314 + return; 3315 3315 3316 3316 if (usb_endpoint_xfer_isoc(dep->endpoint.desc)) 3317 3317 dwc3_gadget_endpoint_frame_from_event(dep, event);