Message ID | 20250514095053.420-1-vulab@iscas.ac.cn |
---|---|
State | New |
Series | usb: gadget: udc: renesas_usb3: Add null pointer check in usb3_irq_epc_pipe0_setup() |
On Wed, May 14, 2025 at 05:50:53PM +0800, Wentao Liang wrote: > The function usb3_irq_epc_pipe0_setup() calls the function > usb3_get_request(), but does not check its return value which > is a null pointer if the function fails. This can result in a > null pointer dereference. > > Add a null pointer check for usb3_get_request() to avoid null > pointer dereference when the function fails. > > Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller") > Cc: stable@vger.kernel.org # v4.5 > Signed-off-by: Wentao Liang <vulab@iscas.ac.cn> > --- > drivers/usb/gadget/udc/renesas_usb3.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c > index fce5c41d9f29..51f2dd8cbf91 100644 > --- a/drivers/usb/gadget/udc/renesas_usb3.c > +++ b/drivers/usb/gadget/udc/renesas_usb3.c > @@ -1920,11 +1920,13 @@ static void usb3_irq_epc_pipe0_setup(struct renesas_usb3 *usb3) > { > struct usb_ctrlrequest ctrl; > struct renesas_usb3_ep *usb3_ep = usb3_get_ep(usb3, 0); > + struct renesas_usb3_request *usb3_req = usb3_get_request(usb3_ep); > > /* Call giveback function if previous transfer is not completed */ > + if (!usb3_req) > + return; Why is this check below the comment? Shouldn't it be above it? > if (usb3_ep->started) > - usb3_request_done(usb3_ep, usb3_get_request(usb3_ep), > - -ECONNRESET); > + usb3_request_done(usb3_ep, usb3_req, -ECONNRESET); > > usb3_p0_con_clear_buffer(usb3); > usb3_get_setup_data(usb3, &ctrl); > -- > 2.42.0.windows.2 How was this tested? thanks, greg k-h
diff --git a/drivers/usb/gadget/udc/renesas_usb3.c b/drivers/usb/gadget/udc/renesas_usb3.c index fce5c41d9f29..51f2dd8cbf91 100644 --- a/drivers/usb/gadget/udc/renesas_usb3.c +++ b/drivers/usb/gadget/udc/renesas_usb3.c @@ -1920,11 +1920,13 @@ static void usb3_irq_epc_pipe0_setup(struct renesas_usb3 *usb3) { struct usb_ctrlrequest ctrl; struct renesas_usb3_ep *usb3_ep = usb3_get_ep(usb3, 0); + struct renesas_usb3_request *usb3_req = usb3_get_request(usb3_ep); /* Call giveback function if previous transfer is not completed */ + if (!usb3_req) + return; if (usb3_ep->started) - usb3_request_done(usb3_ep, usb3_get_request(usb3_ep), - -ECONNRESET); + usb3_request_done(usb3_ep, usb3_req, -ECONNRESET); usb3_p0_con_clear_buffer(usb3); usb3_get_setup_data(usb3, &ctrl);
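Review bot: the new `if (!usb3_req) return;` is placed ahead of both the `if (usb3_ep->started)` test and the `usb3_p0_con_clear_buffer(usb3);` / `usb3_get_setup_data(usb3, &ctrl);` calls, so a NULL return from usb3_get_request() now makes the handler bail out before it reads the setup data at all. The removed lines only called usb3_get_request() inside the `usb3_ep->started` branch and the function always continued to the setup handling afterwards, so this is a behaviour change beyond guarding the dereference. Consider scoping the check to the giveback path, for example `if (usb3_ep->started && usb3_req)`, or state in the commit message why skipping the setup packet is correct when no request is returned. The `/* Call giveback function if previous transfer is not completed */` comment also ends up describing the NULL check instead of the usb3_request_done() call it belongs to; keep it directly above that call.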
The function usb3_irq_epc_pipe0_setup() calls the function usb3_get_request(), but does not check its return value which is a null pointer if the function fails. This can result in a null pointer dereference.

Add a null pointer check for usb3_get_request() to avoid null pointer dereference when the function fails.

Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
Cc: stable@vger.kernel.org # v4.5
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 drivers/usb/gadget/udc/renesas_usb3.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)