This patch fixes possible NULL pointer dereference issues in MUSB gadget code.
Signed-off-by: Maulik Mankad <x0082077@xxxxxx>
CC: Felipe Balbi <felipe.balbi@xxxxxxxxx>
CC: David Brownell <david-b@xxxxxxxxxxx>
Index: linux-2.6/drivers/usb/musb/musb_gadget.c
===================================================================
--- linux-2.6.orig/drivers/usb/musb/musb_gadget.c
+++ linux-2.6/drivers/usb/musb/musb_gadget.c
@@ -110,6 +110,9 @@ __acquires(ep->musb->lock)
 req = to_musb_request(request);
+ if (!req)
+ return;
+
 list_del(&request->list);
 if (req->request.status == -EINPROGRESS) req->request.status = status;
@@ -754,6 +757,9 @@ void musb_g_rx(struct musb *musb, u8 epn
 request = next_request(musb_ep);
+ if (!request)
+ goto done;
+
 csr = musb_readw(epio, MUSB_RXCSR);
 dma = is_dma_capable() ? musb_ep->dma : NULL;
@@ -1014,6 +1020,12 @@ static int musb_gadget_disable(struct us
 int status = 0;
 musb_ep = to_musb_ep(ep);
+
+ if (!musb_ep) {
+ status = -EINVAL;
+ return status;
+ }
+
 musb = musb_ep->musb;
 epnum = musb_ep->current_epnum;
 epio = musb->endpoints[epnum].regs;
@@ -1058,7 +1070,7 @@ struct usb_request *musb_alloc_request(s
 struct musb_request *request = NULL;
 request = kzalloc(sizeof *request, gfp_flags);
- if (request) {
+ if (request && musb_ep) {
 INIT_LIST_HEAD(&request->request.list);
 request->request.dma = DMA_ADDR_INVALID;
 request->epnum = musb_ep->current_epnum;
@@ -1185,7 +1197,14 @@ static int musb_gadget_dequeue(struct us
 struct usb_request *r;
 unsigned long flags;
 int status = 0;
- struct musb *musb = musb_ep->musb;
+ struct musb *musb;
+
+ if (!musb_ep) {
+ status = -EINVAL;
+ return status;
+ }
+
+ musb = musb_ep->musb;
 if (!ep || !request || to_musb_request(request)->ep != musb_ep) return -EINVAL;
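Review bot: The new `if (!req)` tests the result of to_musb_request(), which is a container_of-style cast; unless `request` sits at offset 0 in struct musb_request, a NULL `request` maps to a non-NULL `req`, the check never fires, and list_del(&request->list) on the following line still faults. Test the argument before the cast instead: `if (!request) return;` placed ahead of `req = to_musb_request(request);`. The same concern applies to the `if (!musb_ep)` checks on to_musb_ep() results added in musb_gadget_disable, musb_gadget_dequeue, musb_gadget_set_halt, musb_gadget_fifo_status and musb_gadget_fifo_flush, where `if (!ep) return -EINVAL;` before the cast is the form that does not depend on struct layout. The enclosing function here (its header carries the __acquires annotation shown in the hunk header) starts and ends outside the hunk.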
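Review bot: The new `goto done` in musb_g_rx runs before `csr = musb_readw(epio, MUSB_RXCSR);` on the line that follows it, so an RX interrupt arriving while the endpoint queue is empty now leaves the RXCSR status bits unread; if the remainder of the function (outside the hunk) acknowledges conditions such as a sent STALL or an overrun based on `csr`, those are no longer serviced in that case and the interrupt may simply re-fire. If skipping the register handling is intended, say so at the check, e.g. `/* no request queued: RXCSR is left untouched */`; otherwise the empty-queue bail-out belongs after the status handling. The `done` label and the rest of musb_g_rx lie outside the hunk.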
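Review bot: The new error path in musb_gadget_disable spells the return as `status = -EINVAL; return status;` over two statements, and the same two-line pattern is repeated in musb_gadget_dequeue and musb_gadget_set_halt, where the pre-existing `if (!ep || !request || to_musb_request(request)->ep != musb_ep) return -EINVAL;` in the dequeue hunk shows the direct form already used in this file. `if (!musb_ep) return -EINVAL;` reads the same and avoids a store to `status` that nothing else observes. The rest of musb_gadget_disable lies outside the hunk.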
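Review bot: Widening the condition to `if (request && musb_ep)` in musb_alloc_request leaves a NULL musb_ep with an allocated but uninitialised request: kzalloc has already run, and if the function's tail (outside the hunk) still returns `&request->request`, the caller receives a non-NULL request whose list head and `ep` were never set. Reject the bad endpoint before allocating and keep the original allocation test: `if (!musb_ep) return NULL;` placed ahead of `request = kzalloc(sizeof *request, gfp_flags);`, with `if (request) {` restored. As with the other to_musb_ep() users in this patch, checking `ep` itself before the cast would be more robust than testing the cast's result.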
@@ -1238,15 +1257,24 @@ done:
 int musb_gadget_set_halt(struct usb_ep *ep, int value)
 {
 struct musb_ep *musb_ep = to_musb_ep(ep);
- u8 epnum = musb_ep->current_epnum;
- struct musb *musb = musb_ep->musb;
- void __iomem *epio = musb->endpoints[epnum].regs;
+ u8 epnum;
+ struct musb *musb;
+ void __iomem *epio;
 void __iomem *mbase;
 unsigned long flags;
 u16 csr;
 struct musb_request *request = NULL;
 int status = 0;
+ if (!musb_ep) {
+ status = -EINVAL;
+ return status;
+ }
+
+ epnum = musb_ep->current_epnum;
+ musb = musb_ep->musb;
+ epio = musb->endpoints[epnum].regs;
+
 if (!ep) return -EINVAL;
 mbase = musb->mregs;
@@ -1315,9 +1343,14 @@ done:
 static int musb_gadget_fifo_status(struct usb_ep *ep)
 {
 struct musb_ep *musb_ep = to_musb_ep(ep);
- void __iomem *epio = musb_ep->hw_ep->regs;
+ void __iomem *epio;
 int retval = -EINVAL;
+ if (!musb_ep)
+ return retval;
+
+ epio = musb_ep->hw_ep->regs;
+
 if (musb_ep->desc && !musb_ep->is_in) {
 struct musb *musb = musb_ep->musb;
 int epnum = musb_ep->current_epnum;
@@ -1338,13 +1371,20 @@ static int musb_gadget_fifo_status(struc
 static void musb_gadget_fifo_flush(struct usb_ep *ep)
 {
 struct musb_ep *musb_ep = to_musb_ep(ep);
- struct musb *musb = musb_ep->musb;
- u8 epnum = musb_ep->current_epnum;
- void __iomem *epio = musb->endpoints[epnum].regs;
+ struct musb *musb;
+ u8 epnum;
+ void __iomem *epio;
 void __iomem *mbase;
 unsigned long flags;
 u16 csr, int_txe;
+ if (!musb_ep)
+ return;
+
+ musb = musb_ep->musb;
+ epnum = musb_ep->current_epnum;
+ epio = musb->endpoints[epnum].regs;
+
 mbase = musb->mregs;
 spin_lock_irqsave(&musb->lock, flags);
-- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
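Review bot: In musb_gadget_set_halt the pre-existing `if (!ep) return -EINVAL;` now sits after the new `if (!musb_ep)` guard and after the three moved dereferences (`epnum = musb_ep->current_epnum;` through `epio = musb->endpoints[epnum].regs;`), so it can only be reached with a non-NULL `ep` and no longer guards anything. Either drop it, or make it the real check by moving it ahead of the `struct musb_ep *musb_ep = to_musb_ep(ep);` initializer and dropping the `if (!musb_ep)` block, which would also give the function a single early-exit path. The body of musb_gadget_set_halt continues past the hunk.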