* [PATCH] usb: musb: gadget: fix possible NULL pointer dereference
From: John Ogness @ 2016-02-26 14:52 UTC (permalink / raw)
  To: Felipe Balbi, Bin Liu, Greg Kroah-Hartman, linux-usb, linux-kernel

txstate() assumes that if the request buffer is mapped, a DMA channel
is allocated. There is a case here where the DMA channel is released
and then shortly thereafter (in general PIO code) the request buffer
is unmapped. However, in this case unmap_dma_buffer() silently fails
because the DMA channel is already gone. Thus, the next time txstate()
is called, there is a NULL pointer exception because the buffer is
mapped but no DMA channel is allocated.

This patch adds an extra call to unmap_dma_buffer() before releasing the
channel.

Signed-off-by: John Ogness <john.ogness@linutronix.de>
---
 patch against next-20160226

 drivers/usb/musb/musb_gadget.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
index 87bd578..c518d3c 100644
--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -393,6 +393,7 @@ static void txstate(struct musb *musb, struct musb_request *req)
 					request->dma + request->actual,
 					request_size);
 			if (!use_dma) {
+				unmap_dma_buffer(req, musb);
 				c->channel_release(musb_ep->dma);
 				musb_ep->dma = NULL;
 				csr &= ~MUSB_TXCSR_DMAENAB;
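
Review bot: the added unmap_dma_buffer(req, musb) in the !use_dma branch is only effective because it comes before c->channel_release(musb_ep->dma) and musb_ep->dma = NULL, and nothing in the code records that ordering requirement. A one-line comment above the call saying the buffer must be unmapped while the channel still exists (the changelog says unmap_dma_buffer() silently fails once the channel is gone) would keep a later reorder from reintroducing the NULL dereference. The changelog also names an assumption this hunk leaves in place, that txstate() treats a mapped buffer as proof that a DMA channel is allocated; checking musb_ep->dma where txstate() relies on it, or having unmap_dma_buffer() warn when it returns without unmapping, would make any other path that hits the same state visible instead of crashing.
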
-- 
1.7.10.4
