All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH v5 1/4] usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()
@ 2014-10-31  4:20 Yoshihiro Shimoda
  2014-10-31 13:41 ` Felipe Balbi
  2014-11-04  1:03 ` yoshihiro shimoda
  0 siblings, 2 replies; 3+ messages in thread
From: Yoshihiro Shimoda @ 2014-10-31  4:20 UTC (permalink / raw)
  To: linux-sh

From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>

This patch fixes an issue that the NULL pointer dereference happens
when we uses g_audio driver. Since the g_audio driver will call
usb_ep_disable() in afunc_set_alt() before it calls usb_ep_enable(),
the uep->pipe of renesas usbhs driver will be NULL. So, this patch
adds a condition to avoid the oops.

Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
Signed-off-by: Takeshi Kihara <takeshi.kihara.df@renesas.com>
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Fixes: 132fcb4608 (usb: gadget: Add Audio Class 2.0 Driver)
Cc: <stable@vger.kernel.org> # v3.3+
---
 drivers/usb/renesas_usbhs/mod_gadget.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c
index 2d17c10..294d43c 100644
--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -602,6 +602,9 @@ static int usbhsg_ep_disable(struct usb_ep *ep)
 	struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
 	struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
 
+	if (!pipe)
+		return -EINVAL;
+
 	usbhsg_pipe_disable(uep);
 	usbhs_pipe_free(pipe);
 
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH v5 1/4] usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()
  2014-10-31  4:20 [PATCH v5 1/4] usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable() Yoshihiro Shimoda
@ 2014-10-31 13:41 ` Felipe Balbi
  2014-11-04  1:03 ` yoshihiro shimoda
  1 sibling, 0 replies; 3+ messages in thread
From: Felipe Balbi @ 2014-10-31 13:41 UTC (permalink / raw)
  To: linux-sh

[-- Attachment #1: Type: text/plain, Size: 1784 bytes --]

On Fri, Oct 31, 2014 at 01:20:08PM +0900, Yoshihiro Shimoda wrote:
> From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
> 
> This patch fixes an issue that the NULL pointer dereference happens
> when we uses g_audio driver. Since the g_audio driver will call
> usb_ep_disable() in afunc_set_alt() before it calls usb_ep_enable(),
> the uep->pipe of renesas usbhs driver will be NULL. So, this patch
> adds a condition to avoid the oops.
> 
> Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
> Signed-off-by: Takeshi Kihara <takeshi.kihara.df@renesas.com>
> Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
> Fixes: 132fcb4608 (usb: gadget: Add Audio Class 2.0 Driver)

since this change is not patching the audio class driver, you can be
fixing that commit. Looking at the history of that file, it seems like
this was always broken since day one of this driver (commit 2f98382dc)
and if that's the case, this should become:

Fixes: 2f98382dc (usb: renesas_usbhs: Add Renesas USBHS Gadget)
Cc: <stable@vger.kernel.org> # v3.0+

> Cc: <stable@vger.kernel.org> # v3.3+
> ---
>  drivers/usb/renesas_usbhs/mod_gadget.c |    3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c
> index 2d17c10..294d43c 100644
> --- a/drivers/usb/renesas_usbhs/mod_gadget.c
> +++ b/drivers/usb/renesas_usbhs/mod_gadget.c
> @@ -602,6 +602,9 @@ static int usbhsg_ep_disable(struct usb_ep *ep)
>  	struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
>  	struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
>  
> +	if (!pipe)
> +		return -EINVAL;
> +
>  	usbhsg_pipe_disable(uep);
>  	usbhs_pipe_free(pipe);
>  
> -- 
> 1.7.9.5
> 

-- 
balbi

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread
* RE: [PATCH v5 1/4] usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()
  2014-10-31  4:20 [PATCH v5 1/4] usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable() Yoshihiro Shimoda
  2014-10-31 13:41 ` Felipe Balbi
@ 2014-11-04  1:03 ` yoshihiro shimoda
  1 sibling, 0 replies; 3+ messages in thread
From: yoshihiro shimoda @ 2014-11-04  1:03 UTC (permalink / raw)
  To: linux-sh

> On Fri, Oct 31, 2014 at 01:20:08PM +0900, Yoshihiro Shimoda wrote:
> > From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
> >
> > This patch fixes an issue that the NULL pointer dereference happens
> > when we uses g_audio driver. Since the g_audio driver will call
> > usb_ep_disable() in afunc_set_alt() before it calls usb_ep_enable(),
> > the uep->pipe of renesas usbhs driver will be NULL. So, this patch
> > adds a condition to avoid the oops.
> >
> > Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
> > Signed-off-by: Takeshi Kihara <takeshi.kihara.df@renesas.com>
> > Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
> > Fixes: 132fcb4608 (usb: gadget: Add Audio Class 2.0 Driver)
> 
> since this change is not patching the audio class driver, you can be fixing that commit. Looking at the history of that
> file, it seems like this was always broken since day one of this driver (commit 2f98382dc) and if that's the case, this
> should become:
> 
> Fixes: 2f98382dc (usb: renesas_usbhs: Add Renesas USBHS Gadget)
> Cc: <stable@vger.kernel.org> # v3.0+

Thank you very much for the point. I will fix it.

Best regards,
Yoshihiro Shimoda

> > Cc: <stable@vger.kernel.org> # v3.3+
> > ---
> >  drivers/usb/renesas_usbhs/mod_gadget.c |    3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c
> > b/drivers/usb/renesas_usbhs/mod_gadget.c
> > index 2d17c10..294d43c 100644
> > --- a/drivers/usb/renesas_usbhs/mod_gadget.c
> > +++ b/drivers/usb/renesas_usbhs/mod_gadget.c
> > @@ -602,6 +602,9 @@ static int usbhsg_ep_disable(struct usb_ep *ep)
> >  	struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
> >  	struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
> >
> > +	if (!pipe)
> > +		return -EINVAL;
> > +
> >  	usbhsg_pipe_disable(uep);
> >  	usbhs_pipe_free(pipe);
> >
> > --
> > 1.7.9.5
> >
> 
> --
> balbi

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-11-04  1:03 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-10-31  4:20 [PATCH v5 1/4] usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable() Yoshihiro Shimoda
2014-10-31 13:41 ` Felipe Balbi
2014-11-04  1:03 ` yoshihiro shimoda

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.