| From 57ebb5731b3f368902d880c4adba153114b21e1c Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Thu, 21 May 2020 16:13:00 +0100 |
| Subject: usb: gadget: lpc32xx_udc: don't dereference ep pointer before null |
| check |
| |
| From: Colin Ian King <colin.king@canonical.com> |
| |
| [ Upstream commit eafa80041645cd7604c4357b1a0cd4a3c81f2227 ] |
| |
| Currently pointer ep is being dereferenced before it is null checked |
| leading to a null pointer dereference issue. Fix this by only assigning |
| pointer udc once ep is known to be not null. Also remove a debug |
| message that requires a valid udc which may not be possible at that |
| point. |
| |
| Addresses-Coverity: ("Dereference before null check") |
| Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx") |
| Signed-off-by: Colin Ian King <colin.king@canonical.com> |
| Signed-off-by: Felipe Balbi <balbi@kernel.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/usb/gadget/udc/lpc32xx_udc.c | 11 ++++++----- |
| 1 file changed, 6 insertions(+), 5 deletions(-) |
| |
| diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c |
| index ac2aa04ca6573..7107931617953 100644 |
| --- a/drivers/usb/gadget/udc/lpc32xx_udc.c |
| +++ b/drivers/usb/gadget/udc/lpc32xx_udc.c |
| @@ -1615,17 +1615,17 @@ static int lpc32xx_ep_enable(struct usb_ep *_ep, |
| const struct usb_endpoint_descriptor *desc) |
| { |
| struct lpc32xx_ep *ep = container_of(_ep, struct lpc32xx_ep, ep); |
| - struct lpc32xx_udc *udc = ep->udc; |
| + struct lpc32xx_udc *udc; |
| u16 maxpacket; |
| u32 tmp; |
| unsigned long flags; |
| |
| /* Verify EP data */ |
| if ((!_ep) || (!ep) || (!desc) || |
| - (desc->bDescriptorType != USB_DT_ENDPOINT)) { |
| - dev_dbg(udc->dev, "bad ep or descriptor\n"); |
| + (desc->bDescriptorType != USB_DT_ENDPOINT)) |
| return -EINVAL; |
| - } |
| + |
| + udc = ep->udc; |
| maxpacket = usb_endpoint_maxp(desc); |
| if ((maxpacket == 0) || (maxpacket > ep->maxpacket)) { |
| dev_dbg(udc->dev, "bad ep descriptor's packet size\n"); |
| @@ -1873,7 +1873,7 @@ static int lpc32xx_ep_dequeue(struct usb_ep *_ep, struct usb_request *_req) |
| static int lpc32xx_ep_set_halt(struct usb_ep *_ep, int value) |
| { |
| struct lpc32xx_ep *ep = container_of(_ep, struct lpc32xx_ep, ep); |
| - struct lpc32xx_udc *udc = ep->udc; |
| + struct lpc32xx_udc *udc; |
| unsigned long flags; |
| |
| if ((!ep) || (ep->hwep_num <= 1)) |
| @@ -1883,6 +1883,7 @@ static int lpc32xx_ep_set_halt(struct usb_ep *_ep, int value) |
| if (ep->is_in) |
| return -EAGAIN; |
| |
| + udc = ep->udc; |
| spin_lock_irqsave(&udc->lock, flags); |
| |
| if (value == 1) { |
| -- |
| 2.25.1 |
| |