usb: dwc3: gadget: Acquire spin_lock before checking usb_ep->desc

usb_ep's desc field is marked as NULL in ep_disable which gets
called on cable disconnect. Currently, ep_queue function is
checking for ep->desc before acquiring spin_lock. If USB cable
gets disconnected after ep->desc check but before spin_lock is
acquired then there are chances of hitting NULL pointer
dereference subsequently when ep_queue function later tries to
access ep->desc. Fix this by acquiring spin_lock before ep->desc
check in ep_queue.

CRs-Fixed: 454236
Change-Id: Icd7c2cf5ea3583759143555521ce44403f20e2bd
Signed-off-by: Manu Gautam <mgautam@codeaurora.org>
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 2db9eea..0664376 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1205,7 +1205,10 @@
int ret;
+ spin_lock_irqsave(&dwc->lock, flags);
+
if (!dep->endpoint.desc) {
+ spin_unlock_irqrestore(&dwc->lock, flags);
dev_dbg(dwc->dev, "trying to queue request %p to disabled %s\n",
request, ep->name);
return -ESHUTDOWN;
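Review bot: the `spin_unlock_irqrestore(&dwc->lock, flags);` added inside the `!dep->endpoint.desc` branch gives this function a second unlock site. A single exit path (set `ret = -ESHUTDOWN` and jump to a label placed just before the existing unlock at the end of the function) would keep the lock and unlock paired in one place, so a later early return cannot leave dwc->lock held with interrupts disabled. Separately, the commit message says ep_disable sets desc to NULL but does not say that it does so while holding dwc->lock; the check moved here only closes the race if that is the case, so it is worth stating in the message or in a comment above the check.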
@@ -1217,7 +1220,6 @@
WARN(!dep->direction && (request->length % ep->desc->wMaxPacketSize),
"trying to queue unaligned request (%d)\n", request->length);
- spin_lock_irqsave(&dwc->lock, flags);
ret = __dwc3_gadget_ep_queue(dep, req);
spin_unlock_irqrestore(&dwc->lock, flags);
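Review bot: with the `spin_lock_irqsave()` moved above it, the `WARN(!dep->direction && (request->length % ep->desc->wMaxPacketSize), ...)` now runs with dwc->lock held and interrupts off, so a triggered warning prints its backtrace inside the critical section. Consider evaluating the condition under the lock and issuing the warning after the unlock, or switching to WARN_ONCE so a misbehaving function driver cannot repeatedly stall the lock. Also, the NULL check tests `dep->endpoint.desc` while the WARN reads `ep->desc`; using the same expression in both places would make it obvious to a reader that the pointer being checked is the one being dereferenced.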