From 58d6d139c3e7bb923029e7ba18bfec7f420ead0f Mon Sep 17 00:00:00 2001 From: Rob Herring Date: Fri, 24 Jul 2015 10:14:21 -0500 Subject: usb: ci_udc: fix request allocation when endpoints are disabled The ci_udc driver request allocation assumes that the endpoint descriptor pointer is set to retrieve the endpoint number, but that is only true when the endpoint is enabled. This results in a NULL ptr dereference which for me happens to return 0 value. This causes the EP0 request struct to be returned for other endpoints. Some gadget drivers like fastboot and USB MS work fine, but ethernet does not. Really, the ci_udc driver is the oddball here doing this EP0 special case handling Stephen added. All the other drivers alloc/free functions are pretty much the same with the only variation being the size of the private struct. This could all be consolidated to a common function. Signed-off-by: Rob Herring Cc: Marek Vasut Acked-by: Stephen Warren --- drivers/usb/gadget/ci_udc.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'drivers') diff --git a/drivers/usb/gadget/ci_udc.c b/drivers/usb/gadget/ci_udc.c index 993be315a8..3e8eb8799f 100644 --- a/drivers/usb/gadget/ci_udc.c +++ b/drivers/usb/gadget/ci_udc.c @@ -258,10 +258,12 @@ static struct usb_request * ci_ep_alloc_request(struct usb_ep *ep, unsigned int gfp_flags) { struct ci_ep *ci_ep = container_of(ep, struct ci_ep, ep); - int num; + int num = -1; struct ci_req *ci_req; - num = ci_ep->desc->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK; + if (ci_ep->desc) + num = ci_ep->desc->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK; + if (num == 0 && controller.ep0_req) return &controller.ep0_req->req; @@ -281,9 +283,11 @@ static void ci_ep_free_request(struct usb_ep *ep, struct usb_request *req) { struct ci_ep *ci_ep = container_of(ep, struct ci_ep, ep); struct ci_req *ci_req = container_of(req, struct ci_req, req); - int num; + int num = -1; + + if (ci_ep->desc) + num = ci_ep->desc->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK; - num = ci_ep->desc->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK; if (num == 0) { if (!controller.ep0_req) return; -- cgit v1.2.3