usb: renesas_usbhs: fix NULL pointer dereference in xfer_work()
authorYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Wed, 8 Jun 2016 07:32:49 +0000 (16:32 +0900)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 20 Aug 2016 16:09:16 +0000 (18:09 +0200)
commit 4fdef698383db07d829da567e0e405fc41ff3a89 upstream.

This patch fixes an issue that the xfer_work() is possible to cause
NULL pointer dereference if the usb cable is disconnected while data
transfer is running.

In such case, a gadget driver may call usb_ep_disable()) before
xfer_work() is actually called. In this case, the usbhs_pkt_pop()
will call usbhsf_fifo_unselect(), and then usbhs_pipe_to_fifo()
in xfer_work() will return NULL.

Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/renesas_usbhs/fifo.c

index f1893e08e51a43649fe71bb2956cd884d4eca4fa..db565f620f82daf410e14961a8189d96638492f9 100644 (file)
@@ -808,20 +808,27 @@ static void xfer_work(struct work_struct *work)
 {
        struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work);
        struct usbhs_pipe *pipe = pkt->pipe;
-       struct usbhs_fifo *fifo = usbhs_pipe_to_fifo(pipe);
+       struct usbhs_fifo *fifo;
        struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
        struct dma_async_tx_descriptor *desc;
-       struct dma_chan *chan = usbhsf_dma_chan_get(fifo, pkt);
+       struct dma_chan *chan;
        struct device *dev = usbhs_priv_to_dev(priv);
        enum dma_transfer_direction dir;
+       unsigned long flags;
 
+       usbhs_lock(priv, flags);
+       fifo = usbhs_pipe_to_fifo(pipe);
+       if (!fifo)
+               goto xfer_work_end;
+
+       chan = usbhsf_dma_chan_get(fifo, pkt);
        dir = usbhs_pipe_is_dir_in(pipe) ? DMA_DEV_TO_MEM : DMA_MEM_TO_DEV;
 
        desc = dmaengine_prep_slave_single(chan, pkt->dma + pkt->actual,
                                        pkt->trans, dir,
                                        DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
        if (!desc)
-               return;
+               goto xfer_work_end;
 
        desc->callback          = usbhsf_dma_complete;
        desc->callback_param    = pipe;
@@ -829,7 +836,7 @@ static void xfer_work(struct work_struct *work)
        pkt->cookie = dmaengine_submit(desc);
        if (pkt->cookie < 0) {
                dev_err(dev, "Failed to submit dma descriptor\n");
-               return;
+               goto xfer_work_end;
        }
 
        dev_dbg(dev, "  %s %d (%d/ %d)\n",
@@ -840,6 +847,9 @@ static void xfer_work(struct work_struct *work)
        usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans);
        dma_async_issue_pending(chan);
        usbhs_pipe_enable(pipe);
+
+xfer_work_end:
+       usbhs_unlock(priv, flags);
 }
 
 /*