[lvc-project] [PATCH] usb: tegra-xudc: check ep->desc before dereferencing
Jon Hunter
jonathanh at nvidia.com
Wed Apr 16 10:43:58 MSK 2025
On 15/04/2025 18:42, Alexey V. Vissarionov wrote:
> Check ep->desc before dereferencing it in tegra_xudc_req_done() call
> and later in this function tegra_xudc_handle_transfer_completion()
>
> Found by ALT Linux Team (altlinux.org) and Linux Verification Center
> (linuxtesting.org)
>
> Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
> Signed-off-by: Alexey V. Vissarionov <gremlin at altlinux.org>
> ---
> drivers/usb/gadget/udc/tegra-xudc.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/usb/gadget/udc/tegra-xudc.c b/drivers/usb/gadget/udc/tegra-xudc.c
> index c7fdbc55fb0b97ed..0322e984e2c6fd91 100644
> --- a/drivers/usb/gadget/udc/tegra-xudc.c
> +++ b/drivers/usb/gadget/udc/tegra-xudc.c
> @@ -2661,6 +2661,10 @@ static void tegra_xudc_handle_transfer_completion(struct tegra_xudc *xudc,
> trb = trb_phys_to_virt(ep, trb_read_data_ptr(event));
> req = trb_to_request(ep, trb);
>
> + /* tegra_xudc_req_done() dereferences ep->desc; check it here */
> + if (!ep || !ep->desc)
> + return;
> +
Looking at the code, it would seem that we should check !ep at the start
of the function, because it has already been used at this point. Also
!ep is worthy of an error message because that should never happen.
Cheers
Jon
--
nvpublic
More information about the lvc-project
mailing list