[lvc-project] [PATCH v1] usb: tegra-xudc: check ep and ep->desc before deref

[Jon Hunter]

On 16/04/2025 10:55, Alexey V. Vissarionov wrote:
> Check ep before dereferencing it in trb_phys_to_virt() and ep->desc
> before dereferencing it in tegra_xudc_req_done()
> 
> Found by ALT Linux Team (altlinux.org) and Linux Verification Center
> (linuxtesting.org)
> 
> Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
> Signed-off-by: Alexey V. Vissarionov <gremlin at altlinux.org>
> ---
>   drivers/usb/gadget/udc/tegra-xudc.c | 19 ++++++++++++++++---
>   1 file changed, 16 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/usb/gadget/udc/tegra-xudc.c b/drivers/usb/gadget/udc/tegra-xudc.c
> index c7fdbc55fb0b97ed..cae99ebe9f85868d 100644
> --- a/drivers/usb/gadget/udc/tegra-xudc.c
> +++ b/drivers/usb/gadget/udc/tegra-xudc.c
> @@ -2658,9 +2658,23 @@ static void tegra_xudc_handle_transfer_completion(struct tegra_xudc *xudc,
>   	short_packet = (trb_read_cmpl_code(event) ==
>   			TRB_CMPL_CODE_SHORT_PACKET);
>   
> +	/* trb_phys_to_virt() dereferences ep; check it here */
> +	if (!ep)
> +	{

Please make sure you run 'checkpatch.pl' as I am sure if will flag that 
the above should be ...

     if (!ep) {

> +		dev_err(xudc->dev, "Unbelievable: ep is NULL\n");

I quite like the 'Unbelievable' but 'unexpected NULL pointer for ep' is 
also fine.

> +		return;
> +	}
> +
>   	trb = trb_phys_to_virt(ep, trb_read_data_ptr(event));
>   	req = trb_to_request(ep, trb);
>   
> +	/* tegra_xudc_req_done() dereferences ep->desc; check it here */
> +	if (!ep->desc)
> +	{
> +		dev_err(xudc->dev, "Unbelievable: ep->desc is NULL\n");
> +		return;
> +	}

I am not sure about the error message here, because the existing code 
just skips this. So it is not clear if this can happen and could be 
expected.

Jon

-- 
nvpublic