authorWill Deacon2020-12-15 11:15:38 -0600
committerGiuliano Procida2020-12-30 04:20:48 -0600
commit811618a9016c45b1f01ec5ff7f9624aae6495bc7 (patch)
treecae76e419ecca9a5e00e84ee9239e2b26b5fcbf9
parent03f232dcf8d411cd1b7fa6207018b706dbaf8229 (diff)
ANDROID: usb: f_accessory: Don't drop NULL reference in acc_disconnect()
If get_acc_dev() fails to obtain a reference to the current device, acc_disconnect() will attempt to put_acc_dev() with the resulting NULL pointer, leading to a crash: | Unable to handle kernel NULL pointer dereference at virtual address 00000074 | [...] | [<c0abb288>] (acc_disconnect) from [<c0a91a38>] (android_disconnect+0x1c/0x7c) | [<c0a91a38>] (android_disconnect) from [<c0a93958>] (usb_gadget_udc_reset+0x10/0x34) | [<c0a93958>] (usb_gadget_udc_reset) from [<c0a4a9c4>] (dwc3_gadget_reset_interrupt+0x88/0x4fc) | [<c0a4a9c4>] (dwc3_gadget_reset_interrupt) from [<c0a491f8>] (dwc3_process_event_buf+0x60/0x3e4) | [<c0a491f8>] (dwc3_process_event_buf) from [<c0a49180>] (dwc3_thread_interrupt+0x24/0x3c) | [<c0a49180>] (dwc3_thread_interrupt) from [<c02b3404>] (irq_thread_fn+0x1c/0x58) | [<c02b3404>] (irq_thread_fn) from [<c02b326c>] (irq_thread+0x1ec/0x2f4) | [<c02b326c>] (irq_thread) from [<c0260804>] (kthread+0x1a8/0x1ac) | [<c0260804>] (kthread) from [<c0200138>] (ret_from_fork+0x14/0x3c) Follow the pattern used elsewhere, and return early if we fail to obtain a reference. Bug: 173789633 Reported-by: YongQin Liu <yongqin.liu@linaro.org> Signed-off-by: Will Deacon <willdeacon@google.com> Change-Id: I37a2bff5bc1b6b8269788d08191181763bf0e896 Signed-off-by: Giuliano Procida <gprocida@google.com>
-rw-r--r--drivers/usb/gadget/function/f_accessory.c7
1 files changed, 4 insertions, 3 deletions
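--- a/drivers/usb/gadget/function/f_accessory.c
+++ b/drivers/usb/gadget/function/f_accessory.c
@@ -1400,10 +1400,11 @@ void acc_disconnect(void)
 {
  struct acc_dev *dev = get_acc_dev();
 
- /* unregister all HID devices if USB is disconnected */
- if (dev)
- kill_all_hid_devices(dev);
+ if (!dev)
+ return;
 
+ /* unregister all HID devices if USB is disconnected */
+ kill_all_hid_devices(dev);
  put_acc_dev(dev);
 }
 EXPORT_SYMBOL_GPL(acc_disconnect);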
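Review bot: The new early return `if (!dev) return;` in acc_disconnect() carries no comment saying why a NULL result is expected here or that it means no reference was taken. The trace in the commit message shows this function being reached from the UDC reset interrupt thread, so the NULL case is presumably an ordinary disconnect/reset race rather than a programming error, and a later reader should not be tempted to move put_acc_dev() back above the check. I would add a short comment above the guard, for example `/* no device reference was obtained: nothing to unregister and nothing to put */`. The existing "unregister all HID devices" comment could also say that the reference from get_acc_dev() is held across kill_all_hid_devices() and dropped by put_acc_dev().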