usb: musb: host: fix potential NULL pointer dereference

liubiin · gregkh · commit 303e99bde8dc · 2018-05-09T09:51:55.000+02:00
commit 2b63f13 upstream. musb_start_urb() doesn't check the pass-in parameter if it is NULL. But in musb_bulk_nak_timeout() the parameter passed to musb_start_urb() is returned from first_qh(), which could be NULL. So wrap the musb_start_urb() call here with a if condition check to avoid the potential NULL pointer dereference. Fixes: f283862 ("usb: musb: NAK timeout scheme on bulk TX endpoint") Cc: stable@vger.kernel.org # v3.7+ Signed-off-by: Bin Liu <b-liu@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
@@ -1023,7 +1023,9 @@ static void musb_bulk_nak_timeout(struct musb *musb, struct musb_hw_ep *ep,
 			/* set tx_reinit and schedule the next qh */
 			ep->tx_reinit = 1;
 		}
-		musb_start_urb(musb, is_in, next_qh);
+
+		if (next_qh)
+			musb_start_urb(musb, is_in, next_qh);
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1023,7 +1023,9 @@ static void musb_bulk_nak_timeout(struct musb musb, struct musb_hw_ep ep,`
`1023`	`1023`	`/* set tx_reinit and schedule the next qh */`
`1024`	`1024`	`ep->tx_reinit = 1;`
`1025`	`1025`	`}`
`1026`		`- musb_start_urb(musb, is_in, next_qh);`
	`1026`	`+`
	`1027`	`+ if (next_qh)`
	`1028`	`+ musb_start_urb(musb, is_in, next_qh);`
`1027`	`1029`	`}`
`1028`	`1030`	`}`
`1029`	`1031`