1. Patchew
  2. linux
  3. View series

[PATCH] usb: cdns3: gadget: fix NULL pointer dereference in ep_queue

Yongchao Wu posted 1 patch 4 days, 9 hours ago
There is a newer version of this series
drivers/usb/cdns3/cdns3-gadget.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH] usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
Posted by Yongchao Wu 4 days, 9 hours ago 
When the gadget endpoint is disabled or not yet configured, the ep->desc
pointer can be NULL. This leads to a NULL pointer dereference when
__cdns3_gadget_ep_queue() is called, causing a kernel crash.

Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the
standard return code for unconfigured endpoints.

This prevents potential crashes when ep_queue is called on endpoints
that are not ready.

Signed-off-by: Yongchao Wu  <yongchao.wu@autochips.com>
---
 drivers/usb/cdns3/cdns3-gadget.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c
index d59a60a16..96d2a4c38 100644
--- a/drivers/usb/cdns3/cdns3-gadget.c
+++ b/drivers/usb/cdns3/cdns3-gadget.c
@@ -2589,6 +2589,9 @@ static int __cdns3_gadget_ep_queue(struct usb_ep *ep,
 	struct cdns3_request *priv_req;
 	int ret = 0;
 
+	if (!ep->desc)
+		return -ESHUTDOWN;
+
 	request->actual = 0;
 	request->status = -EINPROGRESS;
 	priv_req = to_cdns3_request(request);
-- 
2.43.0
Re: [PATCH] usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
Posted by Peter Chen (CIX) 3 days, 1 hour ago 
On 26-03-29 09:34:04, Yongchao Wu wrote:
> When the gadget endpoint is disabled or not yet configured, the ep->desc
> pointer can be NULL. This leads to a NULL pointer dereference when
> __cdns3_gadget_ep_queue() is called, causing a kernel crash.
> 
> Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the
> standard return code for unconfigured endpoints.
> 
> This prevents potential crashes when ep_queue is called on endpoints
> that are not ready.
> 
> Signed-off-by: Yongchao Wu  <yongchao.wu@autochips.com>

Add Fixed-by tag and Cc to stable tree please, others:

Acked-by: Peter Chen <peter.chen@kernel.org>

Peter
> ---
>  drivers/usb/cdns3/cdns3-gadget.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c
> index d59a60a16..96d2a4c38 100644
> --- a/drivers/usb/cdns3/cdns3-gadget.c
> +++ b/drivers/usb/cdns3/cdns3-gadget.c
> @@ -2589,6 +2589,9 @@ static int __cdns3_gadget_ep_queue(struct usb_ep *ep,
>  	struct cdns3_request *priv_req;
>  	int ret = 0;
>  
> +	if (!ep->desc)
> +		return -ESHUTDOWN;
> +
>  	request->actual = 0;
>  	request->status = -EINPROGRESS;
>  	priv_req = to_cdns3_request(request);
> -- 
> 2.43.0
> 
> 

-- 

Best regards,
Peter
Re: [PATCH] usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
Posted by Sergey Shtylyov 2 days, 21 hours ago 
On 3/30/26 12:21 PM, Peter Chen (CIX) wrote:
[...]
>> When the gadget endpoint is disabled or not yet configured, the ep->desc
>> pointer can be NULL. This leads to a NULL pointer dereference when
>> __cdns3_gadget_ep_queue() is called, causing a kernel crash.
>>
>> Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the
>> standard return code for unconfigured endpoints.
>>
>> This prevents potential crashes when ep_queue is called on endpoints
>> that are not ready.
>>
>> Signed-off-by: Yongchao Wu  <yongchao.wu@autochips.com>
> 
> Add Fixed-by tag and Cc to stable tree please, others:

   I think you meant the Fixes tag. :-)

[...]

MBR, Sergey

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.