From nobody Thu Apr 2 01:29:08 2026 Received: from mail-m49196.qiye.163.com (mail-m49196.qiye.163.com [45.254.49.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 98752EACD; Tue, 31 Mar 2026 00:04:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.254.49.196 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774915471; cv=none; b=ubrtc3Y+6UxmAK82ThW0mTt5KhCKKOwd2/qPtNBTTDLEBG90gU/jFI++f4nxV8LTmrVimowVp7o0VARWxng8aOud+hQ+tvqD8Bur3uDpmMz2AbE87wbbSn3tXM6TRrjzsuK5KHCs4CGt9yCAstyjQ1jOc5ZRA96mxluO+7Rocos= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774915471; c=relaxed/simple; bh=/QIvjWKbDBIRH67mT3BA0UqG08f2nXpv9thEhLoLGXM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=RVLaCJ6cllTLhdxdrKV3l9mkw5NVrUlsUO399yQUSO/qxasfVKTtD338vW2hLkW5KE7bOBH5pwQt1HU8mXGHazsdh0MTLrqS/Gf9O9l7ICw8cTKIdaY4hokcmUGRapL4uCbqjvdpQCN3HcTb8KVXgvPpGZeH+Wr0BTYuNeGGlvo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=autochips.com; spf=pass smtp.mailfrom=autochips.com; arc=none smtp.client-ip=45.254.49.196 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=autochips.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=autochips.com Received: from H20F120008.autochips.inc (unknown [223.244.89.246]) by smtp.qiye.163.com (Hmail) with ESMTP id 38e3cda8a; Tue, 31 Mar 2026 08:04:19 +0800 (GMT+08:00) From: Yongchao Wu To: peter.chen@kernel.org Cc: pawell@cadence.com, rogerq@kernel.org, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@kernel.org, Yongchao Wu Subject: [PATCH v3] usb: cdns3: gadget: fix NULL pointer dereference in ep_queue Date: Tue, 31 Mar 2026 08:04:07 +0800 Message-ID: <20260331000407.613298-1-yongchao.wu@autochips.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-HM-Tid: 0a9d4134995403ackunm89aa724e26e5764 X-HM-MType: 1 X-HM-Spam-Status: e1kfGhgUHx5ZQUpXWQgPGg8OCBgUHx5ZQUlOS1dZFg8aDwILHllBWSg2Ly tZV1koWUFITzdXWS1ZQUlXWQ8JGhUIEh9ZQVkZSUMfVkIdQk8ZTB1JGB1PQlYVFAkWGhdVEwETFh oSFyQUDg9ZV1kYEgtZQVlJSUhVSU9PVUNCVUlPTVlXWRYaDxIVHRRZQVlPS0hVSktJT09PSFVKS0 tVSkJLS1kG Content-Type: text/plain; charset="utf-8" When the gadget endpoint is disabled or not yet configured, the ep->desc pointer can be NULL. This leads to a NULL pointer dereference when __cdns3_gadget_ep_queue() is called, causing a kernel crash. Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the standard return code for unconfigured endpoints. This prevents potential crashes when ep_queue is called on endpoints that are not ready. Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") Cc: stable@kernel.org Signed-off-by: Yongchao Wu Acked-by: Peter Chen --- Changes in v3: - add Fixes tag - add Cc to stable tree Changes in v2: - Fix author name format (use "Yongchao Wu" instead of "yongchao.wu") --- drivers/usb/cdns3/cdns3-gadget.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gad= get.c index d59a60a16..96d2a4c38 100644 --- a/drivers/usb/cdns3/cdns3-gadget.c +++ b/drivers/usb/cdns3/cdns3-gadget.c @@ -2589,6 +2589,9 @@ static int __cdns3_gadget_ep_queue(struct usb_ep *ep, struct cdns3_request *priv_req; int ret =3D 0; =20 + if (!ep->desc) + return -ESHUTDOWN; + request->actual =3D 0; request->status =3D -EINPROGRESS; priv_req =3D to_cdns3_request(request); --=20 2.43.0