From d3b9f0262bcc0782ea471eb155fe92a0b660a128 Mon Sep 17 00:00:00 2001
From: feng wang
Date: Fri, 3 Feb 2012 14:07:57 +0800
Subject: [PATCH] usb:langwell_ude: Check ep desc to guarantee it is not disabled
BZ: 20895
A panic is raised in langwell_irq as ep->desc is set to NULL. In langwell_ep_disable, ep is disabled and spin_lock get unlocked in langwell_irq to handle the trans complete. In function done, ep->desc is accessed and we meet NULL pointer. Function done will be skipped as it is called in nuke to release resources. So no leakage.
Change-Id: I0c72ad83e12b6e61e04128dbafb492417eb1de01
Signed-off-by: feng wang
Reviewed-on: http://android.intel.com:8080/33821
Reviewed-by: Zhuang, Jin Can
Reviewed-by: Tang, Richard
Reviewed-by: Meng, Zhe
Tested-by: Meng, Zhe
Reviewed-by: buildbot
Tested-by: buildbot
---
 drivers/usb/gadget/langwell_udc.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/drivers/usb/gadget/langwell_udc.c b/drivers/usb/gadget/langwell_udc.c
index 972fdb4..d56dfcb 100644
--- a/drivers/usb/gadget/langwell_udc.c
+++ b/drivers/usb/gadget/langwell_udc.c
@@ -529,6 +529,13 @@ static int langwell_ep_disable(struct usb_ep *_ep)
 spin_lock_irqsave(&dev->lock, flags);
+ if (!ep->desc) {
+ spin_unlock_irqrestore(&dev->lock, flags);
+ pm_runtime_put(&dev->pdev->dev);
+ dev_err(&dev->pdev->dev, "ep has already disabled\n");
+ return -EINVAL;
+ }
+
 /* disable endpoint control register */
 ep_num = ep->ep_num;
 endptctrl = readl(&dev->op_regs->endptctrl[ep_num]);
@@ -2866,6 +2873,12 @@ static void handle_trans_complete(struct langwell_udc *dev)
 ep0_req_complete(dev, epn, curr_req);
 break;
 } else {
+ /* Check to guarantee ep is enabled */
+ if (!epn->desc) {
+ dev_err(&dev->pdev->dev,
+ "epn is disabled, break in handle trans complete\n");
+ break;
+ }
 done(epn, curr_req, status);
 }
 }
--
2.7.4
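Review bot: The new `!ep->desc` test in langwell_ep_disable has no comment saying why it is made under `dev->lock`, and it reports what the commit message describes as an expected race at error level. A caller that finds the endpoint already disabled here is a normal outcome of that race, so I would add `/* re-check under dev->lock: ep may have been disabled while the lock was dropped */` and log with `dev_dbg(&dev->pdev->dev, "%s already disabled\n", _ep->name);`, which also names the endpoint and keeps a repeatedly provoked race from filling the log. The `pm_runtime_put()` on this exit presumably balances a get earlier in the function; that part lies outside the hunk and should be confirmed.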
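Review bot: The `!epn->desc` guard in handle_trans_complete sits directly before `done()`, so it only protects the request if nothing earlier in the same loop iteration has already read `curr_req`. The commit message says nuke releases the queued requests once the endpoint is disabled; if that ran while the lock was dropped, `curr_req` may already have been completed and possibly freed by the gadget driver, which would make an earlier read a use-after-free and not merely a NULL dereference. The loop itself is outside the hunk, so this has to be checked there, and if `curr_req` is read first the test belongs at the top of the iteration. The `dev_err` also runs in the interrupt path on a condition the USB host can plausibly provoke, so `dev_dbg` or a rate-limited print would be the safer choice.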