Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

usb: xhci: Fix NULL pointer dereference as part of queue

Browse source 
In the scatter gather list handling as part of queuing
on the bulk endpoints in host mode, there is a possible
case where sent_len and block_len both are zero for
non-zero number of num_sgs. This will cause the num_sgs
to loop around zero and become a non-zero value and access
sg_next for the last SG which has SG_END set leading to
NULL pointer dereference.

Fix this by accessing the properties of SG after
the NULL check.

Change-Id: Ie9c64844fd04c5e2ef5ee53d1583bf9b998649fa
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
This commit is contained in:
Sriharsha Allenki 2020-04-20 17:18:14 +05:30
parent fbad67d383
commit 22e7e0bd13
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
drivers/usb/host/xhci-ring.c
View file

@ -3305,8 +3305,8 @@ int xhci_queue_bulk_tx(struct xhci_hcd *xhci, gfp_t mem_flags,
/* New sg entry */
--num_sgs;
sent_len -= block_len;
if (num_sgs != 0) {
sg = sg_next(sg);
sg = sg_next(sg);
if (num_sgs != 0 && sg) {
block_len = sg_dma_len(sg);
addr = (u64) sg_dma_address(sg);
addr += sent_len;