Message ID | 20211025003308.1931014-1-jim.posen@gmail.com |
---|---|
State | Deferred |
Delegated to: | Tom Rini |
Series | Avoid possible NULL dereference in XHCI driver |
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 35bd5cd29e..1635d03ece 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -499,6 +499,7 @@ static void abort_td(struct usb_device *udev, int ep_index) xhci_queue_command(ctrl, NULL, udev->slot_id, ep_index, TRB_STOP_RING); event = xhci_wait_for_event(ctrl, TRB_TRANSFER); + BUG_ON(!event); field = le32_to_cpu(event->trans_event.flags); BUG_ON(TRB_TO_SLOT_ID(field) != udev->slot_id); BUG_ON(TRB_TO_EP_INDEX(field) != ep_index);
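Review bot: BUG_ON(!event) directly after xhci_wait_for_event(ctrl, TRB_TRANSFER) in abort_td() turns an uncontrolled NULL dereference into a deliberate halt, but the system still stops whenever no transfer event comes back for the TRB_STOP_RING command. The commit message describes abort_td() as the recovery path for transfers that have already timed out, so an unresponsive device can still halt the system at this point. Since abort_td() returns void, consider printing an error and returning early when event is NULL, which also skips the two following BUG_ON checks that read event->trans_event.flags. If halting is the intended behaviour, a one-line comment above the new BUG_ON stating when xhci_wait_for_event() can return NULL would make that clear to the next reader.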
In the recovery function abort_td run after timed out XHCI transfers, there's a possible NULL pointer dereference. Instead, explicitly BUG_ON that condition.

Signed-off-by: Jim Posen <jim.posen@gmail.com>
---
drivers/usb/host/xhci-ring.c | 1 +
1 file changed, 1 insertion(+)