    usb: xhci: Bugfix for NULL pointer dereference in xhci_endpoint_init() function · f30647cf
    AMAN DEEP authored
    commit 34968106 upstream.
    
    virt_dev->num_rings_cached counts on freed rings and is not updated
    correctly. In the xhci_free_or_cache_endpoint_ring() function, the freed ring
    is added into the cache and then num_rings_cached is incremented as below:
    		virt_dev->ring_cache[rings_cached] =
    			virt_dev->eps[ep_index].ring;
    		virt_dev->num_rings_cached++;
    Here, the freed ring pointer is added at the current index and then the
    index is incremented.
    So the current index always points to an empty location in the ring cache.
    For getting an available free ring, the current index should be decremented
    first and then the corresponding ring buffer value should be taken from the ring
    cache.
    
    But in the function xhci_endpoint_init(), the num_rings_cached index is
    accessed before the decrement.
    		virt_dev->eps[ep_index].new_ring =
    			virt_dev->ring_cache[virt_dev->num_rings_cached];
    		virt_dev->ring_cache[virt_dev->num_rings_cached] = NULL;
    		virt_dev->num_rings_cached--;
    This is a bug in manipulating the index of the ring cache.
    It should be as below:
    		virt_dev->num_rings_cached--;
    		virt_dev->eps[ep_index].new_ring =
    			virt_dev->ring_cache[virt_dev->num_rings_cached];
    		virt_dev->ring_cache[virt_dev->num_rings_cached] = NULL;
    Signed-off-by: Aman Deep <aman.deep@samsung.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Zefan Li <lizefan@huawei.com>
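The off-by-one described in the commit message is a classic stack-index mistake: the push stores at the current index and then advances, so the index names the next empty slot, and a pop that reads before decrementing reads that empty slot. The following is an added, self-contained model of that cache, not code from the xhci driver: `struct ring`, `struct virt_dev`, `RING_CACHE_SIZE`, `cache_ring()`, `take_ring_buggy()` and `take_ring_fixed()` are hypothetical stand-ins with the same index handling as the snippets above. The bounds checks in `cache_ring()` and `take_ring_fixed()` are assumptions added so the model runs safely; they are not claims about what the driver does around those lines.

```c
#include <stddef.h>
#include <stdio.h>

#define RING_CACHE_SIZE 4   /* assumed small cache size for the model */

/* Stand-in for a transfer ring: only an id, nothing is ever dereferenced
 * through a NULL pointer here; the demo reports the NULL instead. */
struct ring { int id; };

/* Stand-in for the part of the device state the commit talks about. */
struct virt_dev {
    struct ring *ring_cache[RING_CACHE_SIZE];
    int num_rings_cached;   /* index of the next EMPTY slot, as in the driver */
};

/* Same shape as the cache path in xhci_free_or_cache_endpoint_ring():
 * store at the current index, then advance the index. */
static int cache_ring(struct virt_dev *dev, struct ring *r)
{
    if (dev->num_rings_cached >= RING_CACHE_SIZE)
        return -1;  /* assumed: cache full, caller would free the ring */
    dev->ring_cache[dev->num_rings_cached] = r;
    dev->num_rings_cached++;
    return 0;
}

/* Same order as xhci_endpoint_init() BEFORE the fix: read the slot at the
 * current index (the empty one), clear it, then decrement.  The caller gets
 * NULL and the real ring stays behind in the cache. */
static struct ring *take_ring_buggy(struct virt_dev *dev)
{
    struct ring *r = dev->ring_cache[dev->num_rings_cached];
    dev->ring_cache[dev->num_rings_cached] = NULL;
    dev->num_rings_cached--;
    return r;
}

/* Same order as the fixed code: decrement first so the index names the slot
 * that actually holds a ring, then read and clear that slot. */
static struct ring *take_ring_fixed(struct virt_dev *dev)
{
    if (dev->num_rings_cached <= 0)
        return NULL;  /* assumed: nothing cached, caller allocates instead */
    dev->num_rings_cached--;
    struct ring *r = dev->ring_cache[dev->num_rings_cached];
    dev->ring_cache[dev->num_rings_cached] = NULL;
    return r;
}

/* Returns 1 when the buggy order hands back NULL while the ring is still
 * sitting in slot 0, i.e. a NULL dereference waiting for the next user. */
static int buggy_take_yields_null(void)
{
    struct virt_dev dev = {0};
    struct ring r = { .id = 42 };
    cache_ring(&dev, &r);
    struct ring *got = take_ring_buggy(&dev);
    return got == NULL && dev.ring_cache[0] == &r;
}

/* Returns the id of the ring the fixed order hands back (42), or -1 if the
 * cache bookkeeping is not left consistent (index 0, slot cleared). */
static int fixed_take_ring_id(void)
{
    struct virt_dev dev = {0};
    struct ring r = { .id = 42 };
    cache_ring(&dev, &r);
    struct ring *got = take_ring_fixed(&dev);
    if (got != &r || dev.num_rings_cached != 0 || dev.ring_cache[0] != NULL)
        return -1;
    return got->id;
}

int main(void)
{
    printf("buggy order returns NULL with ring stranded: %s\n",
           buggy_take_yields_null() ? "yes" : "no");
    printf("fixed order returns ring id: %d\n", fixed_take_ring_id());
    return 0;
}
```

The `dev.ring_cache[0] == &r` check in `buggy_take_yields_null()` is the part worth noticing: besides the NULL that gets dereferenced later, the buggy order never removes the cached ring, so every pop leaks one cached entry while the counter still goes down.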
xhci-mem.c 74.1 KB