Skip to content

Commit 31cce4c

Browse files
Nadezda Lutovinovasmb49
Nadezda Lutovinova
authored and
smb49
committed
usb: gadget: mv_u3d: request_irq() after initializing UDC
BugLink: https://bugs.launchpad.net/bugs/1946788 [ Upstream commit 2af0c5f ] If IRQ occurs between calling request_irq() and mv_u3d_eps_init(), then null pointer dereference occurs since u3d->eps[] wasn't initialized yet but used in mv_u3d_nuke(). The patch puts registration of the interrupt handler after initializing of neccesery data. Found by Linux Driver Verification project (linuxtesting.org). Fixes: 90fccb5 ("usb: gadget: Gadget directory cleanup - group UDC drivers") Acked-by: Felipe Balbi <balbi@kernel.org> Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru> Link: https://lore.kernel.org/r/20210818141247.4794-1-lutovinova@ispras.ru Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Kelsey Skunberg <kelsey.skunberg@canonical.com>
1 parent d788007 commit 31cce4c

File tree

1 file changed

+10
-9
lines changed

1 file changed

+10
-9
lines changed

drivers/usb/gadget/udc/mv_u3d_core.c

Lines changed: 10 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1921,14 +1921,6 @@ static int mv_u3d_probe(struct platform_device *dev)
19211921
goto err_get_irq;
19221922
}
19231923
u3d->irq = r->start;
1924-
if (request_irq(u3d->irq, mv_u3d_irq,
1925-
IRQF_SHARED, driver_name, u3d)) {
1926-
u3d->irq = 0;
1927-
dev_err(&dev->dev, "Request irq %d for u3d failed\n",
1928-
u3d->irq);
1929-
retval = -ENODEV;
1930-
goto err_request_irq;
1931-
}
19321924

19331925
/* initialize gadget structure */
19341926
u3d->gadget.ops = &mv_u3d_ops; /* usb_gadget_ops */
@@ -1941,6 +1933,15 @@ static int mv_u3d_probe(struct platform_device *dev)
19411933

19421934
mv_u3d_eps_init(u3d);
19431935

1936+
if (request_irq(u3d->irq, mv_u3d_irq,
1937+
IRQF_SHARED, driver_name, u3d)) {
1938+
u3d->irq = 0;
1939+
dev_err(&dev->dev, "Request irq %d for u3d failed\n",
1940+
u3d->irq);
1941+
retval = -ENODEV;
1942+
goto err_request_irq;
1943+
}
1944+
19441945
/* external vbus detection */
19451946
if (u3d->vbus) {
19461947
u3d->clock_gating = 1;
@@ -1964,8 +1965,8 @@ static int mv_u3d_probe(struct platform_device *dev)
19641965

19651966
err_unregister:
19661967
free_irq(u3d->irq, u3d);
1967-
err_request_irq:
19681968
err_get_irq:
1969+
err_request_irq:
19691970
kfree(u3d->status_req);
19701971
err_alloc_status_req:
19711972
kfree(u3d->eps);

0 commit comments

Comments
 (0)