summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRob Herring <robh@kernel.org>2015-07-24 10:14:21 -0500
committerMarek Vasut <marex@denx.de>2015-07-24 22:08:38 +0200
commit58d6d139c3e7bb923029e7ba18bfec7f420ead0f (patch)
treea4c59e5fe253f4f535e90e174a8f6b728dfd8f73
parent85a9ea314e36fc42656bc93c9e3d83d58b595d3e (diff)
downloadu-boot-imx-58d6d139c3e7bb923029e7ba18bfec7f420ead0f.zip
u-boot-imx-58d6d139c3e7bb923029e7ba18bfec7f420ead0f.tar.gz
u-boot-imx-58d6d139c3e7bb923029e7ba18bfec7f420ead0f.tar.bz2
usb: ci_udc: fix request allocation when endpoints are disabled
The ci_udc driver request allocation assumes that the endpoint descriptor pointer is set to retrieve the endpoint number, but that is only true when the endpoint is enabled. This results in a NULL ptr dereference which for me happens to return 0 value. This causes the EP0 request struct to be returned for other endpoints. Some gadget drivers like fastboot and USB MS work fine, but ethernet does not. Really, the ci_udc driver is the oddball here doing this EP0 special case handling Stephen added. All the other drivers alloc/free functions are pretty much the same with the only variation being the size of the private struct. This could all be consolidated to a common function. Signed-off-by: Rob Herring <robh@kernel.org> Cc: Marek Vasut <marex@denx.de> Acked-by: Stephen Warren <swarren@nvidia.com>
-rw-r--r--drivers/usb/gadget/ci_udc.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/drivers/usb/gadget/ci_udc.c b/drivers/usb/gadget/ci_udc.c
index 993be31..3e8eb87 100644
--- a/drivers/usb/gadget/ci_udc.c
+++ b/drivers/usb/gadget/ci_udc.c
@@ -258,10 +258,12 @@ static struct usb_request *
ci_ep_alloc_request(struct usb_ep *ep, unsigned int gfp_flags)
{
struct ci_ep *ci_ep = container_of(ep, struct ci_ep, ep);
- int num;
+ int num = -1;
struct ci_req *ci_req;
- num = ci_ep->desc->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK;
+ if (ci_ep->desc)
+ num = ci_ep->desc->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK;
+
if (num == 0 && controller.ep0_req)
return &controller.ep0_req->req;
@@ -281,9 +283,11 @@ static void ci_ep_free_request(struct usb_ep *ep, struct usb_request *req)
{
struct ci_ep *ci_ep = container_of(ep, struct ci_ep, ep);
struct ci_req *ci_req = container_of(req, struct ci_req, req);
- int num;
+ int num = -1;
+
+ if (ci_ep->desc)
+ num = ci_ep->desc->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK;
- num = ci_ep->desc->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK;
if (num == 0) {
if (!controller.ep0_req)
return;