From 07fd19958fbb78f42a1a6e4b019a2e2235e5cdad Mon Sep 17 00:00:00 2001 From: Will Deacon Date: Tue, 15 Dec 2020 17:15:38 +0000 Subject: [PATCH] ANDROID: usb: f_accessory: Don't drop NULL reference in acc_disconnect() If get_acc_dev() fails to obtain a reference to the current device, acc_disconnect() will attempt to put_acc_dev() with the resulting NULL pointer, leading to a crash: | Unable to handle kernel NULL pointer dereference at virtual address 00000074 | [...] | [] (acc_disconnect) from [] (android_disconnect+0x1c/0x7c) | [] (android_disconnect) from [] (usb_gadget_udc_reset+0x10/0x34) | [] (usb_gadget_udc_reset) from [] (dwc3_gadget_reset_interrupt+0x88/0x4fc) | [] (dwc3_gadget_reset_interrupt) from [] (dwc3_process_event_buf+0x60/0x3e4) | [] (dwc3_process_event_buf) from [] (dwc3_thread_interrupt+0x24/0x3c) | [] (dwc3_thread_interrupt) from [] (irq_thread_fn+0x1c/0x58) | [] (irq_thread_fn) from [] (irq_thread+0x1ec/0x2f4) | [] (irq_thread) from [] (kthread+0x1a8/0x1ac) | [] (kthread) from [] (ret_from_fork+0x14/0x3c) Follow the pattern used elsewhere, and return early if we fail to obtain a reference. Bug: 173789633 Reported-by: YongQin Liu Signed-off-by: Will Deacon Change-Id: I37a2bff5bc1b6b8269788d08191181763bf0e896 --- drivers/usb/gadget/function/f_accessory.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/function/f_accessory.c b/drivers/usb/gadget/function/f_accessory.c index 9d0896abbeb7..a66d2dffe1d3 100644 --- a/drivers/usb/gadget/function/f_accessory.c +++ b/drivers/usb/gadget/function/f_accessory.c @@ -1390,10 +1390,11 @@ void acc_disconnect(void) { struct acc_dev *dev = get_acc_dev(); - /* unregister all HID devices if USB is disconnected */ - if (dev) - kill_all_hid_devices(dev); + if (!dev) + return; + /* unregister all HID devices if USB is disconnected */ + kill_all_hid_devices(dev); put_acc_dev(dev); } EXPORT_SYMBOL_GPL(acc_disconnect);