From 1d76cb0f895dc8200b95aa5eaaae72c41bcc3886 Mon Sep 17 00:00:00 2001 From: Will Deacon Date: Tue, 15 Dec 2020 17:15:38 +0000 Subject: [PATCH] ANDROID: usb: f_accessory: Don't drop NULL reference in acc_disconnect() If get_acc_dev() fails to obtain a reference to the current device, acc_disconnect() will attempt to put_acc_dev() with the resulting NULL pointer, leading to a crash: | Unable to handle kernel NULL pointer dereference at virtual address 00000074 | [...] | [] (acc_disconnect) from [] (android_disconnect+0x1c/0x7c) | [] (android_disconnect) from [] (usb_gadget_udc_reset+0x10/0x34) | [] (usb_gadget_udc_reset) from [] (dwc3_gadget_reset_interrupt+0x88/0x4fc) | [] (dwc3_gadget_reset_interrupt) from [] (dwc3_process_event_buf+0x60/0x3e4) | [] (dwc3_process_event_buf) from [] (dwc3_thread_interrupt+0x24/0x3c) | [] (dwc3_thread_interrupt) from [] (irq_thread_fn+0x1c/0x58) | [] (irq_thread_fn) from [] (irq_thread+0x1ec/0x2f4) | [] (irq_thread) from [] (kthread+0x1a8/0x1ac) | [] (kthread) from [] (ret_from_fork+0x14/0x3c) Follow the pattern used elsewhere, and return early if we fail to obtain a reference. Bug: 173789633 Reported-by: YongQin Liu Signed-off-by: Will Deacon Change-Id: I37a2bff5bc1b6b8269788d08191181763bf0e896 Signed-off-by: Giuliano Procida --- drivers/usb/gadget/function/f_accessory.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/function/f_accessory.c b/drivers/usb/gadget/function/f_accessory.c index df3c2fb67701..2fed4cbb6911 100644 --- a/drivers/usb/gadget/function/f_accessory.c +++ b/drivers/usb/gadget/function/f_accessory.c @@ -1313,10 +1313,11 @@ void acc_disconnect(void) { struct acc_dev *dev = get_acc_dev(); - /* unregister all HID devices if USB is disconnected */ - if (dev) - kill_all_hid_devices(dev); + if (!dev) + return; + /* unregister all HID devices if USB is disconnected */ + kill_all_hid_devices(dev); put_acc_dev(dev); } EXPORT_SYMBOL_GPL(acc_disconnect);