usb: gadget: tegra: check ep->desc before calling ep_index

tegra_ep_disable will set ep->desc to be NULL. So in tegra_ep_dequeue,
ep->desc needs to be checked before calling ep_index or kernel panic
may happen due to NULL pointer.

Bug 1506083

Change-Id: I24390d863d3e31cb02a8e53015e1d0137f18487a
Signed-off-by: Kerwin Wan <kerwinw@nvidia.com>
Reviewed-on: http://git-master/r/400828
(cherry picked from commit 1a25c75ce4fbd29cbde10122e829201f762ef26e)
Reviewed-on: http://git-master/r/405001
Reviewed-by: Rakesh Babu Bodla <rbodla@nvidia.com>
Reviewed-by: Venkat Moganty <vmoganty@nvidia.com>

diff --git a/drivers/usb/gadget/tegra_udc.c b/drivers/usb/gadget/tegra_udc.c
index 7fbbc31aeac207057a877f2ad0d7b6bca74e3677..7d1c0e6b5305f7cd05672c2d47e71d504758d97e 100644 (file)
--- a/drivers/usb/gadget/tegra_udc.c
+++ b/drivers/usb/gadget/tegra_udc.c
@@ -1087,6 +1087,10 @@ static int tegra_ep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
                return -EINVAL;
 
        spin_lock_irqsave(&ep->udc->lock, flags);
+       if (!ep->desc) {
+               spin_unlock_irqrestore(&ep->udc->lock, flags);
+               return -EINVAL;
+       }
        stopped = ep->stopped;
 
        /* Stop the ep before we deal with the queue */