f_acm calls usb_ep_disable(f_acm->ep_notify) unconditionally in
acm_start_ctrl(), even if the USB endpoint was never enabled before. This
causes crashes for some UDC drivers (e.g. ci_udc), because they dereference
data structures that are assigned only after having called usb_ep_enable().

The f_acm driver in U-Boot is similar to the Linux driver, where this issue
does not occur because usb_ep_disable() and usb_ep_enable() internally
track the enabled state. In Linux this change was made in commit
b0bac2581c19 ("usb: gadget: introduce 'enabled' flag in struct usb_ep") by
Robert Baldyga.

Fix the crashes for f_acm by making the same change in U-Boot. This makes
the API less bug-prone and avoids introducing crashes when adapting new
gadget drivers from Linux.

Signed-off-by: Stephan Gerhold <stephan.gerh...@linaro.org>
---
 include/linux/usb/gadget.h | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h
index 
c7927df15aa386f33eb3b3889adee854d42386a8..fe79bf64a0e1c037e69e694fe58cbe5343e18a70
 100644
--- a/include/linux/usb/gadget.h
+++ b/include/linux/usb/gadget.h
@@ -179,6 +179,7 @@ struct usb_ep {
        const struct usb_ep_ops *ops;
        struct list_head        ep_list;
        struct usb_ep_caps      caps;
+       bool                    enabled;
        unsigned                maxpacket:16;
        unsigned                maxpacket_limit:16;
        unsigned                max_streams:16;
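Review bot: The new `enabled` member is only correct at first use if every UDC driver hands out its `struct usb_ep` objects zero-initialised, which this hunk cannot guarantee; an endpoint carved out of a non-zeroed buffer, or one reused across an unbind/bind cycle, would start with a stale `true` and `usb_ep_enable()` would then skip the real enable. It is worth checking the endpoint setup path of each UDC driver and clearing the flag where an endpoint is (re)initialised, e.g. `ep->enabled = false;` next to the other per-endpoint resets. The kernel-doc block for `struct usb_ep` lies above this hunk and does not describe the field; add `@enabled: current enabled/disabled state, maintained by usb_ep_enable()/usb_ep_disable()` alongside the other member entries.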
@@ -230,7 +231,18 @@ static inline void usb_ep_set_maxpacket_limit(struct 
usb_ep *ep,
 static inline int usb_ep_enable(struct usb_ep *ep,
                                const struct usb_endpoint_descriptor *desc)
 {
-       return ep->ops->enable(ep, desc);
+       int ret;
+
+       if (ep->enabled)
+               return 0;
+
+       ret = ep->ops->enable(ep, desc);
+       if (ret)
+               return ret;
+
+       ep->enabled = true;
+
+       return 0;
 }
 
 /**
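Review bot: The `if (ep->enabled) return 0;` early exit makes the flag the only source of truth, so any path that disables an endpoint without going through `usb_ep_disable()` (a UDC driver tearing endpoints down on bus reset or disconnect, for instance) leaves `enabled` stale and the next `usb_ep_enable()` silently does nothing; the mirrored `!ep->enabled` check in the usb_ep_disable() hunk below has the same exposure. Whether a U-Boot UDC driver actually does this is not visible here, but the ci_udc behaviour described in the commit message suggests those drivers own per-endpoint state that can be torn down on their own, so their reset paths deserve an audit. The early return also discards `desc`: a second call with a different descriptor, such as after an alternate-setting change, returns 0 without reconfiguring the endpoint. The function's kernel-doc comment sits above the hunk and should state this, e.g. `* Calling this on an already enabled endpoint is a no-op that returns 0; the descriptor passed on that call is ignored.`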
@@ -247,7 +259,18 @@ static inline int usb_ep_enable(struct usb_ep *ep,
  */
 static inline int usb_ep_disable(struct usb_ep *ep)
 {
-       return ep->ops->disable(ep);
+       int ret;
+
+       if (!ep->enabled)
+               return 0;
+
+       ret = ep->ops->disable(ep);
+       if (ret)
+               return ret;
+
+       ep->enabled = false;
+
+       return 0;
 }
 
 /**
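Review bot: When `ep->ops->disable()` fails the flag is left `true`, so a later `usb_ep_disable()` retries the driver call while `usb_ep_enable()` keeps returning 0 without touching the hardware; that is a defensible choice, but the kernel-doc comment that closes at the top of this hunk does not describe it. Add `* Returns 0 without calling the driver if the endpoint is not enabled; if the driver's disable fails the endpoint is still treated as enabled.` to that comment so callers know a non-zero return means the state did not change.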

-- 
2.47.2
