Commit 7f6f127b authored Mar 31, 2026 by Yongchao Wu Committed by Greg Kroah-Hartman Apr 02, 2026

usb: cdns3: gadget: fix NULL pointer dereference in ep_queue



When the gadget endpoint is disabled or not yet configured, the ep->desc
pointer can be NULL. This leads to a NULL pointer dereference when
__cdns3_gadget_ep_queue() is called, causing a kernel crash.

Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the
standard return code for unconfigured endpoints.

This prevents potential crashes when ep_queue is called on endpoints
that are not ready.

Fixes: 7733f6c3 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Yongchao Wu <yongchao.wu@autochips.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://patch.msgid.link/20260331000407.613298-1-yongchao.wu@autochips.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 0179c6da

drivers/usb/cdns3/cdns3-gadget.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -2589,6 +2589,9 @@ static int __cdns3_gadget_ep_queue(struct usb_ep *ep,
		struct cdns3_request *priv_req;
		int ret = 0;

		if (!ep->desc)
		return -ESHUTDOWN;

		request->actual = 0;
		request->status = -EINPROGRESS;
		priv_req = to_cdns3_request(request);