usb: dwc3: gadget: Fix desc NULL pointer in dwc3_gadget_ep_queue()

dep->endpoint.desc is checked at the beginning of
dwc3_gadget_ep_queue(), but after that it may be set to NULL
by another thread and then accessed again in dwc3_gadget_ep_queue().
This will lead to kernel oops.

Expand spinlock protection area to aviod race condition.

Signed-off-by: Zhuang Jin Can <jin.can.zhuang@intel.com>
Signed-off-by: Jiebing Li <jiebing.li@intel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 349cacc577d8..e8fb231630f7 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1225,16 +1225,17 @@ static int dwc3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request,
 
         int                             ret;
 
+        spin_lock_irqsave(&dwc->lock, flags);
         if (!dep->endpoint.desc) {
                 dev_dbg(dwc->dev, "trying to queue request %p to disabled %s\n",
                                 request, ep->name);
+                spin_unlock_irqrestore(&dwc->lock, flags);
                 return -ESHUTDOWN;
         }
 
         dev_vdbg(dwc->dev, "queing request %p to %s length %d\n",
                         request, ep->name, request->length);
 
-        spin_lock_irqsave(&dwc->lock, flags);
         ret = __dwc3_gadget_ep_queue(dep, req);
         spin_unlock_irqrestore(&dwc->lock, flags);