Re: [PATCH] drivers: usb: gadget: udc: Fix NULL dereference

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Peter Chen <peter.chen@freescale.com>
To: Tapasweni Pathak <tapaswenipathak@gmail.com>
Cc: <balbi@ti.com>, <gregkh@linuxfoundation.org>,
	<jg1.han@samsung.com>, <benoit.taine@lip6.fr>,
	<linux-usb@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<julia.lawall@lip6.fr>
Subject: Re: [PATCH] drivers: usb: gadget: udc: Fix NULL dereference
Date: Wed, 4 Mar 2015 09:11:19 +0800	[thread overview]
Message-ID: <20150304011118.GB23399@shlinux2> (raw)
In-Reply-To: <20150303125841.GA9671@kt-Inspiron-3542>

On Tue, Mar 03, 2015 at 06:28:42PM +0530, Tapasweni Pathak wrote:
> This patch fixes multiple instances of null pointer dereference in this code.
> 
> ep->udc is assigned to udc. ep is just an offset from _ep. _ep is then
> checked for NULL. udc is dereferenced under the NULL check for _ep, making
> an invalid pointer reference.
> 
> udc is then checked for NULL, if NULL, it is then dereferenced as
> udc->dev.
> 
> To fix these issues, shift assignment of udc by dereferencing ep after
> null check for _ep, replace both dev_dbg statements with pr_debug.
> 
> Found using Coccinelle.
> 
> Signed-off-by: Tapasweni Pathak <tapaswenipathak@gmail.com>
> Suggested-by : Julia Lawall <julia.lawall@lip6.fr>
> Reviewed-by : Julia Lawall <julia.lawall@lip6.fr>
> ---
>  drivers/usb/gadget/udc/lpc32xx_udc.c |    7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c
> index 27fd413..6398539 100644
> --- a/drivers/usb/gadget/udc/lpc32xx_udc.c
> +++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
> @@ -1807,17 +1807,16 @@ static int lpc32xx_ep_queue(struct usb_ep *_ep,
>  	    !list_empty(&req->queue))
>  		return -EINVAL;
> 
> -	udc = ep->udc;
> -
>  	if (!_ep) {
> -		dev_dbg(udc->dev, "invalid ep\n");
> +		pr_debug("invalid ep\n");
>  		return -EINVAL;
>  	}
> 
> +	udc = ep->udc;
> 
>  	if ((!udc) || (!udc->driver) ||
>  	    (udc->gadget.speed == USB_SPEED_UNKNOWN)) {
> -		dev_dbg(udc->dev, "invalid device\n");
> +		pr_debug("invalid device\n");
>  		return -EINVAL;
>  	}
> 

It is driver code, we'd better use dev_dbg. If _ep exists,
both ep and udc should exist. So, how about just checking
_ep at the beginning:

diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c
index 27fd413..c65de0e 100644
--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
+++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
@@ -1803,7 +1803,7 @@ static int lpc32xx_ep_queue(struct usb_ep *_ep,
 	req = container_of(_req, struct lpc32xx_request, req);
 	ep = container_of(_ep, struct lpc32xx_ep, ep);
 
-	if (!_req || !_req->complete || !_req->buf ||
+	if (!_ep || !_req || !_req->complete || !_req->buf ||
 	    !list_empty(&req->queue))
 		return -EINVAL;
 
@@ -1815,8 +1815,7 @@ static int lpc32xx_ep_queue(struct usb_ep *_ep,
 	}
 
 
-	if ((!udc) || (!udc->driver) ||
-	    (udc->gadget.speed == USB_SPEED_UNKNOWN)) {
+	if ((!udc->driver) || (udc->gadget.speed == USB_SPEED_UNKNOWN)) {
 		dev_dbg(udc->dev, "invalid device\n");
 		return -EINVAL;
 	}

-- 

Best Regards,
Peter Chen

next prev parent reply	other threads:[~2015-03-04  2:24 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-03 12:58 [PATCH] drivers: usb: gadget: udc: Fix NULL dereference Tapasweni Pathak
2015-03-04  1:11 ` Peter Chen [this message]
2015-03-09 15:41   ` Felipe Balbi
2015-03-10  2:02     ` Peter Chen
2015-03-10  2:36       ` Felipe Balbi
2015-03-10  3:00         ` Peter Chen
2015-03-10 20:50           ` Felipe Balbi

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:27fd413 dfblob:c65de0e )
 OR (
bs:"Re: [PATCH] drivers: usb: gadget: udc: Fix NULL dereference" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150304011118.GB23399@shlinux2 \
    --to=peter.chen@freescale.com \
    --cc=balbi@ti.com \
    --cc=benoit.taine@lip6.fr \
    --cc=gregkh@linuxfoundation.org \
    --cc=jg1.han@samsung.com \
    --cc=julia.lawall@lip6.fr \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=tapaswenipathak@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.