[usb-gadget-udc] question about null check after calling phys_to

All of lore.kernel.org
 help / color / mirror / Atom feed

* [usb-gadget-udc] question about null check after calling phys_to_virt() function
@ 2017-05-02 20:24 Gustavo A. R. Silva
  2017-05-16  8:10 ` Felipe Balbi
  0 siblings, 1 reply; 3+ messages in thread
From: Gustavo A. R. Silva @ 2017-05-02 20:24 UTC (permalink / raw)
  To: Felipe Balbi, Greg Kroah-Hartman, Michal Nazarewicz
  Cc: linux-geode, linux-usb, linux-kernel, Peter Senna Tschudin


Hello everybody,

While looking into Coverity ID 145958 I ran into the following piece  
of code at drivers/usb/gadget/udc/amd5536udc.c:852:

} else if (i == buf_len) {
         /* first td */
         td = (struct udc_data_dma *)phys_to_virt(
                                 req->td_data->next);
         td->status = 0;
} else {
         td = (struct udc_data_dma *)phys_to_virt(last->next);
         td->status = 0;
}

if (td)
         td->bufptr = req->req.dma + i; /* assign buffer */
else
         break;

The issue here is that _td_ pointer is being dereferenced before null check.

After searching for calls to phys_to_virt() function, I've noticed  
that is not common at all to test the returned address value.

So either the null check at line 862 is not needed or a null check  
before each td->status = 0; needs to be added.

I think it would be good to apply a patch like the following one:

-                       td->status = 0;
+
+                       if (td)
+                               td->status = 0;
+                       else
+                               break;
                 } else {
                         td = (struct udc_data_dma *)phys_to_virt(last->next);
-                       td->status = 0;
+
+                       if (td)
+                               td->status = 0;
+                       else
+                               break;
                 }

-               if (td)
-                       td->bufptr = req->req.dma + i; /* assign buffer */
-               else
-                       break;
+               td->bufptr = req->req.dma + i; /* assign buffer */


What do you think?

Thanks in advance for your comments
--
Gustavo A. R. Silva

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [usb-gadget-udc] question about null check after calling phys_to_virt() function
  2017-05-02 20:24 [usb-gadget-udc] question about null check after calling phys_to_virt() function Gustavo A. R. Silva
@ 2017-05-16  8:10 ` Felipe Balbi
  2017-05-16 16:28   ` Gustavo A. R. Silva
  0 siblings, 1 reply; 3+ messages in thread
From: Felipe Balbi @ 2017-05-16  8:10 UTC (permalink / raw)
  To: Gustavo A. R. Silva, Greg Kroah-Hartman, Michal Nazarewicz
  Cc: linux-geode, linux-usb, linux-kernel, Peter Senna Tschudin

[-- Attachment #1: Type: text/plain, Size: 1033 bytes --]


Hi,

"Gustavo A. R. Silva" <garsilva@embeddedor.com> writes:
> Hello everybody,
>
> While looking into Coverity ID 145958 I ran into the following piece  
> of code at drivers/usb/gadget/udc/amd5536udc.c:852:
>
> } else if (i == buf_len) {
>          /* first td */
>          td = (struct udc_data_dma *)phys_to_virt(
>                                  req->td_data->next);
>          td->status = 0;
> } else {
>          td = (struct udc_data_dma *)phys_to_virt(last->next);
>          td->status = 0;
> }
>
> if (td)
>          td->bufptr = req->req.dma + i; /* assign buffer */
> else
>          break;
>
> The issue here is that _td_ pointer is being dereferenced before null check.
>
> After searching for calls to phys_to_virt() function, I've noticed  
> that is not common at all to test the returned address value.
>
> So either the null check at line 862 is not needed or a null check  
> before each td->status = 0; needs to be added.

just remove the previous null check

-- 
balbi

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [usb-gadget-udc] question about null check after calling phys_to_virt() function
  2017-05-16  8:10 ` Felipe Balbi
@ 2017-05-16 16:28   ` Gustavo A. R. Silva
  0 siblings, 0 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2017-05-16 16:28 UTC (permalink / raw)
  To: Felipe Balbi
  Cc: Greg Kroah-Hartman, Michal Nazarewicz, linux-geode, linux-usb,
	linux-kernel, Peter Senna Tschudin

Hi Felipe,

Quoting Felipe Balbi <balbi@kernel.org>:

> Hi,
>
> "Gustavo A. R. Silva" <garsilva@embeddedor.com> writes:
>> Hello everybody,
>>
>> While looking into Coverity ID 145958 I ran into the following piece
>> of code at drivers/usb/gadget/udc/amd5536udc.c:852:
>>
>> } else if (i == buf_len) {
>>          /* first td */
>>          td = (struct udc_data_dma *)phys_to_virt(
>>                                  req->td_data->next);
>>          td->status = 0;
>> } else {
>>          td = (struct udc_data_dma *)phys_to_virt(last->next);
>>          td->status = 0;
>> }
>>
>> if (td)
>>          td->bufptr = req->req.dma + i; /* assign buffer */
>> else
>>          break;
>>
>> The issue here is that _td_ pointer is being dereferenced before null check.
>>
>> After searching for calls to phys_to_virt() function, I've noticed
>> that is not common at all to test the returned address value.
>>
>> So either the null check at line 862 is not needed or a null check
>> before each td->status = 0; needs to be added.
>
> just remove the previous null check
>

I get it.

Thanks!
--
Gustavo A. R. Silva

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2017-05-16 16:29 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-05-02 20:24 [usb-gadget-udc] question about null check after calling phys_to_virt() function Gustavo A. R. Silva
2017-05-16  8:10 ` Felipe Balbi
2017-05-16 16:28   ` Gustavo A. R. Silva

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.