Re: [Qemu-devel] [PULL 4/5] usb-mtp: Introduce write support for MTP objects

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Bandan Das <bsd@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Gerd Hoffmann <kraxel@redhat.com>,
	QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PULL 4/5] usb-mtp: Introduce write support for MTP objects
Date: Mon, 30 Apr 2018 13:56:10 -0400	[thread overview]
Message-ID: <jpg1sewshmt.fsf@linux.bootlegged.copy> (raw)
In-Reply-To: <CAFEAcA8D=xERhHb06izoE9SeWN7zp8qRUqGjij3k1hR4xpiZsA@mail.gmail.com> (Peter Maydell's message of "Fri, 27 Apr 2018 14:38:25 +0100")

Peter Maydell <peter.maydell@linaro.org> writes:

> On 27 February 2018 at 08:39, Gerd Hoffmann <kraxel@redhat.com> wrote:
>> From: Bandan Das <bsd@redhat.com>
>>
>> Allow write operations on behalf of the initiator. The
>> precursor to write is the sending of the write metadata
>> that consists of the ObjectInfo dataset. This patch introduces
>> a flag that is set when the responder is ready to receive
>> write data based on a previous SendObjectInfo operation by
>> the initiator (The SendObjectInfo implementation is in a
>> later patch)
>>
>> Signed-off-by: Bandan Das <bsd@redhat.com>
>> Message-id: 20180223164829.29683-5-bsd@redhat.com
>> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
>
> Hi. Coverity (CID 1390604) complains here about a possible
> use-after-NULL-check:
>
>> @@ -1567,8 +1706,13 @@ static void usb_mtp_handle_data(USBDevice *dev, USBPacket *p)
>>              p->status = USB_RET_STALL;
>>              return;
>>          }
>> -        usb_packet_copy(p, &container, sizeof(container));
>> -        switch (le16_to_cpu(container.type)) {
>> +        if (s->data_out && !s->data_out->first) {
>> +            container_type = TYPE_DATA;
>
> Here we check s->data_out, so we might set container_type
> to TYPE_DATA with s->data_out == NULL...

Just to be sure, is it enough to replace the if with:
if (s->data !=NULL && !s->data->first) ?

Bandan

>> +        } else {
>> +            usb_packet_copy(p, &container, sizeof(container));
>> +            container_type = le16_to_cpu(container.type);
>> +        }
>> +        switch (container_type) {
>>          case TYPE_COMMAND:
>>              if (s->data_in || s->data_out || s->result) {
>>                  trace_usb_mtp_stall(s->dev.addr, "transaction inflight");
>> @@ -1599,6 +1743,15 @@ static void usb_mtp_handle_data(USBDevice *dev, USBPacket *p)
>>                                    (cmd.argc > 4) ? cmd.argv[4] : 0);
>>              usb_mtp_command(s, &cmd);
>>              break;
>> +        case TYPE_DATA:
>> +            /* One of the previous transfers has already errored but the
>> +             * responder is still sending data associated with it
>> +             */
>> +            if (s->result != NULL) {
>> +                return;
>> +            }
>> +            usb_mtp_get_data(s, &container, p);
>
> ...but here we call usb_mtp_get_data(), which will always
> dereference s->data_out, and so will crash if it is NULL.
>
>> +            break;
>>          default:
>>              /* not needed as long as the mtp device is read-only */
>>              p->status = USB_RET_STALL;
>> --
>> 2.9.3
>
> thanks
> -- PMM

next prev parent reply	other threads:[~2018-04-30 17:56 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-02-27  8:39 [Qemu-devel] [PULL 0/5] Usb 20180227 patches Gerd Hoffmann
2018-02-27  8:39 ` [Qemu-devel] [PULL 1/5] usb-mtp: Add one more argument when building results Gerd Hoffmann
2018-02-27  8:39 ` [Qemu-devel] [PULL 2/5] usb-mtp: print parent path in IN_IGNORED trace fn Gerd Hoffmann
2018-02-27  8:39 ` [Qemu-devel] [PULL 3/5] usb-mtp: Support delete of mtp objects Gerd Hoffmann
2019-03-05 16:14   ` Peter Maydell
2018-02-27  8:39 ` [Qemu-devel] [PULL 4/5] usb-mtp: Introduce write support for MTP objects Gerd Hoffmann
2018-04-27 13:38   ` Peter Maydell
2018-04-30 17:56     ` Bandan Das [this message]
2018-02-27  8:39 ` [Qemu-devel] [PULL 5/5] usb-mtp: Advertise SendObjectInfo for write support Gerd Hoffmann
2018-04-27 13:28   ` Peter Maydell
2018-04-27 13:35   ` Peter Maydell
2018-02-27 19:28 ` [Qemu-devel] [PULL 0/5] Usb 20180227 patches Peter Maydell
  -- strict thread matches above, loose matches on Subject: below --
2018-02-20 15:28 [Qemu-devel] [PULL 0/5] Usb 20180220 patches Gerd Hoffmann
2018-02-20 15:28 ` [Qemu-devel] [PULL 4/5] usb-mtp: Introduce write support for MTP objects Gerd Hoffmann
2018-02-20 20:47   ` Eric Blake
2018-02-20 21:27     ` Bandan Das

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=jpg1sewshmt.fsf@linux.bootlegged.copy \
    --to=bsd@redhat.com \
    --cc=kraxel@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.