public inbox for linux-kernel@vger.kernel.org
* drivers/usb/gadget/ether.c: NULL dereference
@ 2006-11-11 16:06 Adrian Bunk
  2006-11-12  6:35 ` [linux-usb-devel] " David Brownell
  0 siblings, 1 reply; 5+ messages in thread
From: Adrian Bunk @ 2006-11-11 16:06 UTC (permalink / raw)
  To: greg; +Cc: linux-usb-devel, linux-kernel

The Coverity checker spotted the following NULL dereference of "skb" in 
drivers/usb/gadget/ether.c:

<--  snip  -->

...
static int
rx_submit (struct eth_dev *dev, struct usb_request *req, gfp_t gfp_flags)
{
        struct sk_buff          *skb;
        int                     retval = -ENOMEM;
...
        if ((skb = alloc_skb (size + NET_IP_ALIGN, gfp_flags)) == 0) {
                DEBUG (dev, "no rx skb\n");
                goto enomem;
        }
...
enomem:
                defer_kevent (dev, WORK_RX_MEMORY);
        if (retval) {
                DEBUG (dev, "rx submit --> %d\n", retval);
                dev_kfree_skb_any (skb);
...

<--  snip  -->

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed



* Re: [linux-usb-devel] drivers/usb/gadget/ether.c: NULL dereference
  2006-11-11 16:06 drivers/usb/gadget/ether.c: NULL dereference Adrian Bunk
@ 2006-11-12  6:35 ` David Brownell
  2006-11-12  6:50   ` Adrian Bunk
  0 siblings, 1 reply; 5+ messages in thread
From: David Brownell @ 2006-11-12  6:35 UTC (permalink / raw)
  To: linux-usb-devel; +Cc: Adrian Bunk, greg, linux-kernel

On Saturday 11 November 2006 8:06 am, Adrian Bunk wrote:
> The Coverity checker spotted the following NULL dereference of "skb" in 
> drivers/usb/gadget/ether.c:

I don't see such a dereference.  As usual, free(NULL) is legit.

Is this another case of bogus reports from Coverity?  I still need to
revert a bug in the EHCI debug code caused by someone "fixing" it
because Coverity doesn't understand unions...


> <--  snip  -->
> 
> ...
> static int
> rx_submit (struct eth_dev *dev, struct usb_request *req, gfp_t gfp_flags)
> {
>         struct sk_buff          *skb;
>         int                     retval = -ENOMEM;
> ...
>         if ((skb = alloc_skb (size + NET_IP_ALIGN, gfp_flags)) == 0) {
>                 DEBUG (dev, "no rx skb\n");
>                 goto enomem;
>         }
> ...
> enomem:
>                 defer_kevent (dev, WORK_RX_MEMORY);
>         if (retval) {
>                 DEBUG (dev, "rx submit --> %d\n", retval);
>                 dev_kfree_skb_any (skb);
> ...
> 
> <--  snip  -->
> 
> cu
> Adrian
> 


* Re: [linux-usb-devel] drivers/usb/gadget/ether.c: NULL dereference
  2006-11-12  6:35 ` [linux-usb-devel] " David Brownell
@ 2006-11-12  6:50   ` Adrian Bunk
  2006-11-12  7:10     ` David Brownell
  0 siblings, 1 reply; 5+ messages in thread
From: Adrian Bunk @ 2006-11-12  6:50 UTC (permalink / raw)
  To: David Brownell; +Cc: linux-usb-devel, greg, linux-kernel

On Sat, Nov 11, 2006 at 10:35:48PM -0800, David Brownell wrote:
> On Saturday 11 November 2006 8:06 am, Adrian Bunk wrote:
> > The Coverity checker spotted the following NULL dereference of "skb" in 
> > drivers/usb/gadget/ether.c:
> 
> I don't see such a dereference.  As usual, free(NULL) is legit.
>...


void dev_kfree_skb_any(struct sk_buff *skb)
{
        if (in_irq() || irqs_disabled())
                dev_kfree_skb_irq(skb);
        else
                dev_kfree_skb(skb);
}


And the first thing dev_kfree_skb_irq() does is to dereference skb...


> > <--  snip  -->
> > 
> > ...
> > static int
> > rx_submit (struct eth_dev *dev, struct usb_request *req, gfp_t gfp_flags)
> > {
> >         struct sk_buff          *skb;
> >         int                     retval = -ENOMEM;
> > ...
> >         if ((skb = alloc_skb (size + NET_IP_ALIGN, gfp_flags)) == 0) {
> >                 DEBUG (dev, "no rx skb\n");
> >                 goto enomem;
> >         }
> > ...
> > enomem:
> >                 defer_kevent (dev, WORK_RX_MEMORY);
> >         if (retval) {
> >                 DEBUG (dev, "rx submit --> %d\n", retval);
> >                 dev_kfree_skb_any (skb);
> > ...
> > 
> > <--  snip  -->
> > 
> > cu
> > Adrian
> > 

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed



* Re: [linux-usb-devel] drivers/usb/gadget/ether.c: NULL dereference
  2006-11-12  6:50   ` Adrian Bunk
@ 2006-11-12  7:10     ` David Brownell
  2006-11-12 12:23       ` Adrian Bunk
  0 siblings, 1 reply; 5+ messages in thread
From: David Brownell @ 2006-11-12  7:10 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: linux-usb-devel, greg, linux-kernel


> 
> void dev_kfree_skb_any(struct sk_buff *skb)
> {
>         if (in_irq() || irqs_disabled())
>                 dev_kfree_skb_irq(skb);
>         else
>                 dev_kfree_skb(skb);
> }
> 
> 
> And the first thing dev_kfree_skb_irq() does is to dereference skb...

Yet dev_kfree_skb() --> kfree_skb() starts with the standard idiom

	if (unlikely(!skb))
		return;

Seems to me that the finger of blame is more appropriately pointed
at either dev_kfree_skb_any() or dev_kfree_skb_irq() ...

- Dave



* Re: [linux-usb-devel] drivers/usb/gadget/ether.c: NULL dereference
  2006-11-12  7:10     ` David Brownell
@ 2006-11-12 12:23       ` Adrian Bunk
  0 siblings, 0 replies; 5+ messages in thread
From: Adrian Bunk @ 2006-11-12 12:23 UTC (permalink / raw)
  To: David Brownell; +Cc: linux-usb-devel, greg, linux-kernel, davem, netdev

On Sat, Nov 11, 2006 at 11:10:17PM -0800, David Brownell wrote:
> 
> > 
> > void dev_kfree_skb_any(struct sk_buff *skb)
> > {
> >         if (in_irq() || irqs_disabled())
> >                 dev_kfree_skb_irq(skb);
> >         else
> >                 dev_kfree_skb(skb);
> > }
> > 
> > 
> > And the first thing dev_kfree_skb_irq() does is to dereference skb...
> 
> Yet dev_kfree_skb() --> kfree_skb() starts with the standard idiom
> 
> 	if (unlikely(!skb))
> 		return;
> 
> Seems to me that the finger of blame is more appropriately pointed
> at either dev_kfree_skb_any() or dev_kfree_skb_irq() ...
>...

Adding the net maintainers to the Cc:
Is there any reason why dev_kfree_skb_irq() has no NULL check for "skb"?

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
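
Added example, not part of the thread and not kernel code: a userspace model of the call chain discussed above, showing that the same NULL free is harmless on the dev_kfree_skb() branch and faults on the dev_kfree_skb_irq() branch. All model_* names, the users field and the checked wrapper are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Userspace model; every name here is a hypothetical stand-in. */
struct model_skb { int users; };
enum free_result { FREED, IGNORED_NULL, WOULD_DEREF_NULL };

static bool model_irq_context; /* stands in for in_irq() || irqs_disabled() */

/* Models kfree_skb(): starts with the NULL check quoted in the thread. */
static enum free_result model_kfree_skb(struct model_skb *skb)
{
    if (!skb)
        return IGNORED_NULL;
    free(skb);
    return FREED;
}

/* Models dev_kfree_skb_irq(): no NULL check; the model reports the bad access. */
static enum free_result model_kfree_skb_irq(struct model_skb *skb)
{
    if (!skb)
        return WOULD_DEREF_NULL;
    skb->users--;
    free(skb);
    return FREED;
}

/* Same dispatch as dev_kfree_skb_any(): NULL safety depends on context. */
static enum free_result model_kfree_skb_any(struct model_skb *skb)
{
    return model_irq_context ? model_kfree_skb_irq(skb) : model_kfree_skb(skb);
}

/* Assumed hardening: check once at the dispatch point. */
static enum free_result model_kfree_skb_any_checked(struct model_skb *skb)
{
    return skb ? model_kfree_skb_any(skb) : IGNORED_NULL;
}

/* rx_submit() error path after alloc_skb() failed: skb is NULL. */
static enum free_result rx_error_path(bool irq_context, bool checked)
{
    struct model_skb *skb = NULL;
    model_irq_context = irq_context;
    return checked ? model_kfree_skb_any_checked(skb) : model_kfree_skb_any(skb);
}

int main(void) { return rx_error_path(true, true) == IGNORED_NULL ? 0 : 1; }
```

Because the outcome depends on the calling context, a test that only exercises the error path from process context would not hit the fault.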

