[PATCH] USB Pegasus driver - avoid a potential NULL pointer dereference.

[PATCH] USB Pegasus driver - avoid a potential NULL pointer dereference.

[Jesper Juhl]

Hello,

This patch makes sure we don't dereference a NULL pointer in 
drivers/net/usb/pegasus.c::write_bulk_callback() in the initial 
struct net_device *net = pegasus->net; assignment.
The existing code checks if 'pegasus' is NULL and bails out if 
it is, so we better not touch that pointer until after that check.

Please consider merging.


Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
---

 drivers/net/usb/pegasus.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
index a05fd97..04cba6b 100644
--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
@@ -768,11 +768,13 @@ done:
 static void write_bulk_callback(struct urb *urb)
 {
 	pegasus_t *pegasus = urb->context;
-	struct net_device *net = pegasus->net;
+	struct net_device *net;
 
 	if (!pegasus)
 		return;
 
+	net = pegasus->net;
+
 	if (!netif_device_present(net) || !netif_running(net))
 		return;
 


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel

Re: [PATCH] USB Pegasus driver - avoid a potential NULL pointer dereference.

[Satyam Sharma]

Hi,

On 7/29/07, Jesper Juhl <jesper.juhl@gmail.com> wrote:
> Hello,
>
> This patch makes sure we don't dereference a NULL pointer in
> drivers/net/usb/pegasus.c::write_bulk_callback() in the initial
> struct net_device *net = pegasus->net; assignment.
> The existing code checks if 'pegasus' is NULL and bails out if
> it is, so we better not touch that pointer until after that check.
> [...]
> diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
> index a05fd97..04cba6b 100644
> --- a/drivers/net/usb/pegasus.c
> +++ b/drivers/net/usb/pegasus.c
> @@ -768,11 +768,13 @@ done:
>  static void write_bulk_callback(struct urb *urb)
>  {
>         pegasus_t *pegasus = urb->context;
> -       struct net_device *net = pegasus->net;
> +       struct net_device *net;
>
>         if (!pegasus)
>                 return;
>
> +       net = pegasus->net;
> +
>         if (!netif_device_present(net) || !netif_running(net))
>                 return;

Is it really possible that we're called into this function with
urb->context == NULL? If not, I'd suggest let's just get rid of
the check itself, instead.

Satyam

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel

Re: [PATCH] USB Pegasus driver - avoid a potential NULL pointer dereference.

[Jesper Juhl]

On 29/07/07, Satyam Sharma <satyam.sharma@gmail.com> wrote:
> Hi,
>
> On 7/29/07, Jesper Juhl <jesper.juhl@gmail.com> wrote:
> > Hello,
> >
> > This patch makes sure we don't dereference a NULL pointer in
> > drivers/net/usb/pegasus.c::write_bulk_callback() in the initial
> > struct net_device *net = pegasus->net; assignment.
> > The existing code checks if 'pegasus' is NULL and bails out if
> > it is, so we better not touch that pointer until after that check.
> > [...]
> > diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
> > index a05fd97..04cba6b 100644
> > --- a/drivers/net/usb/pegasus.c
> > +++ b/drivers/net/usb/pegasus.c
> > @@ -768,11 +768,13 @@ done:
> >  static void write_bulk_callback(struct urb *urb)
> >  {
> >         pegasus_t *pegasus = urb->context;
> > -       struct net_device *net = pegasus->net;
> > +       struct net_device *net;
> >
> >         if (!pegasus)
> >                 return;
> >
> > +       net = pegasus->net;
> > +
> >         if (!netif_device_present(net) || !netif_running(net))
> >                 return;
>
> Is it really possible that we're called into this function with
> urb->context == NULL? If not, I'd suggest let's just get rid of
> the check itself, instead.
>
I'm not sure. I am not very familiar with this code. I just figured
that moving the assignment is potentially a little safer and it is
certainly no worse than the current code, so that's a safe and
potentially benneficial change. Removing the check may be safe but I'm
not certain enough to make that call...

-- 
Jesper Juhl <jesper.juhl@gmail.com>
Don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please      http://www.expita.com/nomime.html

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel

Re: [linux-usb-devel] [PATCH] USB Pegasus driver - avoid a potential NULL pointer dereference.

[Oliver Neukum]

Am Sonntag 29 Juli 2007 schrieb Jesper Juhl:
> On 29/07/07, Satyam Sharma <satyam.sharma@gmail.com> wrote:
> > Hi,
> >
> > On 7/29/07, Jesper Juhl <jesper.juhl@gmail.com> wrote:
> > > Hello,
> > >
> > > This patch makes sure we don't dereference a NULL pointer in
> > > drivers/net/usb/pegasus.c::write_bulk_callback() in the initial
> > > struct net_device *net = pegasus->net; assignment.
> > > The existing code checks if 'pegasus' is NULL and bails out if
> > > it is, so we better not touch that pointer until after that check.
> > > [...]
> > > diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
> > > index a05fd97..04cba6b 100644
> > > --- a/drivers/net/usb/pegasus.c
> > > +++ b/drivers/net/usb/pegasus.c
> > > @@ -768,11 +768,13 @@ done:
> > >  static void write_bulk_callback(struct urb *urb)
> > >  {
> > >         pegasus_t *pegasus = urb->context;
> > > -       struct net_device *net = pegasus->net;
> > > +       struct net_device *net;
> > >
> > >         if (!pegasus)
> > >                 return;
> > >
> > > +       net = pegasus->net;
> > > +
> > >         if (!netif_device_present(net) || !netif_running(net))
> > >                 return;
> >
> > Is it really possible that we're called into this function with
> > urb->context == NULL? If not, I'd suggest let's just get rid of
> > the check itself, instead.
> >
> I'm not sure. I am not very familiar with this code. I just figured
> that moving the assignment is potentially a little safer and it is
> certainly no worse than the current code, so that's a safe and
> potentially benneficial change. Removing the check may be safe but I'm
> not certain enough to make that call...

pegasus == NULL there would be a kernel bug. Silently ignoring
it, like the code now wants to do is bad. As the oops has never been
reported, I figure turning it into an explicit debugging test is overkill,
so removal seems to be the best option.

	Regards
		Oliver

Re: [PATCH] USB Pegasus driver - avoid a potential NULL pointer dereference.

[Satyam Sharma]

On Sun, 29 Jul 2007, Oliver Neukum wrote:

> Am Sonntag 29 Juli 2007 schrieb Jesper Juhl:
> > On 29/07/07, Satyam Sharma <satyam.sharma@gmail.com> wrote:
> > > Hi,
> > >
> > > On 7/29/07, Jesper Juhl <jesper.juhl@gmail.com> wrote:
> > > > Hello,
> > > >
> > > > This patch makes sure we don't dereference a NULL pointer in
> > > > drivers/net/usb/pegasus.c::write_bulk_callback() in the initial
> > > > struct net_device *net = pegasus->net; assignment.
> > > > The existing code checks if 'pegasus' is NULL and bails out if
> > > > it is, so we better not touch that pointer until after that check.
> > > > [...]
> > >
> > > Is it really possible that we're called into this function with
> > > urb->context == NULL? If not, I'd suggest let's just get rid of
> > > the check itself, instead.
> > >
> > I'm not sure. I am not very familiar with this code. I just figured
> > that moving the assignment is potentially a little safer and it is
> > certainly no worse than the current code, so that's a safe and
> > potentially benneficial change. Removing the check may be safe but I'm
> > not certain enough to make that call...
> 
> pegasus == NULL there would be a kernel bug. Silently ignoring
> it, like the code now wants to do is bad. As the oops has never been
> reported, I figure turning it into an explicit debugging test is overkill,
> so removal seems to be the best option.

Ok, thanks. Updated patch below.

[PATCH] pegasus: Remove bogus checks in urb->complete() callbacks

urb->complete() callbacks registered in drivers/net/usb/pegasus.c needlessly
check for urb->context != NULL, but that is not possible (the only way that
can be possible would be a kernel bug elsewhere, and these checks would
simply end up hiding that). So let's remove the bogus checks.

Signed-off-by: Satyam Sharma <satyam@infradead.org>

---

 drivers/net/usb/pegasus.c |    9 +--------
 1 files changed, 1 insertions(+), 8 deletions(-)

diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
index a05fd97..439ef9f 100644
--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
@@ -770,9 +770,6 @@ static void write_bulk_callback(struct urb *urb)
 	pegasus_t *pegasus = urb->context;
 	struct net_device *net = pegasus->net;
 
-	if (!pegasus)
-		return;
-
 	if (!netif_device_present(net) || !netif_running(net))
 		return;
 
@@ -805,13 +802,9 @@ static void write_bulk_callback(struct urb *urb)
 static void intr_callback(struct urb *urb)
 {
 	pegasus_t *pegasus = urb->context;
-	struct net_device *net;
+	struct net_device *net = pegasus->net;
 	int status;
 
-	if (!pegasus)
-		return;
-	net = pegasus->net;
-
 	switch (urb->status) {
 	case 0:
 		break;

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel

Re: [PATCH] USB Pegasus driver - avoid a potential NULL pointer dereference.

[Petko Manolov]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 2206 bytes --]

On Sun, 29 Jul 2007, Oliver Neukum wrote:

> Am Sonntag 29 Juli 2007 schrieb Jesper Juhl:
>> On 29/07/07, Satyam Sharma <satyam.sharma@gmail.com> wrote:
>>> Hi,
>>>
>>> On 7/29/07, Jesper Juhl <jesper.juhl@gmail.com> wrote:
>>>> Hello,
>>>>
>>>> This patch makes sure we don't dereference a NULL pointer in
>>>> drivers/net/usb/pegasus.c::write_bulk_callback() in the initial
>>>> struct net_device *net = pegasus->net; assignment.
>>>> The existing code checks if 'pegasus' is NULL and bails out if
>>>> it is, so we better not touch that pointer until after that check.
>>>> [...]
>>>> diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
>>>> index a05fd97..04cba6b 100644
>>>> --- a/drivers/net/usb/pegasus.c
>>>> +++ b/drivers/net/usb/pegasus.c
>>>> @@ -768,11 +768,13 @@ done:
>>>>  static void write_bulk_callback(struct urb *urb)
>>>>  {
>>>>         pegasus_t *pegasus = urb->context;
>>>> -       struct net_device *net = pegasus->net;
>>>> +       struct net_device *net;
>>>>
>>>>         if (!pegasus)
>>>>                 return;
>>>>
>>>> +       net = pegasus->net;
>>>> +
>>>>         if (!netif_device_present(net) || !netif_running(net))
>>>>                 return;
>>>
>>> Is it really possible that we're called into this function with
>>> urb->context == NULL? If not, I'd suggest let's just get rid of
>>> the check itself, instead.
>>>
>> I'm not sure. I am not very familiar with this code. I just figured
>> that moving the assignment is potentially a little safer and it is
>> certainly no worse than the current code, so that's a safe and
>> potentially benneficial change. Removing the check may be safe but I'm
>> not certain enough to make that call...
>
> pegasus == NULL there would be a kernel bug. Silently ignoring
> it, like the code now wants to do is bad. As the oops has never been
> reported, I figure turning it into an explicit debugging test is overkill,
> so removal seems to be the best option.

In the past urb->context was not guaranteed to be non-null for any 
asynchronous calls.  If this is not the case anymore then it should be 
removed from at least two more locations in the driver.

Attached you'll find the resulting patch.


 		Petko

[-- Attachment #2: Type: TEXT/x-diff, Size: 1403 bytes --]

--- drivers/net/usb/pegasus.c.old	2007-07-10 11:39:50.000000000 +0300
+++ drivers/net/usb/pegasus.c	2007-07-30 11:02:10.000000000 +0300
@@ -100,9 +100,6 @@ static void ctrl_callback(struct urb *ur
 {
 	pegasus_t *pegasus = urb->context;
 
-	if (!pegasus)
-		return;
-
 	switch (urb->status) {
 	case 0:
 		if (pegasus->flags & ETH_REGS_CHANGE) {
@@ -609,15 +606,11 @@ static inline struct sk_buff *pull_skb(p
 static void read_bulk_callback(struct urb *urb)
 {
 	pegasus_t *pegasus = urb->context;
-	struct net_device *net;
+	struct net_device *net = pegasus->net;
 	int rx_status, count = urb->actual_length;
 	u8 *buf = urb->transfer_buffer;
 	__u16 pkt_len;
 
-	if (!pegasus)
-		return;
-
-	net = pegasus->net;
 	if (!netif_device_present(net) || !netif_running(net))
 		return;
 
@@ -770,9 +763,6 @@ static void write_bulk_callback(struct u
 	pegasus_t *pegasus = urb->context;
 	struct net_device *net = pegasus->net;
 
-	if (!pegasus)
-		return;
-
 	if (!netif_device_present(net) || !netif_running(net))
 		return;
 
@@ -805,13 +795,9 @@ static void write_bulk_callback(struct u
 static void intr_callback(struct urb *urb)
 {
 	pegasus_t *pegasus = urb->context;
-	struct net_device *net;
+	struct net_device *net = pegasus->net;
 	int status;
 
-	if (!pegasus)
-		return;
-	net = pegasus->net;
-
 	switch (urb->status) {
 	case 0:
 		break;

[-- Attachment #3: Type: text/plain, Size: 315 bytes --]

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

[-- Attachment #4: Type: text/plain, Size: 191 bytes --]

_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel

Re: [PATCH] USB Pegasus driver - avoid a potential NULL pointer dereference.

[Satyam Sharma]

On Mon, 30 Jul 2007, Petko Manolov wrote:

> On Sun, 29 Jul 2007, Oliver Neukum wrote:
> 
> > [...]
> > pegasus == NULL there would be a kernel bug. Silently ignoring
> > it, like the code now wants to do is bad. As the oops has never been
> > reported, I figure turning it into an explicit debugging test is overkill,
> > so removal seems to be the best option.
> 
> In the past urb->context was not guaranteed to be non-null for any
> asynchronous calls.  If this is not the case anymore then it should be removed
> from at least two more locations in the driver.
> 
> Attached you'll find the resulting patch.

Given Oliver's earlier comment, it looks okay to me. Thanks.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel