Bug 9594

Summary: Dereferencing NULL pointer on drivers/usb/gadget/ether.c
Product: Drivers
Reporter: Marcio Buss (marciobuss)
Component: USB
Assignee: Greg Kroah-Hartman (greg)
Status: REJECTED WILL_NOT_FIX
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.23
Subsystem:
Regression: ---
Bisected commit-id:
Bug Depends on:
Bug Blocks: 5089
Attachments: probable fix

Description Marcio Buss 2007-12-17 22:16:22 UTC
The potential error can be tracked down as follows:

(1) line 1050: let the second conjunct on the "if" statement be false
    meaning "dev->status_ep" is null. This means the "if" evaluates to false.

follow through the code until...

(2) line 1101: usb_ep_disable(dev->status_ep) passes in a null argument,
    however "usb_ep_disable" cannot handle that:

   static inline int
   usb_ep_disable (struct usb_ep *ep)
   {
        return ep->ops->disable (ep);
   }
Comment 1 Anonymous Emailer 2007-12-17 22:29:51 UTC
Reply-To: akpm@linux-foundation.org

On Mon, 17 Dec 2007 22:16:23 -0800 (PST) bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=9594
> 
>            Summary: Dereferencing NULL pointer on drivers/usb/gadget/ether.c
>            Product: Drivers
>            Version: 2.5
>      KernelVersion: 2.6.23
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: USB
>         AssignedTo: greg@kroah.com
>         ReportedBy: marciobuss@gmail.com
> 
> 
> The potential error can be tracked down as follows:
> 
> (1) line 1050: let the second conjunct on the "if" statement be false
>     meaning "dev->status_ep" is null. This means the "if" evaluates to false.
> 
> follow through the code until...
> 
> (2) line 1101: usb_ep_disable(dev->status_ep) passes in a null argument,
>     however "usb_ep_disable" cannot handle that:
> 
>    static inline int
>    usb_ep_disable (struct usb_ep *ep)
>    {
>         return ep->ops->disable (ep);
>    }
Comment 2 Anonymous Emailer 2007-12-19 10:19:33 UTC
Reply-To: david-b@pacbell.net

> > http://bugzilla.kernel.org/show_bug.cgi?id=9594
> > 
> >     ...
> > 
> > The potential error can be tracked down as follows:
> > 
> > (1) line 1050: let the second conjunct on the "if" statement be false
> >     meaning "dev->status_ep" is null. This means the "if" evaluates to false.

I'm guessing this is really line 1020 at the top of set_ether_config(),
in the current kernel.  Because line 1050 has nothing to do with status_ep.

> > follow through the code until...
> > 
> > (2) line 1101: usb_ep_disable(dev->status_ep) passes in a null argument,
> >     however "usb_ep_disable" cannot handle that:

And I'm assuming that's 51 lines later, the "on error..." path.
As we know, no errors happen hence all error paths work Just Fine.  ;)

Another way to put this diagnosis is that the same test needs to
be used in both places, else it's overkill in one of them.
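The asymmetry Comment 2 describes, as an added user-space model (not the kernel's ether.c and not the attached fix): the optional status endpoint is tested at setup, so the "on error" teardown must repeat the same test before calling the unchecked usb_ep_disable(). The mocked usb_ep/usb_ep_ops structs and every function ending in _model are constructed here for illustration.

```c
/* Added example, not code from ether.c or from the attachment. */
#include <stddef.h>

struct usb_ep;
struct usb_ep_ops {
	int (*enable)(struct usb_ep *ep);
	int (*disable)(struct usb_ep *ep);
};
struct usb_ep {
	const struct usb_ep_ops *ops;
	int enabled;
};
struct eth_dev_model {
	struct usb_ep *in_ep;
	struct usb_ep *status_ep;	/* optional: NULL when there is no status endpoint */
};

/* Same shape as the inline helper quoted in the report: ep is dereferenced
 * unconditionally, so every caller must guarantee ep != NULL. */
static inline int usb_ep_disable(struct usb_ep *ep) { return ep->ops->disable(ep); }
static inline int usb_ep_enable(struct usb_ep *ep) { return ep->ops->enable(ep); }

static int mock_enable(struct usb_ep *ep) { ep->enabled = 1; return 0; }
static int mock_disable(struct usb_ep *ep) { ep->enabled = 0; return 0; }
static const struct usb_ep_ops mock_ops = { mock_enable, mock_disable };

/* Models the two places Comment 2 points at: the guarded setup at the top
 * and the "on error" teardown below it. fail_in_ep forces the later failure. */
static int set_ether_config_model(struct eth_dev_model *dev, int fail_in_ep)
{
	int result = 0;

	if (dev->status_ep)				/* setup: status endpoint is optional */
		result = usb_ep_enable(dev->status_ep);
	if (result == 0)
		result = fail_in_ep ? -1 : usb_ep_enable(dev->in_ep);

	if (result < 0) {
		/* on error: repeat the same test. Calling usb_ep_disable(dev->status_ep)
		 * unconditionally here is the NULL dereference the report describes. */
		if (dev->status_ep)
			usb_ep_disable(dev->status_ep);
	}
	return result;
}

/* Runs the model once with or without a status endpoint; reports the
 * status endpoint's final enabled state through *status_left_enabled. */
static int run_model(int have_status, int fail_in_ep, int *status_left_enabled)
{
	struct usb_ep st = { &mock_ops, 0 }, in = { &mock_ops, 0 };
	struct eth_dev_model dev = { &in, have_status ? &st : NULL };
	int result = set_ether_config_model(&dev, fail_in_ep);

	if (status_left_enabled)
		*status_left_enabled = st.enabled;
	return result;
}
```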
Comment 3 David Brownell 2007-12-19 10:34:53 UTC
Created attachment 14127
probable fix

I'm assuming this is another bug noted by code inspection rather than real usage, so testing is impossible ... please clarify.