9594 – Dereferencing NULL pointer on drivers/usb/gadget/ether.c

Bug 9594 - Dereferencing NULL pointer on drivers/usb/gadget/ether.c

Summary: Dereferencing NULL pointer on drivers/usb/gadget/ether.c

Status:	REJECTED WILL_NOT_FIX

Alias:	None

Product:	Drivers
Classification:	Unclassified
Component:	USB (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	Greg Kroah-Hartman

URL:
Keywords:

Depends on:
Blocks:	USB
	Show dependency tree

Reported:	2007-12-17 22:16 UTC by Marcio Buss
Modified:	2009-03-24 10:42 UTC (History)
CC List:	0 users

See Also:
Kernel Version:	2.6.23
Subsystem:
Regression:	---
Bisected commit-id:

Attachments
probable fix (1.10 KB, patch) 2007-12-19 10:34 UTC, David Brownell	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Description Marcio Buss 2007-12-17 22:16:22 UTC

The potential error can be tracked down as follows:

(1) line 1050: let the second conjunct on the "if" statment be false
    meaning "dev->status_ep" is null. This means the "if" evaluates to false.

follow thru the code until...

(2) line 1101: usb_ep_disable(dev->status_ep) passes in a null argument, 
    however "use_ep_disable" cannot handle that:

   static inline int
   usb_ep_disable (struct usb_ep *ep)
   {
 	return ep->ops->disable (ep);
   }

Comment 1 Anonymous Emailer 2007-12-17 22:29:51 UTC

Reply-To: akpm@linux-foundation.org

On Mon, 17 Dec 2007 22:16:23 -0800 (PST) bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=9594
> 
>            Summary: Dereferencing NULL pointer on drivers/usb/gadget/ether.c
>            Product: Drivers
>            Version: 2.5
>      KernelVersion: 2.6.23
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: USB
>         AssignedTo: greg@kroah.com
>         ReportedBy: marciobuss@gmail.com
> 
> 
> The potential error can be tracked down as follows:
> 
> (1) line 1050: let the second conjunct on the "if" statment be false
>     meaning "dev->status_ep" is null. This means the "if" evaluates to false.
> 
> follow thru the code until...
> 
> (2) line 1101: usb_ep_disable(dev->status_ep) passes in a null argument, 
>     however "use_ep_disable" cannot handle that:
> 
>    static inline int
>    usb_ep_disable (struct usb_ep *ep)
>    {
>         return ep->ops->disable (ep);
>    }
> 
> 
> -- 
> Configure bugmail: http://bugzilla.kernel.org/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are on the CC list for the bug, or are watching someone who is.

Comment 2 Anonymous Emailer 2007-12-19 10:19:33 UTC

Reply-To: david-b@pacbell.net

> > http://bugzilla.kernel.org/show_bug.cgi?id=9594
> > 
> >     ...
> > 
> > The potential error can be tracked down as follows:
> > 
> > (1) line 1050: let the second conjunct on the "if" statment be false
> >     meaning "dev->status_ep" is null. This means the "if" evaluates to
> false.

I'm guessing this is really line 1020 at the top of set_ether_config(),
in the current kernel.  Because line 1050 has nothing to do with status_ep.

> > follow thru the code until...
> > 
> > (2) line 1101: usb_ep_disable(dev->status_ep) passes in a null argument, 
> >     however "use_ep_disable" cannot handle that:

And I'm assuming that's 51 lines later, the "on error..." path.
As we know, no errors happen hence all error paths work Just Fine.  ;)

Another way to put this diagnosis is that the same test needs to
be used in both places, else it's overkill in one of them.

Comment 3 David Brownell 2007-12-19 10:34:53 UTC

Created attachment 14127 [details]
probable fix

I'm assuming this is another bug noted by code inspection rather than real usage, so testing is impossible ... please clarify.

Note You need to log in before you can comment on or make changes to this bug.