Bug 9595 - Another potential NULL ptr dereference, drivers/usb/gadget/fsl_usb2_udc.c
Status: CLOSED CODE_FIX
Alias: None
Product: Drivers
Classification: Unclassified
Component: USB
Hardware: All Linux
Importance: P1 normal
Assignee: David Brownell
Reported: 2007-12-17 22:22 UTC by Marcio Buss
Modified: 2008-09-22 10:39 UTC
Kernel Version: 2.6.23
Tree: Mainline
Regression: ---

Description Marcio Buss 2007-12-17 22:22:06 UTC
The following code fragment occurs at line 773:

	if (!_ep || (!ep->desc && ep_index(ep))) {
		VDBG("%s, bad ep\n", __FUNCTION__);
		return -EINVAL;
	}

Shouldn't the first conjunct of the "&&" test be "ep->desc"?

	if (!_ep || (ep->desc && ep_index(ep))) {
		VDBG("%s, bad ep\n", __FUNCTION__);
		return -EINVAL;
	}
Comment 1 Anonymous Emailer 2008-01-02 01:31:14 UTC
Reply-To: david-b@pacbell.net

On Monday 17 December 2007, bugme-daemon@bugzilla.kernel.org wrote:
> http://bugzilla.kernel.org/show_bug.cgi?id=9595

The maintainers of this driver are in a better position to handle
this than I am ...

I think this is a bogus bug report, since the clause in question is
just rejecting endpoints other than ep0 that don't have descriptors.
(If it's coded like other drivers...)
Comment 2 Anonymous Emailer 2008-01-03 00:59:58 UTC
Reply-To: leoli@freescale.com

On Wed, 2008-01-02 at 01:31 -0800, David Brownell wrote:
> On Monday 17 December 2007, bugme-daemon@bugzilla.kernel.org wrote:
> > http://bugzilla.kernel.org/show_bug.cgi?id=9595
> 
> The maintainers of this driver are in a better position to handle
> this than I am ...
> 
> I think this is a bogus bug report, since the clause in question is
> just rejecting endpoints other than ep0 that don't have descriptors.
> (If it's coded like other drivers...)

For fsl_usb2_udc driver, ep0 also has a descriptor.  Current code is
misleading and contains a logical mistake.  Here is the patch to clean it
up.  Thanks.

---
diff --git a/drivers/usb/gadget/fsl_usb2_udc.c b/drivers/usb/gadget/fsl_usb2_udc.c
index 038e7d7..08cb673 100644
--- a/drivers/usb/gadget/fsl_usb2_udc.c
+++ b/drivers/usb/gadget/fsl_usb2_udc.c
@@ -776,7 +776,7 @@ fsl_ep_queue(struct usb_ep *_ep, struct usb_request *_req, gfp_t gfp_flags)
 		VDBG("%s, bad params\n", __FUNCTION__);
 		return -EINVAL;
 	}
-	if (!_ep || (!ep->desc && ep_index(ep))) {
+	if (unlikely(!_ep || !ep->desc)) {
 		VDBG("%s, bad ep\n", __FUNCTION__);
 		return -EINVAL;
 	}
Comment 3 Alan 2008-09-22 10:39:39 UTC
Upstream merge checked
