Re: [linux-usb] Robustness for usb

Wed, 29 Mar 2000 13:27:15 -0800 

I really don't like this patch.  It covers up problems in higher-level
drivers, rather than actually fixing anything.

Really, what we need to do is systematically go through all the drivers
and find all the potential race conditions which could cause the use of a
NULL pointer and lock them.

Matt Dharm

On Mon, 27 Mar 2000, Pavel Machek wrote:

> Hi!
> 
> This should help prevent some oopses. [It is good chance that upper
> layer will correctly recover from our error.]
> 
>                                                               Pavel
> 
> --- clean/drivers/usb/usb.c   Sat Mar 25 22:47:36 2000
> +++ linux/drivers/usb/usb.c   Mon Mar 27 23:55:44 2000
> @@ -27,6 +27,8 @@
>  #define DEBUG
>  #include <linux/usb.h>
>  
> +#define CHECK do { if ((!dev) || (pipe == -1)) { printk( KERN_CRIT "Someone passed 
>NULL into usb core.\n" ); return -EINVAL; } } while(0)
> +
>  /*
>   * Prototypes for the device driver probing/loading functions
>   */
> @@ -596,18 +598,20 @@
>  
>  /*-------------------------------------------------------------------*/
>  // returns status (negative) or length (positive)
> -int usb_internal_control_msg(struct usb_device *usb_dev, unsigned int pipe, 
> +int usb_internal_control_msg(struct usb_device *dev, unsigned int pipe, 
>                           devrequest *cmd,  void *data, int len, int timeout)
>  {
>       urb_t *urb;
>       int retv;
>       int length;
>  
> +     CHECK;
> +
>       urb = usb_alloc_urb(0);
>       if (!urb)
>               return -ENOMEM;
>    
> -     FILL_CONTROL_URB(urb, usb_dev, pipe, (unsigned char*)cmd, data, len,    /* 
>build urb */  
> +     FILL_CONTROL_URB(urb, dev, pipe, (unsigned char*)cmd, data, len,    /* build 
>urb */  
>                  (usb_complete_t)usb_api_blocking_completion,0);
>  
>       retv = usb_start_wait_urb(urb, timeout, &length);
> @@ -624,6 +628,8 @@
>  {
>       devrequest *dr = kmalloc(sizeof(devrequest), GFP_KERNEL);
>       int ret;
> +
> +     CHECK;
>       
>       if (!dr)
>               return -ENOMEM;
> @@ -647,11 +653,13 @@
>  /* compatibility wrapper, builds bulk urb, and waits for completion */
>  /* synchronous behavior */
>  
> -int usb_bulk_msg(struct usb_device *usb_dev, unsigned int pipe, 
> +int usb_bulk_msg(struct usb_device *dev, unsigned int pipe, 
>                       void *data, int len, int *actual_length, int timeout)
>  {
>       urb_t *urb;
>  
> +     CHECK;
> +
>       if (len < 0)
>               return -EINVAL;
>  
> @@ -659,7 +667,7 @@
>       if (!urb)
>               return -ENOMEM;
>  
> -     FILL_BULK_URB(urb,usb_dev,pipe,(unsigned char*)data,len,   /* build urb */
> +     FILL_BULK_URB(urb,dev,pipe,(unsigned char*)data,len,   /* build urb */
>                       (usb_complete_t)usb_api_blocking_completion,0);
>  
>       return usb_start_wait_urb(urb,timeout,actual_length);
> @@ -671,6 +679,11 @@
>       urb_t *urb;
>       api_wrapper_data *awd;
>  
> +     if ((!dev) || (pipe == -1)) {
> +             printk(KERN_CRIT "Someone passed NULL to usb_request_bulk\n" );
> +             return NULL;
> +     }
> +
>       if (!(urb=usb_alloc_urb(0)))
>               return NULL;
>       if (!(awd = kmalloc(sizeof(api_wrapper_data), in_interrupt() ? GFP_ATOMIC : 
>GFP_KERNEL))) {
> @@ -699,6 +712,10 @@
>  int usb_terminate_bulk(struct usb_device *dev, void *first)
>  {
>       urb_t *urb=(urb_t*)first;
> +
> +     if (!dev)
> +             return -EINVAL;
> +
>       dbg("usb_terminate_bulk: urb:%p",urb);
>       if (!urb) // none found? there is nothing to remove!
>               return -ENODEV;
> @@ -746,6 +763,7 @@
>       urb_t *urb;
>       unsigned int maxsze = usb_maxpacket(dev, pipe, usb_pipeout(pipe));
>  
> +     CHECK;
>       *handle = NULL;
>       
>       //dbg("irq: dev:%p pipe:%08X handler:%p period:%d dev_id:%p max:%d", dev, 
>pipe, handler, period, dev_id, maxsze);
> @@ -807,7 +825,7 @@
>       int     err;
>       urb_t *urb = (urb_t*)handle;
>  
> -     if (!urb)
> +     if ((!urb) || (!dev))
>               return -EBADF;
>       err=usb_unlink_urb(urb);
>       kfree(urb->context);
> @@ -1460,6 +1478,7 @@
>       __u16 status;
>       int endp=usb_pipeendpoint(pipe)|(usb_pipein(pipe)<<7);
>  
> +     CHECK;
>  /*
>       if (!usb_endpoint_halted(dev, endp & 0x0f, usb_endpoint_out(endp)))
>               return 0;
> --- clean/include/linux/usb.h Sat Mar 25 22:47:44 2000
> +++ linux/include/linux/usb.h Mon Mar 27 23:46:13 2000
> @@ -688,11 +688,15 @@
>  
>  static inline unsigned int __create_pipe(struct usb_device *dev, unsigned int 
>endpoint)
>  {
> +     if (!dev)
> +             return -1;
>       return (dev->devnum << 8) | (endpoint << 15) | (dev->slow << 26) | 
>dev->maxpacketsize;
>  }
>  
>  static inline unsigned int __default_pipe(struct usb_device *dev)
>  {
> +     if (!dev)
> +             return -1;
>       return (dev->slow << 26);
>  }
>  
> 
> 

-- 
Matthew Dharm                              Home: [EMAIL PROTECTED] 
Engineer, Qualcomm, Inc.                         Work: [EMAIL PROTECTED]

It was a new hope.
                                        -- Dust Puppy
User Friendly, 12/25/1998


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to