On Fri, Jul 01, 2016 at 03:33:30PM +0800, Peter Chen wrote:
> skb is checked for null pointer at above code, so skb might be null.
> eem_wrap uses it without checking null pointer, fix it by adding null
> pointer check.
> 
> Signed-off-by: Peter Chen <[email protected]>
> ---
>  drivers/usb/gadget/function/u_ether.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/gadget/function/u_ether.c 
> b/drivers/usb/gadget/function/u_ether.c
> index 5f562c1..2bc8823 100644
> --- a/drivers/usb/gadget/function/u_ether.c
> +++ b/drivers/usb/gadget/function/u_ether.c
> @@ -549,7 +549,7 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb,
>               unsigned long   flags;
>  
>               spin_lock_irqsave(&dev->lock, flags);
> -             if (dev->port_usb)
> +             if (dev->port_usb && skb)
>                       skb = dev->wrap(dev->port_usb, skb);
>               spin_unlock_irqrestore(&dev->lock, flags);
>               if (!skb) {
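
Review bot: The `&& skb` condition on the `dev->wrap` call sits in the shared `eth_start_xmit()` path, so it stops every function's wrap callback from being invoked with a NULL skb, not only `eem_wrap`, which is the one the commit message names. If any wrap callback relies on being called with NULL, this changes its behaviour. Putting the NULL check inside the callbacks that dereference skb would keep the fix local to them.
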
> -- 

Felipe, please do not queue this patch; it will break the ncm function,
for which the socket buffer may be NULL.

If you are OK with the changes below, I will submit a patch:

diff --git a/drivers/usb/gadget/function/f_eem.c 
b/drivers/usb/gadget/function/f_eem.c
index d58bfc3..5e0db68 100644
--- a/drivers/usb/gadget/function/f_eem.c
+++ b/drivers/usb/gadget/function/f_eem.c
@@ -341,11 +341,15 @@ static struct sk_buff *eem_wrap(struct gether *port, 
struct sk_buff *skb)
 {
        struct sk_buff  *skb2 = NULL;
        struct usb_ep   *in = port->in_ep;
-       int             padlen = 0;
+       int             headroom, tailroom, padlen = 0;
        u16             len = skb->len;
 
-       int headroom = skb_headroom(skb);
-       int tailroom = skb_tailroom(skb);
+       if (!skb)
+               return NULL;
+
+       len = skb->len;
+       headroom = skb_headroom(skb);
+       tailroom = skb_tailroom(skb);
 
        /* When (len + EEM_HLEN + ETH_FCS_LEN) % in->maxpacket) is 0,
         * stick two bytes of zero-length EEM packet on the end.
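
Review bot: The unchanged context line `u16 len = skb->len;` still dereferences skb in its initializer, before the new `if (!skb)` check runs, so a NULL skb still faults at the declaration. Drop the initializer (`u16 len;`) and rely on the added `len = skb->len;` that follows the check.
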
diff --git a/drivers/usb/gadget/function/f_rndis.c 
b/drivers/usb/gadget/function/f_rndis.c
index c800582..16562e4 100644
--- a/drivers/usb/gadget/function/f_rndis.c
+++ b/drivers/usb/gadget/function/f_rndis.c
@@ -374,6 +374,9 @@ static struct sk_buff *rndis_add_header(struct gether *port,
 {
        struct sk_buff *skb2;
 
+       if (!skb)
+               return NULL;
+
        skb2 = skb_realloc_headroom(skb, sizeof(struct rndis_packet_msg_type));
        rndis_add_hdr(skb2);
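
Review bot: The new `if (!skb) return NULL;` at the top of `rndis_add_header()` has no comment saying when a NULL skb can reach this callback. A one-line comment naming the case would keep a later cleanup from removing it. In the same context, `skb2` from `skb_realloc_headroom()` is passed to `rndis_add_hdr()` with no check visible in this hunk, so it is worth confirming that helper tolerates NULL.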

-- 

Best Regards,
Peter Chen