[PATCH] drivers: usb: gadget: udc: Fix NULL dereference

2015-03-03 Thread Tapasweni Pathak
This patch fixes multiple instances of null pointer dereference in this code.

ep->udc is assigned to udc. ep is just an offset from _ep. _ep is then
checked for NULL. udc is dereferenced under the NULL check for _ep, making
an invalid pointer reference.

udc is then checked for NULL; if NULL, it is then dereferenced as
udc->dev.

To fix these issues, shift assignment of udc by dereferencing ep after
null check for _ep, replace both dev_dbg statements with pr_debug.

Found using Coccinelle.

Signed-off-by: Tapasweni Pathak tapaswenipat...@gmail.com
Suggested-by : Julia Lawall julia.law...@lip6.fr
Reviewed-by : Julia Lawall julia.law...@lip6.fr
---
 drivers/usb/gadget/udc/lpc32xx_udc.c |7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c 
b/drivers/usb/gadget/udc/lpc32xx_udc.c
index 27fd413..6398539 100644
--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
+++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
@@ -1807,17 +1807,16 @@ static int lpc32xx_ep_queue(struct usb_ep *_ep,
!list_empty(req-queue))
return -EINVAL;

-   udc = ep-udc;
-
if (!_ep) {
-   dev_dbg(udc-dev, invalid ep\n);
+   pr_debug(invalid ep\n);
return -EINVAL;
}

+   udc = ep-udc;

if ((!udc) || (!udc-driver) ||
(udc-gadget.speed == USB_SPEED_UNKNOWN)) {
-   dev_dbg(udc-dev, invalid device\n);
+   pr_debug(invalid device\n);
return -EINVAL;
}
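Review bot: in the second check, `if ((!udc) || (!udc->driver) || ...`, switching to pr_debug drops the device name even when udc is valid and only the driver is unbound or the speed is unknown. Consider splitting the test so that only the !udc case uses pr_debug and the other two conditions keep dev_dbg(udc->dev, ...). The bare "invalid ep" and "invalid device" messages also no longer say where they come from; including the function name (for example via __func__) would keep the debug output attributable.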

--
1.7.9.5

--
To unsubscribe from this list: send the line unsubscribe linux-usb in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH] usb: gadget: function: Replace GFP_KERNEL with GFP_ATOMIC

2015-02-20 Thread Tapasweni Pathak
To avoid deadlock, do not call blocking functions with spinlocks held.

Replace GFP_KERNEL with GFP_ATOMIC, as the latter will fail if the heap
doesn't have enough free pages but will not sleep and hence deadlock can
be avoided.

Found by Coccinelle.

Signed-off-by: Tapasweni Pathak tapaswenipat...@gmail.com
---
Is there any other way this can be fixed as it is better to avoid GFP_ATOMIC?

 drivers/usb/gadget/function/f_fs.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_fs.c 
b/drivers/usb/gadget/function/f_fs.c
index af98b09..8a25d30 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -823,7 +823,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct 
ffs_io_data *io_data)
}

if (io_data-aio) {
-   req = usb_ep_alloc_request(ep-ep, GFP_KERNEL);
+   req = usb_ep_alloc_request(ep-ep, GFP_ATOMIC);
if (unlikely(!req))
goto error_lock;
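Review bot: at `req = usb_ep_alloc_request(ep->ep, GFP_ATOMIC);` the allocation can now fail under memory pressure where GFP_KERNEL would have waited, so AIO submissions may fail spuriously. The hunk does not show which spinlock is held at this point (only the error_lock label hints at one); the changelog should name it, and a preferable fix would be to allocate the request before taking that lock, or to drop and retake the lock around the allocation, so that GFP_KERNEL can stay. Also confirm that the return value is set to -ENOMEM before `goto error_lock`, since no assignment is visible in these lines.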

--
1.7.9.5
