[PATCH v3 1/4] usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()

2014-10-30 Thread Yoshihiro Shimoda
From: Kazuya Mizuguchi kazuya.mizuguchi...@renesas.com

This patch fixes an issue that the NULL pointer dereference happens
when we use the g_audio driver. Since the g_audio driver will call
usb_ep_disable() in afunc_set_alt() before it calls usb_ep_enable(),
the uep->pipe of the renesas usbhs driver will be NULL. So, this patch
adds a condition to avoid the oops.

Signed-off-by: Kazuya Mizuguchi kazuya.mizuguchi...@renesas.com
Signed-off-by: Takeshi Kihara takeshi.kihara...@renesas.com
Signed-off-by: Yoshihiro Shimoda yoshihiro.shimoda...@renesas.com
Cc: sta...@vger.kernel.org
---
 drivers/usb/renesas_usbhs/mod_gadget.c |3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c 
b/drivers/usb/renesas_usbhs/mod_gadget.c
index 2d17c10..2d0903f 100644
--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -602,6 +602,9 @@ static int usbhsg_ep_disable(struct usb_ep *ep)
struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
 
+   if (!uep || !uep-pipe)
+   return -EINVAL;
+
usbhsg_pipe_disable(uep);
usbhs_pipe_free(pipe);
 
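Review bot: the `!uep` operand of the added check is not a useful test and runs too late, because the two context lines above it already derive `uep` from `ep` and pass it to usbhsg_uep_to_pipe() to initialise `pipe` before the condition is evaluated. The local `pipe` already holds the value being tested, so `if (!pipe)` states the condition directly; if a NULL argument is a real concern, test `ep` before either conversion. The commit message says g_audio calls usb_ep_disable() before usb_ep_enable() from afunc_set_alt(), so a one-line comment on the check noting that a never-enabled endpoint is expected here, and why it returns -EINVAL for that case, would help the next reader.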
-- 
1.7.9.5

--
To unsubscribe from this list: send the line unsubscribe linux-usb in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH v3 1/4] usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()

2014-10-30 Thread Felipe Balbi
On Thu, Oct 30, 2014 at 07:30:16PM +0900, Yoshihiro Shimoda wrote:
 From: Kazuya Mizuguchi kazuya.mizuguchi...@renesas.com
 
 This patch fixes an issue that the NULL pointer dereference happens
 when we use the g_audio driver. Since the g_audio driver will call
 usb_ep_disable() in afunc_set_alt() before it calls usb_ep_enable(),
 the uep->pipe of the renesas usbhs driver will be NULL. So, this patch
 adds a condition to avoid the oops.
 
 Signed-off-by: Kazuya Mizuguchi kazuya.mizuguchi...@renesas.com
 Signed-off-by: Takeshi Kihara takeshi.kihara...@renesas.com
 Signed-off-by: Yoshihiro Shimoda yoshihiro.shimoda...@renesas.com
 Cc: sta...@vger.kernel.org
 ---
  drivers/usb/renesas_usbhs/mod_gadget.c |3 +++
  1 file changed, 3 insertions(+)
 
 diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c 
 b/drivers/usb/renesas_usbhs/mod_gadget.c
 index 2d17c10..2d0903f 100644
 --- a/drivers/usb/renesas_usbhs/mod_gadget.c
 +++ b/drivers/usb/renesas_usbhs/mod_gadget.c
 @@ -602,6 +602,9 @@ static int usbhsg_ep_disable(struct usb_ep *ep)
   struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
   struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
  
 + if (!uep || !uep-pipe)

how can uep ever be NULL ? Look at the definition of usbhsg_ep_to_uep():

#define usbhsg_ep_to_uep(e) container_of(e, struct usbhsg_uep, ep)

how can a container_of() ever return NULL ? What you should check is
ep (the argument to this function) being NULL.

-- 
balbi
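
The container_of() point raised in the review above, as an added user-space example that is not part of the original thread or the driver: the structures, field layout and `model_*` names are hypothetical stand-ins, and the guard order combines the `ep` check and the `if (!pipe)` check proposed in the replies.

```c
/* Added illustration: user-space model, not the renesas_usbhs driver code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct model_pipe { int in_use; };
struct model_ep   { const char *name; };

/* Hypothetical layout: the embedded ep is NOT the first member. */
struct model_uep {
	struct model_pipe *pipe;   /* NULL until the endpoint is enabled */
	struct model_ep ep;
};

/* Same arithmetic as container_of(): member address minus member offset.
 * Done on uintptr_t so the NULL case can be evaluated without a dereference. */
static struct model_uep *model_ep_to_uep(struct model_ep *ep)
{
	return (struct model_uep *)((uintptr_t)ep - offsetof(struct model_uep, ep));
}

/* Guard order discussed in the thread: the argument first, then the pipe. */
static int model_ep_disable(struct model_ep *ep)
{
	struct model_uep *uep;

	if (!ep)                   /* the argument is what can actually be NULL */
		return -EINVAL;
	uep = model_ep_to_uep(ep);
	if (!uep->pipe)            /* disable called before enable */
		return -EINVAL;
	uep->pipe->in_use = 0;
	uep->pipe = NULL;
	return 0;
}

int main(void)
{
	struct model_pipe pipe = { 1 };
	struct model_uep uep = { NULL, { "ep1in" } };

	printf("uep from NULL ep is NULL? %d\n", model_ep_to_uep(NULL) == NULL);
	printf("disable before enable: %d\n", model_ep_disable(&uep.ep));
	uep.pipe = &pipe;
	printf("disable after enable:  %d\n", model_ep_disable(&uep.ep));
	return 0;
}
```

Because the converted pointer is just the member address minus a constant offset, a NULL `ep` yields a non-NULL, invalid `uep`, so a `!uep` test never catches it.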




RE: [PATCH v3 1/4] usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()

2014-10-30 Thread yoshihiro shimoda
 On Thu, Oct 30, 2014 at 07:30:16PM +0900, Yoshihiro Shimoda wrote:
  From: Kazuya Mizuguchi kazuya.mizuguchi...@renesas.com
 
  This patch fixes an issue that the NULL pointer dereference happens
  when we use the g_audio driver. Since the g_audio driver will call
  usb_ep_disable() in afunc_set_alt() before it calls usb_ep_enable(),
  the uep->pipe of the renesas usbhs driver will be NULL. So, this patch
  adds a condition to avoid the oops.
 
  Signed-off-by: Kazuya Mizuguchi kazuya.mizuguchi...@renesas.com
  Signed-off-by: Takeshi Kihara takeshi.kihara...@renesas.com
  Signed-off-by: Yoshihiro Shimoda yoshihiro.shimoda...@renesas.com
  Cc: sta...@vger.kernel.org
  ---
   drivers/usb/renesas_usbhs/mod_gadget.c |3 +++
   1 file changed, 3 insertions(+)
 
  diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c
  b/drivers/usb/renesas_usbhs/mod_gadget.c
  index 2d17c10..2d0903f 100644
  --- a/drivers/usb/renesas_usbhs/mod_gadget.c
  +++ b/drivers/usb/renesas_usbhs/mod_gadget.c
  @@ -602,6 +602,9 @@ static int usbhsg_ep_disable(struct usb_ep *ep)
  struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
  struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
 
  +   if (!uep || !uep-pipe)
 
 how can uep ever be NULL ? Look at the definition of usbhsg_ep_to_uep():
 
   #define usbhsg_ep_to_uep(e) container_of(e, struct usbhsg_uep, ep)
 
 how can a container_of() ever return NULL ? What you should check is ep
 (the argument to this function) being NULL.

Thank you for the point.
Morimoto-san also pointed out this code at v1 patch. But I forgot to fix it...
We can change the if (!uep || !uep->pipe) to if (!pipe).

I will fix this patch.

Best regards,
Yoshihiro Shimoda



Re: [PATCH v3 1/4] usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()

2014-10-30 Thread Felipe Balbi
On Fri, Oct 31, 2014 at 12:06:06AM +, yoshihiro shimoda wrote:
  On Thu, Oct 30, 2014 at 07:30:16PM +0900, Yoshihiro Shimoda wrote:
   From: Kazuya Mizuguchi kazuya.mizuguchi...@renesas.com
  
   This patch fixes an issue that the NULL pointer dereference happens
   when we use the g_audio driver. Since the g_audio driver will call
   usb_ep_disable() in afunc_set_alt() before it calls usb_ep_enable(),
   the uep->pipe of the renesas usbhs driver will be NULL. So, this patch
   adds a condition to avoid the oops.
  
   Signed-off-by: Kazuya Mizuguchi kazuya.mizuguchi...@renesas.com
   Signed-off-by: Takeshi Kihara takeshi.kihara...@renesas.com
   Signed-off-by: Yoshihiro Shimoda yoshihiro.shimoda...@renesas.com
   Cc: sta...@vger.kernel.org
   ---
drivers/usb/renesas_usbhs/mod_gadget.c |3 +++
1 file changed, 3 insertions(+)
  
   diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c
   b/drivers/usb/renesas_usbhs/mod_gadget.c
   index 2d17c10..2d0903f 100644
   --- a/drivers/usb/renesas_usbhs/mod_gadget.c
   +++ b/drivers/usb/renesas_usbhs/mod_gadget.c
   @@ -602,6 +602,9 @@ static int usbhsg_ep_disable(struct usb_ep *ep)
 struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep);
 struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep);
  
   + if (!uep || !uep-pipe)
  
  how can uep ever be NULL ? Look at the definition of
  usbhsg_ep_to_uep():
  
  #define usbhsg_ep_to_uep(e) container_of(e, struct usbhsg_uep, ep)
  
  how can a container_of() ever return NULL ? What you should check is
  ep (the argument to this function) being NULL.
 
 Thank you for the point.
 Morimoto-san also pointed out this code at v1 patch. But I forgot to fix it...
 We can change the if (!uep || !uep->pipe) to if (!pipe).

alright, I'll wait for a new version. Thank you

-- 
balbi

