[RFC PATCHv2 0/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

[RFC PATCHv2 0/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

[oskar.andero]

Hi,

This is patch version 2. Besides review I hope to get some feed-back on what
the preferred solution is.

Background:

When going through our patches to be mainlined I stumbled on this one which
we have fixed in many different ways internally.

The problem is a NULL pointer dereference that can be triggered by disconnecting
the USB cable at a specific time.

Before submitting the final patch I would like to hear which solution you'd
prefer. As I see it there are four different ways to fix the problem:

1) Remove the ERROR() call completely.
2) Add an if-statement on cdev in rndis_response_complete() and use pr_err() or
   ERROR().
3) Globally update the ERROR() macro to handle the case where cdev is null.
4) Use the attached patch (RFC PATCHv2 1/1) where ERROR() is simply replaced with pr_err().

Thanks!

-Oskar

Truls Bengtsson (1):
  usb: f_rndis: Avoid to use ERROR macro if cdev can be null

 drivers/usb/gadget/f_rndis.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

-- 
1.7.8.6

[RFC PATCHv2 1/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

[oskar.andero]

From: Truls Bengtsson <truls.bengtsson@sonymobile.com>

The udc_irq service runs the isr_tr_complete_handler which in turn
"nukes" the endpoints, including a call to rndis_response_complete,
if appropriate. If the rndis_msg_parser fails here, an error will
be printed using a dev_err call (through the ERROR() macro).

However, if the usb cable was just disconnected the device (cdev)
might not be available and will be null. Since the dev_err macro will
dereference the cdev pointer we get a null pointer exception.

Reviewed-by: Radovan Lekanovic <radovan.lekanovic@sonymobile.com>
Signed-off-by: Truls Bengtsson <truls.bengtsson@sonymobile.com>
Signed-off-by: Oskar Andero <oskar.andero@sonymobile.com>
---
 drivers/usb/gadget/f_rndis.c |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/f_rndis.c b/drivers/usb/gadget/f_rndis.c
index 71beeb8..cc9c49c 100644
--- a/drivers/usb/gadget/f_rndis.c
+++ b/drivers/usb/gadget/f_rndis.c
@@ -447,14 +447,13 @@ static void rndis_response_complete(struct usb_ep *ep, struct usb_request *req)
 static void rndis_command_complete(struct usb_ep *ep, struct usb_request *req)
 {
 	struct f_rndis			*rndis = req->context;
-	struct usb_composite_dev	*cdev = rndis->port.func.config->cdev;
 	int				status;
 
 	/* received RNDIS command from USB_CDC_SEND_ENCAPSULATED_COMMAND */
 //	spin_lock(&dev->lock);
 	status = rndis_msg_parser(rndis->config, (u8 *) req->buf);
 	if (status < 0)
-		ERROR(cdev, "RNDIS command error %d, %d/%d\n",
+		pr_err("RNDIS command error %d, %d/%d\n",
 			status, req->actual, req->length);
 //	spin_unlock(&dev->lock);
 }
-- 
1.7.8.6

Re: [RFC PATCHv2 1/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

[Michal Nazarewicz]

[-- Attachment #1: Type: text/plain, Size: 2149 bytes --]

On Tue, Mar 19 2013, oskar.andero@sonymobile.com wrote:
> The udc_irq service runs the isr_tr_complete_handler which in turn
> "nukes" the endpoints, including a call to rndis_response_complete,
> if appropriate. If the rndis_msg_parser fails here, an error will
> be printed using a dev_err call (through the ERROR() macro).
>
> However, if the usb cable was just disconnected the device (cdev)
> might not be available and will be null. Since the dev_err macro will
> dereference the cdev pointer we get a null pointer exception.
>
> Reviewed-by: Radovan Lekanovic <radovan.lekanovic@sonymobile.com>
> Signed-off-by: Truls Bengtsson <truls.bengtsson@sonymobile.com>
> Signed-off-by: Oskar Andero <oskar.andero@sonymobile.com>

Acked-by: Michal Nazarewicz <mina86@mina86.com>

I think this is the best solution.  Adding if statements around it would
just add noise.

> ---
>  drivers/usb/gadget/f_rndis.c |    3 +--
>  1 files changed, 1 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/gadget/f_rndis.c b/drivers/usb/gadget/f_rndis.c
> index 71beeb8..cc9c49c 100644
> --- a/drivers/usb/gadget/f_rndis.c
> +++ b/drivers/usb/gadget/f_rndis.c
> @@ -447,14 +447,13 @@ static void rndis_response_complete(struct usb_ep *ep, struct usb_request *req)
>  static void rndis_command_complete(struct usb_ep *ep, struct usb_request *req)
>  {
>  	struct f_rndis			*rndis = req->context;
> -	struct usb_composite_dev	*cdev = rndis->port.func.config->cdev;
>  	int				status;
>  
>  	/* received RNDIS command from USB_CDC_SEND_ENCAPSULATED_COMMAND */
>  //	spin_lock(&dev->lock);
>  	status = rndis_msg_parser(rndis->config, (u8 *) req->buf);
>  	if (status < 0)
> -		ERROR(cdev, "RNDIS command error %d, %d/%d\n",
> +		pr_err("RNDIS command error %d, %d/%d\n",
>  			status, req->actual, req->length);
>  //	spin_unlock(&dev->lock);
>  }

-- 
Best regards,                                         _     _
.o. | Liege of Serenely Enlightened Majesty of      o' \,=./ `o
..o | Computer Science,  Michał “mina86” Nazarewicz    (o o)
ooo +----<email/xmpp: mpn@google.com>--------------ooO--(_)--Ooo--

[-- Attachment #2.1: Type: text/plain, Size: 0 bytes --]



[-- Attachment #2.2: Type: application/pgp-signature, Size: 835 bytes --]

Re: [RFC PATCHv2 1/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

[Felipe Balbi]

[-- Attachment #1: Type: text/plain, Size: 1090 bytes --]

On Tue, Mar 19, 2013 at 02:22:56PM +0100, Michal Nazarewicz wrote:
> On Tue, Mar 19 2013, oskar.andero@sonymobile.com wrote:
> > The udc_irq service runs the isr_tr_complete_handler which in turn
> > "nukes" the endpoints, including a call to rndis_response_complete,
> > if appropriate. If the rndis_msg_parser fails here, an error will
> > be printed using a dev_err call (through the ERROR() macro).
> >
> > However, if the usb cable was just disconnected the device (cdev)
> > might not be available and will be null. Since the dev_err macro will
> > dereference the cdev pointer we get a null pointer exception.
> >
> > Reviewed-by: Radovan Lekanovic <radovan.lekanovic@sonymobile.com>
> > Signed-off-by: Truls Bengtsson <truls.bengtsson@sonymobile.com>
> > Signed-off-by: Oskar Andero <oskar.andero@sonymobile.com>
> 
> Acked-by: Michal Nazarewicz <mina86@mina86.com>
> 
> I think this is the best solution.  Adding if statements around it would
> just add noise.

alright, please re-send without RFC tag and with Michal's acked-by so I
can apply.

-- 
balbi

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]