From: Chunfeng Yun <chunfeng.yun@mediatek.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Matthias Brugger <matthias.bgg@gmail.com>,
Markus Elfring <Markus.Elfring@web.de>,
Chunfeng Yun <chunfeng.yun@mediatek.com>,
<linux-usb@vger.kernel.org>,
<linux-arm-kernel@lists.infradead.org>,
<linux-mediatek@lists.infradead.org>,
<linux-kernel@vger.kernel.org>
Subject: [V2 PATCH] usb: mtu3: fix NULL pointer dereference
Date: Tue, 30 Jun 2020 15:42:22 +0800 [thread overview]
Message-ID: <1593502942-24455-1-git-send-email-chunfeng.yun@mediatek.com> (raw)
Some pointers are dereferenced before successful checks.
Reported-by: Markus Elfring <Markus.Elfring@web.de>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
---
v2: nothing changed, but abandon another patch
---
drivers/usb/mtu3/mtu3_gadget.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
index f93732e..1689ca8 100644
--- a/drivers/usb/mtu3/mtu3_gadget.c
+++ b/drivers/usb/mtu3/mtu3_gadget.c
@@ -332,14 +332,21 @@ static int mtu3_gadget_queue(struct usb_ep *ep,
static int mtu3_gadget_dequeue(struct usb_ep *ep, struct usb_request *req)
{
- struct mtu3_ep *mep = to_mtu3_ep(ep);
- struct mtu3_request *mreq = to_mtu3_request(req);
+ struct mtu3_ep *mep;
+ struct mtu3_request *mreq;
struct mtu3_request *r;
+ struct mtu3 *mtu;
unsigned long flags;
int ret = 0;
- struct mtu3 *mtu = mep->mtu;
- if (!ep || !req || mreq->mep != mep)
+ if (!ep || !req)
+ return -EINVAL;
+
+ mep = to_mtu3_ep(ep);
+ mtu = mep->mtu;
+
+ mreq = to_mtu3_request(req);
+ if (mreq->mep != mep)
return -EINVAL;
dev_dbg(mtu->dev, "%s : req=%p\n", __func__, req);
@@ -373,8 +380,8 @@ static int mtu3_gadget_dequeue(struct usb_ep *ep, struct usb_request *req)
*/
static int mtu3_gadget_ep_set_halt(struct usb_ep *ep, int value)
{
- struct mtu3_ep *mep = to_mtu3_ep(ep);
- struct mtu3 *mtu = mep->mtu;
+ struct mtu3_ep *mep;
+ struct mtu3 *mtu;
struct mtu3_request *mreq;
unsigned long flags;
int ret = 0;
@@ -382,6 +389,9 @@ static int mtu3_gadget_ep_set_halt(struct usb_ep *ep, int value)
if (!ep)
return -EINVAL;
+ mep = to_mtu3_ep(ep);
+ mtu = mep->mtu;
+
dev_dbg(mtu->dev, "%s : %s...", __func__, ep->name);
spin_lock_irqsave(&mtu->lock, flags);
@@ -422,11 +432,12 @@ static int mtu3_gadget_ep_set_halt(struct usb_ep *ep, int value)
/* Sets the halt feature with the clear requests ignored */
static int mtu3_gadget_ep_set_wedge(struct usb_ep *ep)
{
- struct mtu3_ep *mep = to_mtu3_ep(ep);
+ struct mtu3_ep *mep;
if (!ep)
return -EINVAL;
+ mep = to_mtu3_ep(ep);
mep->wedged = 1;
return usb_ep_set_halt(ep);
--
1.9.1
WARNING: multiple messages have this Message-ID (diff)
From: Chunfeng Yun <chunfeng.yun@mediatek.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
Chunfeng Yun <chunfeng.yun@mediatek.com>,
linux-mediatek@lists.infradead.org,
Matthias Brugger <matthias.bgg@gmail.com>,
Markus Elfring <Markus.Elfring@web.de>,
linux-arm-kernel@lists.infradead.org
Subject: [V2 PATCH] usb: mtu3: fix NULL pointer dereference
Date: Tue, 30 Jun 2020 15:42:22 +0800 [thread overview]
Message-ID: <1593502942-24455-1-git-send-email-chunfeng.yun@mediatek.com> (raw)
Some pointers are dereferenced before successful checks.
Reported-by: Markus Elfring <Markus.Elfring@web.de>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
---
v2: nothing changed, but abandon another patch
---
drivers/usb/mtu3/mtu3_gadget.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
index f93732e..1689ca8 100644
--- a/drivers/usb/mtu3/mtu3_gadget.c
+++ b/drivers/usb/mtu3/mtu3_gadget.c
@@ -332,14 +332,21 @@ static int mtu3_gadget_queue(struct usb_ep *ep,
static int mtu3_gadget_dequeue(struct usb_ep *ep, struct usb_request *req)
{
- struct mtu3_ep *mep = to_mtu3_ep(ep);
- struct mtu3_request *mreq = to_mtu3_request(req);
+ struct mtu3_ep *mep;
+ struct mtu3_request *mreq;
struct mtu3_request *r;
+ struct mtu3 *mtu;
unsigned long flags;
int ret = 0;
- struct mtu3 *mtu = mep->mtu;
- if (!ep || !req || mreq->mep != mep)
+ if (!ep || !req)
+ return -EINVAL;
+
+ mep = to_mtu3_ep(ep);
+ mtu = mep->mtu;
+
+ mreq = to_mtu3_request(req);
+ if (mreq->mep != mep)
return -EINVAL;
dev_dbg(mtu->dev, "%s : req=%p\n", __func__, req);
@@ -373,8 +380,8 @@ static int mtu3_gadget_dequeue(struct usb_ep *ep, struct usb_request *req)
*/
static int mtu3_gadget_ep_set_halt(struct usb_ep *ep, int value)
{
- struct mtu3_ep *mep = to_mtu3_ep(ep);
- struct mtu3 *mtu = mep->mtu;
+ struct mtu3_ep *mep;
+ struct mtu3 *mtu;
struct mtu3_request *mreq;
unsigned long flags;
int ret = 0;
@@ -382,6 +389,9 @@ static int mtu3_gadget_ep_set_halt(struct usb_ep *ep, int value)
if (!ep)
return -EINVAL;
+ mep = to_mtu3_ep(ep);
+ mtu = mep->mtu;
+
dev_dbg(mtu->dev, "%s : %s...", __func__, ep->name);
spin_lock_irqsave(&mtu->lock, flags);
@@ -422,11 +432,12 @@ static int mtu3_gadget_ep_set_halt(struct usb_ep *ep, int value)
/* Sets the halt feature with the clear requests ignored */
static int mtu3_gadget_ep_set_wedge(struct usb_ep *ep)
{
- struct mtu3_ep *mep = to_mtu3_ep(ep);
+ struct mtu3_ep *mep;
if (!ep)
return -EINVAL;
+ mep = to_mtu3_ep(ep);
mep->wedged = 1;
return usb_ep_set_halt(ep);
--
1.9.1
_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek
WARNING: multiple messages have this Message-ID (diff)
From: Chunfeng Yun <chunfeng.yun@mediatek.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
Chunfeng Yun <chunfeng.yun@mediatek.com>,
linux-mediatek@lists.infradead.org,
Matthias Brugger <matthias.bgg@gmail.com>,
Markus Elfring <Markus.Elfring@web.de>,
linux-arm-kernel@lists.infradead.org
Subject: [V2 PATCH] usb: mtu3: fix NULL pointer dereference
Date: Tue, 30 Jun 2020 15:42:22 +0800 [thread overview]
Message-ID: <1593502942-24455-1-git-send-email-chunfeng.yun@mediatek.com> (raw)
Some pointers are dereferenced before successful checks.
Reported-by: Markus Elfring <Markus.Elfring@web.de>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
---
v2: nothing changed, but abandon another patch
---
drivers/usb/mtu3/mtu3_gadget.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
index f93732e..1689ca8 100644
--- a/drivers/usb/mtu3/mtu3_gadget.c
+++ b/drivers/usb/mtu3/mtu3_gadget.c
@@ -332,14 +332,21 @@ static int mtu3_gadget_queue(struct usb_ep *ep,
static int mtu3_gadget_dequeue(struct usb_ep *ep, struct usb_request *req)
{
- struct mtu3_ep *mep = to_mtu3_ep(ep);
- struct mtu3_request *mreq = to_mtu3_request(req);
+ struct mtu3_ep *mep;
+ struct mtu3_request *mreq;
struct mtu3_request *r;
+ struct mtu3 *mtu;
unsigned long flags;
int ret = 0;
- struct mtu3 *mtu = mep->mtu;
- if (!ep || !req || mreq->mep != mep)
+ if (!ep || !req)
+ return -EINVAL;
+
+ mep = to_mtu3_ep(ep);
+ mtu = mep->mtu;
+
+ mreq = to_mtu3_request(req);
+ if (mreq->mep != mep)
return -EINVAL;
dev_dbg(mtu->dev, "%s : req=%p\n", __func__, req);
@@ -373,8 +380,8 @@ static int mtu3_gadget_dequeue(struct usb_ep *ep, struct usb_request *req)
*/
static int mtu3_gadget_ep_set_halt(struct usb_ep *ep, int value)
{
- struct mtu3_ep *mep = to_mtu3_ep(ep);
- struct mtu3 *mtu = mep->mtu;
+ struct mtu3_ep *mep;
+ struct mtu3 *mtu;
struct mtu3_request *mreq;
unsigned long flags;
int ret = 0;
@@ -382,6 +389,9 @@ static int mtu3_gadget_ep_set_halt(struct usb_ep *ep, int value)
if (!ep)
return -EINVAL;
+ mep = to_mtu3_ep(ep);
+ mtu = mep->mtu;
+
dev_dbg(mtu->dev, "%s : %s...", __func__, ep->name);
spin_lock_irqsave(&mtu->lock, flags);
@@ -422,11 +432,12 @@ static int mtu3_gadget_ep_set_halt(struct usb_ep *ep, int value)
/* Sets the halt feature with the clear requests ignored */
static int mtu3_gadget_ep_set_wedge(struct usb_ep *ep)
{
- struct mtu3_ep *mep = to_mtu3_ep(ep);
+ struct mtu3_ep *mep;
if (!ep)
return -EINVAL;
+ mep = to_mtu3_ep(ep);
mep->wedged = 1;
return usb_ep_set_halt(ep);
--
1.9.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next reply other threads:[~2020-06-30 7:43 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-30 7:42 Chunfeng Yun [this message]
2020-06-30 7:42 ` [V2 PATCH] usb: mtu3: fix NULL pointer dereference Chunfeng Yun
2020-06-30 7:42 ` Chunfeng Yun
2020-06-30 10:47 ` [PATCH v2] usb: mtu3: Fix NULL pointer dereferences Markus Elfring
2020-06-30 10:47 ` Markus Elfring
2020-06-30 10:47 ` Markus Elfring
2020-06-30 10:47 ` Markus Elfring
2020-07-01 11:58 ` [V2 PATCH] usb: mtu3: fix NULL pointer dereference Greg Kroah-Hartman
2020-07-01 11:58 ` Greg Kroah-Hartman
2020-07-01 11:58 ` Greg Kroah-Hartman
2020-07-02 2:52 ` Chunfeng Yun
2020-07-02 2:52 ` Chunfeng Yun
2020-07-02 2:52 ` Chunfeng Yun
2020-07-09 6:42 ` Felipe Balbi
2020-07-09 6:42 ` Felipe Balbi
2020-07-09 6:42 ` Felipe Balbi
2020-07-09 6:40 ` Felipe Balbi
2020-07-09 6:40 ` Felipe Balbi
2020-07-09 6:40 ` Felipe Balbi
2020-07-09 7:05 ` Chunfeng Yun
2020-07-09 7:05 ` Chunfeng Yun
2020-07-09 7:05 ` Chunfeng Yun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1593502942-24455-1-git-send-email-chunfeng.yun@mediatek.com \
--to=chunfeng.yun@mediatek.com \
--cc=Markus.Elfring@web.de \
--cc=felipe.balbi@linux.intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-usb@vger.kernel.org \
--cc=matthias.bgg@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.