From: Serge Semin
To: richard.leitner@skidata.com, gregkh@linuxfoundation.org, robh+dt@kernel.org, mark.rutland@arm.com
Cc: Sergey.Semin@t-platforms.ru, linux-usb@vger.kernel.org, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org, Serge Semin
Subject: [PATCH 7/9 v2] usb: usb251xb: Fix property_u32 NULL pointer dereference
Date: Sat, 16 Sep 2017 13:42:18 +0300
Message-Id: <20170916104220.3742-8-fancer.lancer@gmail.com>
In-Reply-To: <20170916104220.3742-1-fancer.lancer@gmail.com>
References: <20170915233113.17855-1-fancer.lancer@gmail.com> <20170916104220.3742-1-fancer.lancer@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The methods like of_property_read_u32 utilizing the specified pointer
permit only a pointer to preallocated u32 storage as the third
argument. As a result, the driver crashes on a NULL pointer dereference
if "oc-delay-us" or "power-on-time-ms" is declared in the dts file.

Signed-off-by: Serge Semin
---
 drivers/usb/misc/usb251xb.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/misc/usb251xb.c b/drivers/usb/misc/usb251xb.c index 51cc53ddc..c308b0006 100644 --- a/drivers/usb/misc/usb251xb.c +++ b/drivers/usb/misc/usb251xb.c
@@ -348,7 +348,7 @@ static int usb251xb_get_ofdata(struct usb251xb *hub, struct device *dev = hub->dev; struct device_node *np = dev->of_node; int len, err, i; - u32 *property_u32 = NULL; + u32 property_u32 = 0; const u32 *cproperty_u32; const char *cproperty_char; char str[USB251XB_STRING_BUFSIZE / 2]; @@ -425,16 +425,16 @@ static int usb251xb_get_ofdata(struct usb251xb *hub, if (of_get_property(np, "dynamic-power-switching", NULL)) hub->conf_data2 |= BIT(7); - if (!of_property_read_u32(np, "oc-delay-us", property_u32)) { - if (*property_u32 == 100) { + if (!of_property_read_u32(np, "oc-delay-us", &property_u32)) { + if (property_u32 == 100) { /* 100 us*/ hub->conf_data2 &= ~BIT(5); hub->conf_data2 &= ~BIT(4); - } else if (*property_u32 == 4000) { + } else if (property_u32 == 4000) { /* 4 ms */ hub->conf_data2 &= ~BIT(5); hub->conf_data2 |= BIT(4); - } else if (*property_u32 == 16000) { + } else if (property_u32 == 16000) { /* 16 ms */ hub->conf_data2 |= BIT(5); hub->conf_data2 |= BIT(4); @@ -498,8 +498,8 @@ static int usb251xb_get_ofdata(struct usb251xb *hub, } hub->power_on_time = USB251XB_DEF_POWER_ON_TIME; - if (!of_property_read_u32(np, "power-on-time-ms", property_u32)) - hub->power_on_time = min_t(u8, *property_u32 / 2, 255); + if (!of_property_read_u32(np, "power-on-time-ms", &property_u32)) + hub->power_on_time = min_t(u8, property_u32 / 2, 255); if (of_property_read_u16_array(np, "language-id", &hub->lang_id, 1)) hub->lang_id = USB251XB_DEF_LANGUAGE_ID; -- 2.12.0
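
Review bot: In the first hunk (@@ -348,7 +348,7 @@), the "= 0" initialiser on "u32 property_u32" is not needed. Both reads of the variable in this patch sit inside an "if (!of_property_read_u32(...))" branch, so it is only read after a successful call has stored a value through &property_u32. Dropping the initialiser lets the compiler flag any later change that reads the variable on a path where no property was parsed.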
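
Review bot: In the last hunk (@@ -498,8 +498,8 @@), "min_t(u8, property_u32 / 2, 255)" casts both operands to u8 before comparing, so an out-of-range value is truncated rather than clamped: a "power-on-time-ms" of 600 gives 300, which becomes 44 as a u8 instead of 255. Now that property_u32 is a plain u32, do the comparison in the wider type, for example "min_t(u32, property_u32 / 2, 255)", so the value is clamped to 255 before it is stored in hub->power_on_time.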