Message ID | 1652861570-102489-1-git-send-email-lyz_cs@pku.edu.cn |
---|---|
State | New |
Series | usb: cdns3: Fix potential dereference of NULL pointer |
> -----Original Messages-----
> From: "Greg KH" <gregkh@linuxfoundation.org>
> Sent Time: 2022-05-20 00:07:17 (Friday)
> To: "Yongzhi Liu" <lyz_cs@pku.edu.cn>
> Cc: peter.chen@kernel.org, pawell@cadence.com, rogerq@kernel.org, a-govindraju@ti.com, felipe.balbi@linux.intel.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, fuyq@stu.pku.edu.cn
> Subject: Re: [PATCH] usb: cdns3: Fix potential dereference of NULL pointer
>
> On Wed, May 18, 2022 at 01:12:50AM -0700, Yongzhi Liu wrote:
> > The return value of cdns3_gadget_ep_alloc_request()
> > needs to be checked to avoid use of NULL pointer
> > in case of an allocation failure.
> >
> > Fixes: 7733f6c32e36f ("usb: cdns3: Add Cadence USB3 DRD Driver")
> >
> > Signed-off-by: Yongzhi Liu <lyz_cs@pku.edu.cn>
>
> Again, no blank line and use the full width for your text.
>
> > --- > > drivers/usb/cdns3/cdns3-gadget.c | 6 +++++- > > 1 file changed, 5 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c > > index 5d8c982..7be328e 100644 > > --- a/drivers/usb/cdns3/cdns3-gadget.c > > +++ b/drivers/usb/cdns3/cdns3-gadget.c 
> > @@ -2568,6 +2568,10 @@ static int cdns3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request, > > struct cdns3_request *priv_req; > > > > zlp_request = cdns3_gadget_ep_alloc_request(ep, GFP_ATOMIC); > > + if (!zlp_request) { > > + ret = -ENOMEM; > > + goto err; > > + }
>
> How did you test this that the if the allocation fails this will clean
> up properly?
>

I found this with a static analyzer based on frequency and similarity, which reports many null ptr deref bugs. In cdns3/cdns3-gadget.c, I find that we usually check the return value when calling the function 'cdns3_gadget_ep_alloc_request'. If 'zcalloc' in 'cdns3_gadget_ep_alloc_request' fails, the allocation will return NULL. Therefore, I think we should add NULL checks here. I will resubmit a new patch if you think the bug is real. Thanks for your reply and advice.

> thanks,
>
> greg k-h
diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c index 5d8c982..7be328e 100644 --- a/drivers/usb/cdns3/cdns3-gadget.c +++ b/drivers/usb/cdns3/cdns3-gadget.c @@ -2568,6 +2568,10 @@ static int cdns3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request, struct cdns3_request *priv_req; zlp_request = cdns3_gadget_ep_alloc_request(ep, GFP_ATOMIC); + if (!zlp_request) { + ret = -ENOMEM; + goto err; + } zlp_request->buf = priv_dev->zlp_buf; zlp_request->length = 0; @@ -2578,7 +2582,7 @@ static int cdns3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request, priv_ep->name); ret = __cdns3_gadget_ep_queue(ep, zlp_request, gfp_flags); } - +err: spin_unlock_irqrestore(&priv_dev->lock, flags); return ret; }
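Review bot: in the first hunk, the new `if (!zlp_request)` branch overwrites `ret` with -ENOMEM and jumps to the unlock, but the visible context does not show what cdns3_gadget_ep_queue() has already done under priv_dev->lock before this allocation. If the caller's own request has been queued by that point, returning -ENOMEM reports a failure for a request that stays queued, and the caller may free or resubmit it. The commit message should state what has happened before `cdns3_gadget_ep_alloc_request(ep, GFP_ATOMIC)` and why a bare `goto err` needs no unwinding, or the branch should undo that work. The allocation is GFP_ATOMIC, so this path is reachable under memory pressure and is worth exercising with fault injection rather than relying on the static-analysis finding alone.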
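Review bot: in the second hunk, the `err:` label sits directly before `spin_unlock_irqrestore(&priv_dev->lock, flags);`, which is the function's only exit, so the success path falls through it too. A name such as `unlock:` or `out:` describes what the label does. The hunk also replaces the blank line after the closing brace with the label; keep a blank line before the label so the exit path stays visually separate from the block above it.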
The return value of cdns3_gadget_ep_alloc_request()
needs to be checked to avoid use of NULL pointer
in case of an allocation failure.

Fixes: 7733f6c32e36f ("usb: cdns3: Add Cadence USB3 DRD Driver")

Signed-off-by: Yongzhi Liu <lyz_cs@pku.edu.cn>
---
 drivers/usb/cdns3/cdns3-gadget.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)