Message ID | 20200214122328.24987-1-vigneshr@ti.com |
---|---|
State | New |
Series | usb: dwc3: Check that the request is valid in dwc3_gadget_giveback() |

On 2/14/20 1:23 PM, Vignesh Raghavendra wrote:
> From: Jean-Jacques Hiblot <jjhiblot at ti.com>
>
> This fixes potential issues reported by klokworks:
> Pointer 'req' returned from call to function 'next_request' at line 531 and
> 538 may be NULL and will be dereferenced in dwc3_gadget_giveback()

Shouldn't you rather handle the issue in dwc3_remove_requests() ?
Also, please explain what conditions trigger this issue, i.e. when req becomes NULL.

On 15/02/20 12:03 am, Marek Vasut wrote:
> On 2/14/20 1:23 PM, Vignesh Raghavendra wrote:
>> From: Jean-Jacques Hiblot <jjhiblot at ti.com>
>>
>> This fixes potential issues reported by klokworks:
>> Pointer 'req' returned from call to function 'next_request' at line 531 and
>> 538 may be NULL and will be dereferenced in dwc3_gadget_giveback()
>
> Shouldn't you rather handle the issue in dwc3_remove_requests() ?
> Also, please explain what conditions trigger this issue, i.e. when req
> becomes NULL.
>

There is already a check for list_empty() before calling next_request() in dwc3_remove_requests() which makes sure that 'req' will not be NULL. So this report is a false positive. Please ignore the patch. Sorry for the trouble.

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 4353dffb6b12..12de3b1da663 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -227,6 +227,9 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req, { struct dwc3 *dwc = dep->dwc; + if (!req) + return; + if (req->queued) { dep->busy_slot++; /*
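
Review bot: the `if (!req) return;` added at the top of dwc3_gadget_giveback() silently swallows a NULL request, which would hide a caller bug instead of surfacing it. The commit message cites the static-analysis finding but names no condition under which next_request() actually returns NULL, and the follow-up in this thread states that dwc3_remove_requests() already checks list_empty() before calling next_request(), so the guard is unreachable from that path. I would drop the hunk; if a defensive check is still wanted, describe the triggering case in the commit message and report the NULL (for example with a warning) instead of returning quietly.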