On Wed, Aug 10, 2016 at 02:20:18PM +0300, Felipe Balbi wrote:
> 
> Hi,
> 
> Peter Chen <hzpeterc...@gmail.com> writes:
> > On Fri, Jul 01, 2016 at 03:33:30PM +0800, Peter Chen wrote:
> >> skb is checked for null pointer at above code, so skb might be null.
> >> eem_wrap uses it without checking null pointer, fix it by adding null
> >> pointer check.
> >> 
> >> Signed-off-by: Peter Chen <peter.c...@nxp.com>
> >> ---
> >>  drivers/usb/gadget/function/u_ether.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >> 
> >> diff --git a/drivers/usb/gadget/function/u_ether.c 
> >> b/drivers/usb/gadget/function/u_ether.c
> >> index 5f562c1..2bc8823 100644
> >> --- a/drivers/usb/gadget/function/u_ether.c
> >> +++ b/drivers/usb/gadget/function/u_ether.c
> >> @@ -549,7 +549,7 @@ static netdev_tx_t eth_start_xmit(struct sk_buff *skb,
> >>            unsigned long   flags;
> >>  
> >>            spin_lock_irqsave(&dev->lock, flags);
> >> -          if (dev->port_usb)
> >> +          if (dev->port_usb && skb)
> >>                    skb = dev->wrap(dev->port_usb, skb);
> >>            spin_unlock_irqrestore(&dev->lock, flags);
> >>            if (!skb) {
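Review bot: The added `&& skb` condition in eth_start_xmit() skips dev->wrap() for every function driver, not only EEM, so a wrap callback that expects to be invoked with a NULL skb never runs; the follow-up in this thread names ncm as that case. Keep the call site as `if (dev->port_usb)` and put the NULL check inside the wrap callbacks that dereference skb unconditionally, such as eem_wrap().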
> >> -- 
> >
> > Felipe, please do not queue this patch, it will break the ncm function,
> > for which the socket buffer may be NULL.
> >
> > If you are ok with the below changes, I will submit a patch:
> >
> > diff --git a/drivers/usb/gadget/function/f_eem.c 
> > b/drivers/usb/gadget/function/f_eem.c
> > index d58bfc3..5e0db68 100644
> > --- a/drivers/usb/gadget/function/f_eem.c
> > +++ b/drivers/usb/gadget/function/f_eem.c
> > @@ -341,11 +341,15 @@ static struct sk_buff *eem_wrap(struct gether *port, 
> > struct sk_buff *skb)
> >  {
> >     struct sk_buff  *skb2 = NULL;
> >     struct usb_ep   *in = port->in_ep;
> > -   int             padlen = 0;
> > +   int             headroom, tailroom, padlen = 0;
> >     u16             len = skb->len;
> >  
> > -   int headroom = skb_headroom(skb);
> > -   int tailroom = skb_tailroom(skb);
> > +   if (!skb)
> > +           return NULL;
> > +
> > +   len = skb->len;
> > +   headroom = skb_headroom(skb);
> > +   tailroom = skb_tailroom(skb);
> >  
> >     /* When (len + EEM_HLEN + ETH_FCS_LEN) % in->maxpacket) is 0,
> >      * stick two bytes of zero-length EEM packet on the end.
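Review bot: The unchanged declaration `u16 len = skb->len;` at the top of eem_wrap() still dereferences skb before the new `if (!skb)` check, so a NULL skb is read before it is tested. The hunk already adds `len = skb->len;` after the check, so change the declaration to a plain `u16 len;` and let that assignment be the only read.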
> > diff --git a/drivers/usb/gadget/function/f_rndis.c 
> > b/drivers/usb/gadget/function/f_rndis.c
> > index c800582..16562e4 100644
> > --- a/drivers/usb/gadget/function/f_rndis.c
> > +++ b/drivers/usb/gadget/function/f_rndis.c
> > @@ -374,6 +374,9 @@ static struct sk_buff *rndis_add_header(struct gether 
> > *port,
> >  {
> >     struct sk_buff *skb2;
> >  
> > +   if (!skb)
> > +           return NULL;
> > +
> >     skb2 = skb_realloc_headroom(skb, sizeof(struct rndis_packet_msg_type));
> >     rndis_add_hdr(skb2);
> >
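Review bot: The new `if (!skb)` early return in rndis_add_header() carries no comment explaining when the wrap callback is called with a NULL skb, and the same applies to the check added in eem_wrap(). A one-line comment, or a sentence in the commit message stating that eth_start_xmit() can pass NULL to dev->wrap(), would keep a later cleanup from removing these checks as dead code.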
> 
> looks okay to me. Patch 1/3 and 2/3 are still fine, right?
> 

Yes, I will send v2 and append these two.

-- 

Best Regards,
Peter Chen
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
