2013-03-19 11:12:11

by Oskar Andero

Subject: [RFC PATCHv2 0/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

Hi,

This is patch version 2. Besides review, I hope to get some feedback on what
the preferred solution is.

Background:

When going through our patches to be mainlined I stumbled on this one which
we have fixed in many different ways internally.

The problem is a NULL pointer dereference that can be triggered by disconnecting
the USB cable at a specific time.

Before submitting the final patch I would like to hear which solution you'd
prefer. As I see it there are four different ways to fix the problem:

1) Remove the ERROR() call completely.
2) Add an if-statement on cdev in rndis_response_complete() and use pr_err() or
ERROR().
3) Globally update the ERROR() macro to handle the case where cdev is null.
4) Use the attached patch (RFC PATCHv2 1/1) where ERROR() is simply replaced with pr_err().

Thanks!

-Oskar

Truls Bengtsson (1):
usb: f_rndis: Avoid to use ERROR macro if cdev can be null

drivers/usb/gadget/f_rndis.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)

--
1.7.8.6


2013-03-19 11:12:26

by Oskar Andero

Subject: [RFC PATCHv2 1/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

From: Truls Bengtsson <[email protected]>

The udc_irq service runs the isr_tr_complete_handler which in turn
"nukes" the endpoints, including a call to rndis_response_complete,
if appropriate. If the rndis_msg_parser fails here, an error will
be printed using a dev_err call (through the ERROR() macro).

However, if the usb cable was just disconnected the device (cdev)
might not be available and will be null. Since the dev_err macro will
dereference the cdev pointer we get a null pointer exception.

Reviewed-by: Radovan Lekanovic <[email protected]>
Signed-off-by: Truls Bengtsson <[email protected]>
Signed-off-by: Oskar Andero <[email protected]>
---
drivers/usb/gadget/f_rndis.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/f_rndis.c b/drivers/usb/gadget/f_rndis.c
index 71beeb8..cc9c49c 100644
--- a/drivers/usb/gadget/f_rndis.c
+++ b/drivers/usb/gadget/f_rndis.c
@@ -447,14 +447,13 @@ static void rndis_response_complete(struct usb_ep *ep, struct usb_request *req)
static void rndis_command_complete(struct usb_ep *ep, struct usb_request *req)
{
struct f_rndis *rndis = req->context;
- struct usb_composite_dev *cdev = rndis->port.func.config->cdev;
int status;

/* received RNDIS command from USB_CDC_SEND_ENCAPSULATED_COMMAND */
// spin_lock(&dev->lock);
status = rndis_msg_parser(rndis->config, (u8 *) req->buf);
if (status < 0)
- ERROR(cdev, "RNDIS command error %d, %d/%d\n",
+ pr_err("RNDIS command error %d, %d/%d\n",
status, req->actual, req->length);
// spin_unlock(&dev->lock);
}
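
Review bot: The pr_err() that replaces ERROR() in rndis_command_complete() drops the device prefix, so "RNDIS command error %d, %d/%d" no longer identifies which driver or gadget logged it; consider adding a driver or function prefix (a pr_fmt definition, or "%s: " with __func__) so the line stays attributable in dmesg. The changelog also describes the crash path as going through rndis_response_complete(), while the only function changed here is rndis_command_complete(), which is where rndis_msg_parser() is called; the message should name the function actually touched, and say whether rndis_response_complete() needs the same treatment. Finally, the removed initializer `rndis->port.func.config->cdev` dereferenced config as well as reading cdev, so it would help to state in the changelog which pointer in that chain is NULL at disconnect, since that decides whether the fault was in the initializer or in the dev_err call.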
--
1.7.8.6

2013-03-20 12:51:51

by Felipe Balbi

Subject: Re: [RFC PATCHv2 1/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

On Tue, Mar 19, 2013 at 02:22:56PM +0100, Michal Nazarewicz wrote:
> On Tue, Mar 19 2013, [email protected] wrote:
> > The udc_irq service runs the isr_tr_complete_handler which in turn
> > "nukes" the endpoints, including a call to rndis_response_complete,
> > if appropriate. If the rndis_msg_parser fails here, an error will
> > be printed using a dev_err call (through the ERROR() macro).
> >
> > However, if the usb cable was just disconnected the device (cdev)
> > might not be available and will be null. Since the dev_err macro will
> > dereference the cdev pointer we get a null pointer exception.
> >
> > Reviewed-by: Radovan Lekanovic <[email protected]>
> > Signed-off-by: Truls Bengtsson <[email protected]>
> > Signed-off-by: Oskar Andero <[email protected]>
>
> Acked-by: Michal Nazarewicz <[email protected]>
>
> I think this is the best solution. Adding if statements around it would
> just add noise.

alright, please re-send without RFC tag and with Michal's acked-by so I
can apply.

--
balbi

