2013-03-08 12:53:51

by Oskar Andero

Subject: [RFC PATCH 0/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

Hi,

When going through our patches to be mainlined I stumbled on this one which
we have fixed in many different ways internally.

The problem is a NULL pointer dereference that can be triggered by disconnecting
the USB cable at a specific time.

Before submitting the final patch I would like to hear which solution you'd
prefer. As I see it there are four different ways to fix the problem:

1) Remove the ERROR() call completely.
2) Add an if-statement on cdev in rndis_response_complete() and use pr_err() or
ERROR().
3) Globally update the ERROR() macro to handle the case where cdev is null.
4) Use the attached patch (RFC PATCH 1/1) where ERROR() is simply replaced with pr_err().

Thanks!

-Oskar

Truls Bengtsson (1):
usb: f_rndis: Avoid to use ERROR macro if cdev can be null

drivers/usb/gadget/f_rndis.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

--
1.7.8.6


2013-03-08 12:53:55

by Oskar Andero

Subject: [RFC PATCH 1/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

From: Truls Bengtsson <[email protected]>

The udc_irq service runs the isr_tr_complete_handler which in turn
"nukes" the endpoints, including a call to rndis_response_complete,
if appropriate. If the rndis_msg_parser fails here, an error will
be printed using a dev_err call (through the ERROR() macro).

However, if the usb cable was just disconnected the device (cdev)
might not be available and will be null. Since the dev_err macro will
dereference the cdev pointer we get a null pointer exception.

Reviewed-by: Radovan Lekanovic <[email protected]>
Signed-off-by: Truls Bengtsson <[email protected]>
Signed-off-by: Oskar Andero <[email protected]>
---
drivers/usb/gadget/f_rndis.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/f_rndis.c b/drivers/usb/gadget/f_rndis.c
index 71beeb8..41b5ebd 100644
--- a/drivers/usb/gadget/f_rndis.c
+++ b/drivers/usb/gadget/f_rndis.c
@@ -6,6 +6,7 @@
* Copyright (C) 2008 Nokia Corporation
* Copyright (C) 2009 Samsung Electronics
* Author: Michal Nazarewicz ([email protected])
+ * Copyright (C) 2013 Sony Mobile Communications AB.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
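Review bot: The copyright line added to the header comment is out of proportion to a two-line logging change and touches a region unrelated to the fix; drop `+ * Copyright (C) 2013 Sony Mobile Communications AB.` and keep the patch to the functional change in rndis_command_complete(), otherwise the whole series risks being rejected on this hunk alone.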
@@ -447,14 +448,13 @@ static void rndis_response_complete(struct usb_ep *ep, struct usb_request *req)
static void rndis_command_complete(struct usb_ep *ep, struct usb_request *req)
{
struct f_rndis *rndis = req->context;
- struct usb_composite_dev *cdev = rndis->port.func.config->cdev;
int status;

/* received RNDIS command from USB_CDC_SEND_ENCAPSULATED_COMMAND */
// spin_lock(&dev->lock);
status = rndis_msg_parser(rndis->config, (u8 *) req->buf);
if (status < 0)
- ERROR(cdev, "RNDIS command error %d, %d/%d\n",
+ pr_err("RNDIS command error %d, %d/%d\n",
status, req->actual, req->length);
// spin_unlock(&dev->lock);
}
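Review bot: The function modified here is rndis_command_complete() (the `@@` header names rndis_response_complete only as the preceding context), and rndis_msg_parser() is called from it, yet the commit message attributes the crashing ERROR() call to rndis_response_complete; align the description with what the hunk changes. Replacing `ERROR(cdev, ...)` with `pr_err(...)` does avoid the dereference of a NULL cdev, but it also drops the device name that dev_err() prefixed, so the log line no longer identifies which gadget instance failed; an identifier that does not go through cdev, such as `ep->name` from the callback's own argument, would keep the message useful. Since the description says the completion can run after the cable is gone, it is also worth stating why `rndis->config` and `req->buf`, which this path still touches, are valid at that point while cdev is not.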
--
1.7.8.6

2013-03-08 19:57:10

by Sergei Shtylyov

Subject: Re: [RFC PATCH 1/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

Hello.

On 08-03-2013 16:53, [email protected] wrote:

> From: Truls Bengtsson <[email protected]>

> The udc_irq service runs the isr_tr_complete_handler which in turn
> "nukes" the endpoints, including a call to rndis_response_complete,
> if appropriate. If the rndis_msg_parser fails here, an error will
> be printed using a dev_err call (through the ERROR() macro).

> However, if the usb cable was just disconnected the device (cdev)
> might not be available and will be null. Since the dev_err macro will
> dereference the cdev pointer we get a null pointer exception.

> Reviewed-by: Radovan Lekanovic <[email protected]>
> Signed-off-by: Truls Bengtsson <[email protected]>
> Signed-off-by: Oskar Andero <[email protected]>
> ---
> drivers/usb/gadget/f_rndis.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)

> diff --git a/drivers/usb/gadget/f_rndis.c b/drivers/usb/gadget/f_rndis.c
> index 71beeb8..41b5ebd 100644
> --- a/drivers/usb/gadget/f_rndis.c
> +++ b/drivers/usb/gadget/f_rndis.c
> @@ -6,6 +6,7 @@
> * Copyright (C) 2008 Nokia Corporation
> * Copyright (C) 2009 Samsung Electronics
> * Author: Michal Nazarewicz ([email protected])
> + * Copyright (C) 2013 Sony Mobile Communications AB.

Your change seems too insignificant to add a copyright.

WBR, Sergei

2013-03-08 20:16:05

by Greg Kroah-Hartman

Subject: Re: [RFC PATCH 1/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

On Fri, Mar 08, 2013 at 11:56:26PM +0400, Sergei Shtylyov wrote:
> Hello.
>
> On 08-03-2013 16:53, [email protected] wrote:
>
> >From: Truls Bengtsson <[email protected]>
>
> >The udc_irq service runs the isr_tr_complete_handler which in turn
> >"nukes" the endpoints, including a call to rndis_response_complete,
> >if appropriate. If the rndis_msg_parser fails here, an error will
> >be printed using a dev_err call (through the ERROR() macro).
>
> >However, if the usb cable was just disconnected the device (cdev)
> >might not be available and will be null. Since the dev_err macro will
> >dereference the cdev pointer we get a null pointer exception.
>
> >Reviewed-by: Radovan Lekanovic <[email protected]>
> >Signed-off-by: Truls Bengtsson <[email protected]>
> >Signed-off-by: Oskar Andero <[email protected]>
> >---
> > drivers/usb/gadget/f_rndis.c | 4 ++--
> > 1 files changed, 2 insertions(+), 2 deletions(-)
>
> >diff --git a/drivers/usb/gadget/f_rndis.c b/drivers/usb/gadget/f_rndis.c
> >index 71beeb8..41b5ebd 100644
> >--- a/drivers/usb/gadget/f_rndis.c
> >+++ b/drivers/usb/gadget/f_rndis.c
> >@@ -6,6 +6,7 @@
> > * Copyright (C) 2008 Nokia Corporation
> > * Copyright (C) 2009 Samsung Electronics
> > * Author: Michal Nazarewicz ([email protected])
> >+ * Copyright (C) 2013 Sony Mobile Communications AB.
>
> Your change seems too insignificant to add a copyright.

You are right, it legally is. Truls, please consult your company's
lawyers if you have questions about this, you can not assert copyright
over a file for a 2 line change, that's not allowed at all in any
jurisdiction I know of.

Because of that, I can not accept this change, sorry.

greg k-h

2013-03-18 08:28:14

by Oskar Andero

Subject: Re: [RFC PATCH 1/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

On 21:16 Fri 08 Mar , Greg Kroah-Hartman wrote:
> On Fri, Mar 08, 2013 at 11:56:26PM +0400, Sergei Shtylyov wrote:
> > Hello.
> >
> > On 08-03-2013 16:53, [email protected] wrote:
> >
> > >From: Truls Bengtsson <[email protected]>
> >
> > >The udc_irq service runs the isr_tr_complete_handler which in turn
> > >"nukes" the endpoints, including a call to rndis_response_complete,
> > >if appropriate. If the rndis_msg_parser fails here, an error will
> > >be printed using a dev_err call (through the ERROR() macro).
> >
> > >However, if the usb cable was just disconnected the device (cdev)
> > >might not be available and will be null. Since the dev_err macro will
> > >dereference the cdev pointer we get a null pointer exception.
> >
> > >Reviewed-by: Radovan Lekanovic <[email protected]>
> > >Signed-off-by: Truls Bengtsson <[email protected]>
> > >Signed-off-by: Oskar Andero <[email protected]>
> > >---
> > > drivers/usb/gadget/f_rndis.c | 4 ++--
> > > 1 files changed, 2 insertions(+), 2 deletions(-)
> >
> > >diff --git a/drivers/usb/gadget/f_rndis.c b/drivers/usb/gadget/f_rndis.c
> > >index 71beeb8..41b5ebd 100644
> > >--- a/drivers/usb/gadget/f_rndis.c
> > >+++ b/drivers/usb/gadget/f_rndis.c
> > >@@ -6,6 +6,7 @@
> > > * Copyright (C) 2008 Nokia Corporation
> > > * Copyright (C) 2009 Samsung Electronics
> > > * Author: Michal Nazarewicz ([email protected])
> > >+ * Copyright (C) 2013 Sony Mobile Communications AB.
> >
> > Your change seems too insignificant to add a copyright.
>
> You are right, it legally is. Truls, please consult your company's
> lawyers if you have questions about this, you can not assert copyright
> over a file for a 2 line change, that's not allowed at all in any
> jurisdiction I know of.
>
> Because of that, I can not accept this change, sorry.

Thanks for your input, guys, and I totally agree with you! However, I was
expecting more comments on the cover letter, or should I take it that this
solution is acceptable?

-Oskar

2013-03-18 15:17:44

by Greg Kroah-Hartman

Subject: Re: [RFC PATCH 1/1] usb: f_rndis: Avoid to use ERROR macro if cdev can be null

On Mon, Mar 18, 2013 at 09:28:07AM +0100, [email protected] wrote:
> On 21:16 Fri 08 Mar , Greg Kroah-Hartman wrote:
> > On Fri, Mar 08, 2013 at 11:56:26PM +0400, Sergei Shtylyov wrote:
> > > Hello.
> > >
> > > On 08-03-2013 16:53, [email protected] wrote:
> > >
> > > >From: Truls Bengtsson <[email protected]>
> > >
> > > >The udc_irq service runs the isr_tr_complete_handler which in turn
> > > >"nukes" the endpoints, including a call to rndis_response_complete,
> > > >if appropriate. If the rndis_msg_parser fails here, an error will
> > > >be printed using a dev_err call (through the ERROR() macro).
> > >
> > > >However, if the usb cable was just disconnected the device (cdev)
> > > >might not be available and will be null. Since the dev_err macro will
> > > >dereference the cdev pointer we get a null pointer exception.
> > >
> > > >Reviewed-by: Radovan Lekanovic <[email protected]>
> > > >Signed-off-by: Truls Bengtsson <[email protected]>
> > > >Signed-off-by: Oskar Andero <[email protected]>
> > > >---
> > > > drivers/usb/gadget/f_rndis.c | 4 ++--
> > > > 1 files changed, 2 insertions(+), 2 deletions(-)
> > >
> > > >diff --git a/drivers/usb/gadget/f_rndis.c b/drivers/usb/gadget/f_rndis.c
> > > >index 71beeb8..41b5ebd 100644
> > > >--- a/drivers/usb/gadget/f_rndis.c
> > > >+++ b/drivers/usb/gadget/f_rndis.c
> > > >@@ -6,6 +6,7 @@
> > > > * Copyright (C) 2008 Nokia Corporation
> > > > * Copyright (C) 2009 Samsung Electronics
> > > > * Author: Michal Nazarewicz ([email protected])
> > > >+ * Copyright (C) 2013 Sony Mobile Communications AB.
> > >
> > > Your change seems too insignificant to add a copyright.
> >
> > You are right, it legally is. Truls, please consult your company's
> > lawyers if you have questions about this, you can not assert copyright
> > over a file for a 2 line change, that's not allowed at all in any
> > jurisdiction I know of.
> >
> > Because of that, I can not accept this change, sorry.
>
> Thanks for your input guys and I totally agree with you! However, I was
> expecting more comments on the cover-letter, or should I take it that this
> solution is acceptable?

I don't remember, please resend the series after fixing the issues
pointed out.

greg k-h