usb: dwc3: Check that the request is valid in dwc3_gadget_giveback()
diff mbox series

Message ID 20200214122328.24987-1-vigneshr@ti.com
State New
Delegated to: Marek Vasut
Headers show
Series
  • usb: dwc3: Check that the request is valid in dwc3_gadget_giveback()
Related show

Commit Message

Vignesh Raghavendra Feb. 14, 2020, 12:23 p.m. UTC
From: Jean-Jacques Hiblot <jjhiblot@ti.com>

This fixes potential issues reported by klokworks:
Pointer 'req' returned from call to function 'next_request' at line 531 and
538 may be NULL and will be dereferenced in dwc3_gadget_giveback()

Signed-off-by: Jean-Jacques Hiblot <jjhiblot@ti.com>
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
---
 drivers/usb/dwc3/gadget.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Marek Vasut Feb. 14, 2020, 6:33 p.m. UTC | #1
On 2/14/20 1:23 PM, Vignesh Raghavendra wrote:
> From: Jean-Jacques Hiblot <jjhiblot@ti.com>
> 
> This fixes potential issues reported by klokworks:
> Pointer 'req' returned from call to function 'next_request' at line 531 and
> 538 may be NULL and will be dereferenced in dwc3_gadget_giveback()

Shouldn't you rather handle the issue in dwc3_remove_requests() ?
Also, please explain what conditions trigger this issue, i.e. when req
becomes NULL.
Vignesh Raghavendra Feb. 17, 2020, 4:34 a.m. UTC | #2
On 15/02/20 12:03 am, Marek Vasut wrote:
> On 2/14/20 1:23 PM, Vignesh Raghavendra wrote:
>> From: Jean-Jacques Hiblot <jjhiblot@ti.com>
>>
>> This fixes potential issues reported by klokworks:
>> Pointer 'req' returned from call to function 'next_request' at line 531 and
>> 538 may be NULL and will be dereferenced in dwc3_gadget_giveback()
> 
> Shouldn't you rather handle the issue in dwc3_remove_requests() ?
> Also, please explain what conditions trigger this issue, i.e. when req
> becomes NULL.
> 

There is already a check for list_empty() before calling next_request()
in dwc3_remove_requests() which makes sure that 'req' will not be NULL.
So this report is a false positive.

Please ignore the patch.. Sorry for the trouble

Patch
diff mbox series

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 4353dffb6b12..12de3b1da663 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -227,6 +227,9 @@  void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req,
 {
 	struct dwc3			*dwc = dep->dwc;
 
+	if (!req)
+		return;
+
 	if (req->queued) {
 		dep->busy_slot++;
 		/*