
[RFC] musb_bulk_rx_nak_timeout()

Message ID bc62efc8-77f5-3243-87a8-1a5bbfb6237a@gmx.de
State Deferred
Delegated to: Tom Rini

Commit Message

Heinrich Schuchardt April 5, 2021, 12:06 a.m. UTC
Hello Marek,

the code in musb_bulk_rx_nak_timeout() looks fishy:

dma may be set to NULL and dereferenced afterwards.

The following change would avoid the NULL dereference but I am not deep
enough into the code to evaluate what is intended here:

                         musb->dma_controller->channel_abort(dma);
                         urb->actual_length += dma->actual_len;

Best regards

Heinrich

Comments

Marek Vasut April 5, 2021, 12:33 p.m. UTC | #1
On 4/5/21 2:06 AM, Heinrich Schuchardt wrote:
> Hello Marek,

Hi,

> the code in musb_bulk_rx_nak_timeout() looks fishy:
> 
> dma may be set to NULL and dereferenced afterwards.
> 
> The following change would avoid the NULL dereference but I am not deep
> enough into the code to evaluate what is intended here:
> 
> diff --git a/drivers/usb/musb-new/musb_host.c
> b/drivers/usb/musb-new/musb_host.c
> index acb2d40f3b..f495a23d57 100644
> --- a/drivers/usb/musb-new/musb_host.c
> +++ b/drivers/usb/musb-new/musb_host.c
> @@ -1409,7 +1409,7 @@ static void musb_bulk_rx_nak_timeout(struct musb
> *musb, struct musb_hw_ep *ep)
>         cur_qh = first_qh(&musb->in_bulk);
>         if (cur_qh) {
>                 urb = next_urb(cur_qh);
> -               if (dma_channel_status(dma) == MUSB_DMA_STATUS_BUSY) {
> +               if (dma && dma_channel_status(dma) ==
> MUSB_DMA_STATUS_BUSY) {
>                         dma->status = MUSB_DMA_STATUS_CORE_ABORT;
>                         musb->dma_controller->channel_abort(dma);
>                         urb->actual_length += dma->actual_len;
> 
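
Review bot: The `dma &&` guard on the changed `if` line protects the three `dma` dereferences inside the branch, but it also means `channel_abort()` and the `urb->actual_length += dma->actual_len` accounting are silently skipped when there is no channel. The commit message should state which path leaves `dma` NULL and whether skipping both is the intended behaviour in that case. In the same branch `urb` from `next_urb(cur_qh)` is dereferenced without a check; it is worth confirming that it cannot be NULL here, or covering it in the same condition.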

I don't have any musb hardware, expanding CC to people who might be able 
to take a look.

Patch

diff --git a/drivers/usb/musb-new/musb_host.c
b/drivers/usb/musb-new/musb_host.c
index acb2d40f3b..f495a23d57 100644
--- a/drivers/usb/musb-new/musb_host.c
+++ b/drivers/usb/musb-new/musb_host.c
@@ -1409,7 +1409,7 @@  static void musb_bulk_rx_nak_timeout(struct musb
*musb, struct musb_hw_ep *ep)
         cur_qh = first_qh(&musb->in_bulk);
         if (cur_qh) {
                 urb = next_urb(cur_qh);
-               if (dma_channel_status(dma) == MUSB_DMA_STATUS_BUSY) {
+               if (dma && dma_channel_status(dma) ==
MUSB_DMA_STATUS_BUSY) {
                         dma->status = MUSB_DMA_STATUS_CORE_ABORT;
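
Review bot: The patch has been line-wrapped by the mail client: the `@@` hunk header and the added `if (dma && dma_channel_status(dma) ==` line each continue on a following line that carries no diff prefix, so it will not apply with `git am` as posted. Resend it with `git send-email` or with wrapping disabled, and if the condition is too long for one line, break it in the source so that each part carries its own `+` marker.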