RE: [PATCH] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()

From: Pawel Laszczak
Date: Wed Dec 01 2021 - 02:39:26 EST


Only fixed Peter Chen's email address:
peter.chen@xxxxxxx doesn't exist; it should be peter.chen@xxxxxxxxxx

>-----Original Message-----
>From: Pawel Laszczak
>Sent: Wednesday, December 1, 2021 8:28 AM
>To: Zhou Qingyang <zhou1615@xxxxxxx>
>Cc: kjlu@xxxxxxx; Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>; Peter Chen <peter.chen@xxxxxxx>; linux-
>usb@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
>Subject: RE: [PATCH] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()
>
>>
>>In cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring
>>and there is a dereference of it in cdnsp_endpoint_init(), which could
>>lead to a NULL pointer dereference on failure of cdnsp_ring_alloc().
>>
>>Fix this bug by adding a check of pep->ring.
>>
>>This bug was found by a static analyzer. The analysis employs
>>differential checking to identify inconsistent security operations
>>(e.g., checks or kfrees) between two code paths and confirms that the
>>inconsistent operations are not recovered in the current function or
>>the callers, so they constitute bugs.
>>
>>Note that, as a bug found by static analysis, it can be a false
>>positive or hard to trigger. Multiple researchers have cross-reviewed
>>the bug.
>>
>>Builds with CONFIG_USB_CDNSP_GADGET=y show no new warnings,
>>and our static analyzer no longer warns about this code.
>>
>>Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
>>Signed-off-by: Zhou Qingyang <zhou1615@xxxxxxx>
>>---
>> drivers/usb/cdns3/cdnsp-mem.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>>diff --git a/drivers/usb/cdns3/cdnsp-mem.c b/drivers/usb/cdns3/cdnsp-mem.c
>>index ad9aee3f1e39..97866bfb2da9 100644
>>--- a/drivers/usb/cdns3/cdnsp-mem.c
>>+++ b/drivers/usb/cdns3/cdnsp-mem.c
>>@@ -987,6 +987,9 @@ int cdnsp_endpoint_init(struct cdnsp_device *pdev,
>>
>> /* Set up the endpoint ring. */
>> pep->ring = cdnsp_ring_alloc(pdev, 2, ring_type, max_packet, mem_flags);
>>+ if (!pep->ring)
>>+ return -ENOMEM;
>>+
>> pep->skip = false;
>>
>> /* Fill the endpoint context */
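Review bot: the new `return -ENOMEM` right after `pep->ring = cdnsp_ring_alloc(...)` is an early exit from the middle of cdnsp_endpoint_init(), and the hunk's context does not show whether anything set up earlier in the function (state on `pep` or `pdev`) needs to be undone on this path; please confirm the direct return matches how the function's other error returns clean up, or route it through the same unwind they use. Two smaller points: `-ENOMEM` is the right code only if cdnsp_ring_alloc() can fail solely on allocation failure, and since `pep->ring` is left NULL the caller must treat a non-zero return as "endpoint not initialized" and not touch `pep->ring` afterwards.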
>>--
>>2.25.1
>
>
>Acked-by: Pawel Laszczak <pawell@xxxxxxxxxxx>
>
>--
>
>Thanks,
>Pawel Laszczak