Re: [Qemu-trivial] [PATCH 9/9] hcd-musb: fix dereference null return value
From: Gonglei
Subject: Re: [Qemu-trivial] [PATCH 9/9] hcd-musb: fix dereference null return value
Date: Mon, 17 Nov 2014 20:55:15 +0800
User-agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
On 2014/11/17 19:18, Gonglei wrote:
> On 2014/11/17 18:58, Paolo Bonzini wrote:
>
>>
>>
>> On 15/11/2014 11:06, address@hidden wrote:
>>> From: Gonglei <address@hidden>
>>>
>>> Signed-off-by: Gonglei <address@hidden>
>>> ---
>>> hw/usb/hcd-musb.c | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/hw/usb/hcd-musb.c b/hw/usb/hcd-musb.c
>>> index 66bc61a..f2cb73c 100644
>>> --- a/hw/usb/hcd-musb.c
>>> +++ b/hw/usb/hcd-musb.c
>>> @@ -624,6 +624,10 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
>>>
>>> /* A wild guess on the FADDR semantics... */
>>> dev = usb_find_device(&s->port, ep->faddr[idx]);
>>> + if (!dev) {
>>> + TRACE("Do not find an usb device");
>>> + return;
>>> + }
>>> uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
>>> usb_packet_setup(&ep->packey[dir].p, pid, uep, 0,
>>> (dev->addr << 16) | (uep->nr << 8) | pid, false,
>>> true);
>>>
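Review bot: the early return added after usb_find_device() in this hunk is not where the NULL dereference happens. usb_ep_get() and the packet core already accept a NULL device, so the only unguarded use of `dev` is `(dev->addr << 16)` in the usb_packet_setup() argument a few lines below, and that expression is what needs the check. Bailing out here also drops the transfer before usb_packet_setup() and the rest of musb_packet() run, so none of the endpoint state below this hunk is updated for the failed transfer. Minor: the trace string `TRACE("Do not find an usb device");` would read better as `TRACE("no USB device found");`.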
>>
>> I think this patch is not the real fix. usb_ep_get and
>> usb_handle_packet can deal with a NULL device, but we have to avoid
>> dereferencing NULL pointers when building the id.
>>
>
> Good catch :)
>
>> Paolo
>>
>> diff --git a/hw/usb/hcd-musb.c b/hw/usb/hcd-musb.c
>> index 66bc61a..40809f6 100644
>> --- a/hw/usb/hcd-musb.c
>> +++ b/hw/usb/hcd-musb.c
>> @@ -608,6 +608,7 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
>> USBDevice *dev;
>> USBEndpoint *uep;
>> int idx = epnum && dir;
>> + int id;
>> int ttype;
>>
>> /* ep->type[0,1] contains:
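Review bot: the new `int id;` local is assigned only in the next hunk and then passed straight to usb_packet_setup(); declaring it with the same type as that function's id parameter would avoid an implicit conversion of the packed `(addr << 16) | (nr << 8) | pid` value. Style point only; the declaration itself is fine.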
>> @@ -625,8 +626,11 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
>> /* A wild guess on the FADDR semantics... */
>> dev = usb_find_device(&s->port, ep->faddr[idx]);
>> uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
>> - usb_packet_setup(&ep->packey[dir].p, pid, uep, 0,
>> - (dev->addr << 16) | (uep->nr << 8) | pid, false, true);
>> + id = pid;
>> + if (uep) {
>> + id |= (dev->addr << 16) | (uep->nr << 8);
>> + }
>> + usb_packet_setup(&ep->packey[dir].p, pid, uep, 0, id, false, true);
>> usb_packet_addbuf(&ep->packey[dir].p, ep->buf[idx], len);
>> ep->packey[dir].ep = ep;
>> ep->packey[dir].dir = dir;
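Review bot: the guard `if (uep)` protects `dev->addr` only because usb_ep_get() returns NULL whenever `dev` is NULL, which the reply above states but the code does not make explicit. A one-line comment on the guard, or checking `dev` directly since that is the pointer being dereferenced, would keep a later change to usb_ep_get() from silently reintroducing the crash. For an unresolved endpoint the id collapses to the bare pid, which is acceptable because the id is only a tag for the packet, and `uep` is still handed to usb_packet_setup() unchanged.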
>
> This is a good approach, id is just an identifier. Thanks,
>
Let me split the patch from this series as a separate patch
and add Paolo's Signed-off-by.
Asking for Gerd's review. Thanks.
Best regards,
-Gonglei
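As an added illustration, not code from this thread or from QEMU, the following stand-alone C model reproduces the failure mode Paolo describes: a device lookup that can return NULL, an endpoint lookup that tolerates a NULL device by returning NULL, and an id-building expression that must not dereference the missing device. The type names, the `find_device()`/`ep_get()` stand-ins and the device table are assumptions constructed for the example; `build_id()` mirrors the shape of the second patch, and `build_id_unchecked()` is the unguarded form it replaces.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the QEMU USB device and endpoint types (assumed). */
typedef struct { int addr; } Dev;
typedef struct { Dev *dev; int nr; } Endpoint;

/* Constructed table: two devices at USB addresses 1 and 2, one endpoint each. */
static Dev devices[] = { { 1 }, { 2 } };
static Endpoint endpoints[] = { { &devices[0], 3 }, { &devices[1], 5 } };

/* Model of usb_find_device(): NULL when nothing answers to faddr. */
static Dev *find_device(int faddr)
{
    for (size_t i = 0; i < sizeof(devices) / sizeof(devices[0]); i++) {
        if (devices[i].addr == faddr) {
            return &devices[i];
        }
    }
    return NULL;
}

/* Model of usb_ep_get(): copes with a NULL device by returning NULL
   (assumption matching the thread's statement that the core handles it). */
static Endpoint *ep_get(Dev *dev, int ep_num)
{
    if (!dev) {
        return NULL;
    }
    for (size_t i = 0; i < sizeof(endpoints) / sizeof(endpoints[0]); i++) {
        if (endpoints[i].dev == dev && endpoints[i].nr == ep_num) {
            return &endpoints[i];
        }
    }
    return NULL;
}

/* Unguarded form: dereferences both pointers, so a failed lookup crashes here.
   Only safe once dev and uep are known to be non-NULL. */
static uint32_t build_id_unchecked(Dev *dev, Endpoint *uep, int pid)
{
    return ((uint32_t)dev->addr << 16) | ((uint32_t)uep->nr << 8) | (uint32_t)pid;
}

/* Guarded form in the shape of the second patch: the id is only a tag, so the
   address/endpoint bits are added only when an endpoint was actually resolved.
   A non-NULL uep implies a non-NULL dev because ep_get() returns NULL for NULL dev. */
static uint32_t build_id(Dev *dev, Endpoint *uep, int pid)
{
    uint32_t id = (uint32_t)pid;
    if (uep) {
        id |= ((uint32_t)dev->addr << 16) | ((uint32_t)uep->nr << 8);
    }
    return id;
}

/* Entry point modelled on the lookup sequence in musb_packet():
   returns the id that would be handed to the packet setup call. */
static uint32_t packet_id(int faddr, int ep_num, int pid)
{
    Dev *dev = find_device(faddr);
    Endpoint *uep = ep_get(dev, ep_num);
    return build_id(dev, uep, pid);
}

int main(void)
{
    /* Known device and endpoint: both forms agree. */
    printf("resolved:   0x%x\n", packet_id(1, 3, 0x69));
    printf("unchecked:  0x%x\n", build_id_unchecked(&devices[0], &endpoints[0], 0x69));
    /* Unknown address: find_device() returns NULL, id degrades to the bare pid. */
    printf("no device:  0x%x\n", packet_id(9, 3, 0x69));
    /* Known device but no such endpoint: same degradation, no dereference. */
    printf("no endpoint: 0x%x\n", packet_id(1, 7, 0x69));
    return 0;
}
```

The point of the model is the invariant the guard relies on: `build_id()` tests `uep` but dereferences `dev`, which is only sound while the endpoint lookup never returns an endpoint for a NULL device.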