qemu-trivial
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-trivial] [PATCH 9/9] hcd-musb: fix dereference null return val

From: Gonglei
Subject: Re: [Qemu-trivial] [PATCH 9/9] hcd-musb: fix dereference null return value
Date: Mon, 17 Nov 2014 20:55:15 +0800
User-agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20120327 Thunderbird/11.0.1 
On 2014/11/17 19:18, Gonglei wrote:

> On 2014/11/17 18:58, Paolo Bonzini wrote:
> 
>>
>>
>> On 15/11/2014 11:06, address@hidden wrote:
>>> From: Gonglei <address@hidden>
>>>
>>> Signed-off-by: Gonglei <address@hidden>
>>> ---
>>>  hw/usb/hcd-musb.c | 4 ++++
>>>  1 file changed, 4 insertions(+)
>>>
>>> diff --git a/hw/usb/hcd-musb.c b/hw/usb/hcd-musb.c
>>> index 66bc61a..f2cb73c 100644
>>> --- a/hw/usb/hcd-musb.c
>>> +++ b/hw/usb/hcd-musb.c
>>> @@ -624,6 +624,10 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
>>>  
>>>      /* A wild guess on the FADDR semantics... */
>>>      dev = usb_find_device(&s->port, ep->faddr[idx]);
>>> +    if (!dev) {
>>> +        TRACE("Do not find an usb device");
>>> +        return;
>>> +    }
>>>      uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
>>>      usb_packet_setup(&ep->packey[dir].p, pid, uep, 0,
>>>                       (dev->addr << 16) | (uep->nr << 8) | pid, false, 
>>> true);
>>>
>>
>> I think this patch is not the real fix.  usb_ep_get and
>> usb_handle_packet can deal with a NULL device, but we have to avoid 
>> dereferencing NULL pointers when building the id.
>>
> 
> Good catch :)
> 
>> Paolo
>>
>> diff --git a/hw/usb/hcd-musb.c b/hw/usb/hcd-musb.c
>> index 66bc61a..40809f6 100644
>> --- a/hw/usb/hcd-musb.c
>> +++ b/hw/usb/hcd-musb.c
>> @@ -608,6 +608,7 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
>>      USBDevice *dev;
>>      USBEndpoint *uep;
>>      int idx = epnum && dir;
>> +    int id;
>>      int ttype;
>>  
>>      /* ep->type[0,1] contains:
>> @@ -625,8 +626,11 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
>>      /* A wild guess on the FADDR semantics... */
>>      dev = usb_find_device(&s->port, ep->faddr[idx]);
>>      uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
>> -    usb_packet_setup(&ep->packey[dir].p, pid, uep, 0,
>> -                     (dev->addr << 16) | (uep->nr << 8) | pid, false, true);
>> +    id = pid;
>> +    if (uep) {
>> +        id |= (dev->addr << 16) | (uep->nr << 8);
>> +    }
>> +    usb_packet_setup(&ep->packey[dir].p, pid, uep, 0, id, false, true);
>>      usb_packet_addbuf(&ep->packey[dir].p, ep->buf[idx], len);
>>      ep->packey[dir].ep = ep;
>>      ep->packey[dir].dir = dir;
> 
> This is a good approach, id is just a identifying. Thanks,
> 

Let me split the patch from this series as a separate patch
and add Paolo's signed-off-by.

Asking for Gerd's reviewing, Thanks.

Best regards,
-Gonglei
reply via email to
[Prev in Thread] Current Thread [Next in Thread]