LKML Archive on lore.kernel.org
* drivers/usb/misc/iowarrior.c: NULL dereference
From: Adrian Bunk @ 2007-03-19  9:25 UTC
  To: Christian Lucht, Robert Marquardt, Greg Kroah-Hartman
  Cc: linux-usb-devel, linux-kernel

The Coverity checker spotted the following NULL dereference:

<--  snip  -->

...
static ssize_t iowarrior_write(struct file *file,
                               const char __user *user_buffer,
                               size_t count, loff_t *ppos)
{
...
                if (!int_out_urb) {
                        retval = -ENOMEM;
                        dbg("%s Unable to allocate urb ", __func__);
                        goto error;
...
error:
        usb_buffer_free(dev->udev, dev->report_size, buf,
                        int_out_urb->transfer_dma);
...                     ^^^^^^^^^^^^^^^^^^^^^^^^^

<--  snip  -->

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed



* Re: [linux-usb-devel] drivers/usb/misc/iowarrior.c: NULL dereference
From: Oliver Neukum @ 2007-03-19 10:17 UTC
  To: linux-usb-devel
  Cc: Adrian Bunk, Christian Lucht, Robert Marquardt,
	Greg Kroah-Hartman, linux-kernel

On Monday, 19 March 2007 10:25, Adrian Bunk wrote:

> static ssize_t iowarrior_write(struct file *file,
>                                const char __user *user_buffer,
>                                size_t count, loff_t *ppos)
> {
> ...
>                 if (!int_out_urb) {
>                         retval = -ENOMEM;
>                         dbg("%s Unable to allocate urb ", __func__);
>                         goto error;
> ...
> error:
>         usb_buffer_free(dev->udev, dev->report_size, buf,
>                         int_out_urb->transfer_dma);
> ...                     ^^^^^^^^^^^^^^^^^^^^^^^^^

Yes, that's a bug. The fix is compiling.

	Regards
		Oliver


* [PATCH]Re: [linux-usb-devel] drivers/usb/misc/iowarrior.c: NULL dereference
From: Oliver Neukum @ 2007-03-19 10:39 UTC
  To: linux-usb-devel
  Cc: Adrian Bunk, Christian Lucht, Robert Marquardt,
	Greg Kroah-Hartman, linux-kernel

On Monday, 19 March 2007 10:25, Adrian Bunk wrote:
> The Coverity checker spotted the following NULL dereference:

And this fixes an oops upon allocation failures.

	Regards
		Oliver

Signed-off-by: Oliver Neukum <oneukum@suse.de>
-----

--- linux-2.6.21-rc4/drivers/usb/misc/iowarrior.c.alt	2007-03-19 11:05:37.000000000 +0100
+++ linux-2.6.21-rc4/drivers/usb/misc/iowarrior.c	2007-03-19 11:07:30.000000000 +0100
@@ -417,14 +417,14 @@
 		if (!int_out_urb) {
 			retval = -ENOMEM;
 			dbg("%s Unable to allocate urb ", __func__);
-			goto error;
+			goto error_no_urb;
 		}
 		buf = usb_buffer_alloc(dev->udev, dev->report_size,
 				       GFP_KERNEL, &int_out_urb->transfer_dma);
 		if (!buf) {
 			retval = -ENOMEM;
 			dbg("%s Unable to allocate buffer ", __func__);
-			goto error;
+			goto error_no_buffer;
 		}
 		usb_fill_int_urb(int_out_urb, dev->udev,
 				 usb_sndintpipe(dev->udev,
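
Review bot: The changelog's single line, "fixes an oops upon allocation failures", does not say which failure oopsed, and the second change in this hunk (`goto error_no_buffer` when usb_buffer_alloc() returns NULL) is not the case the report pointed at. Before the patch that path reached usb_buffer_free() with buf == NULL rather than dereferencing a NULL int_out_urb, so it would help to name both cases in the commit message: the NULL int_out_urb->transfer_dma read after a failed urb allocation, and the free of a buffer that was never allocated.
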
@@ -459,7 +459,9 @@
 error:
 	usb_buffer_free(dev->udev, dev->report_size, buf,
 			int_out_urb->transfer_dma);
+error_no_buffer:
 	usb_free_urb(int_out_urb);
+error_no_urb:
 	atomic_dec(&dev->write_busy);
 	wake_up_interruptible(&dev->write_wait);
 exit:
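
Review bot: The remaining `error:` label still reads int_out_urb->transfer_dma, so it is only safe to jump there once both the urb and the buffer have been allocated, and nothing in its name says so next to the new `error_no_buffer:` and `error_no_urb:` labels. Consider renaming it to match the other two (for example error_free_buffer, a suggested name) or adding a one-line comment above the ladder stating the unwind order, so that a `goto error` added later before the allocations does not bring the NULL dereference back.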
