From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756387AbbCCM6u (ORCPT <rfc822;w@1wt.eu>);
	Tue, 3 Mar 2015 07:58:50 -0500
Received: from mail-pd0-f172.google.com ([209.85.192.172]:45650 "EHLO
	mail-pd0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752490AbbCCM6t (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 3 Mar 2015 07:58:49 -0500
Date: Tue, 3 Mar 2015 18:28:42 +0530
From: Tapasweni Pathak <tapaswenipathak@gmail.com>
To: balbi@ti.com, gregkh@linuxfoundation.org, peter.chen@freescale.com,
        jg1.han@samsung.com, benoit.taine@lip6.fr, linux-usb@vger.kernel.org,
        linux-kernel@vger.kernel.org
Cc: julia.lawall@lip6.fr, tapaswenipathak@gmail.com
Subject: [PATCH] drivers: usb: gadget: udc: Fix NULL dereference
Message-ID: <20150303125841.GA9671@kt-Inspiron-3542>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch fixes multiple instances of null pointer dereference in this code.

ep->udc is assigned to udc. ep is just an offset from _ep. _ep is then
checked for NULL. udc is dereferenced under the NULL check for _ep, making
an invalid pointer reference.

udc is then checked for NULL, if NULL, it is then dereferenced as
udc->dev.

To fix these issues, shift assignment of udc by dereferencing ep after
null check for _ep, replace both dev_dbg statements with pr_debug.

Found using Coccinelle.

Signed-off-by: Tapasweni Pathak <tapaswenipathak@gmail.com>
Suggested-by : Julia Lawall <julia.lawall@lip6.fr>
Reviewed-by : Julia Lawall <julia.lawall@lip6.fr>
---
 drivers/usb/gadget/udc/lpc32xx_udc.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c
index 27fd413..6398539 100644
--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
+++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
@@ -1807,17 +1807,16 @@ static int lpc32xx_ep_queue(struct usb_ep *_ep,
 	    !list_empty(&req->queue))
 		return -EINVAL;

-	udc = ep->udc;
-
 	if (!_ep) {
-		dev_dbg(udc->dev, "invalid ep\n");
+		pr_debug("invalid ep\n");
 		return -EINVAL;
 	}

+	udc = ep->udc;

 	if ((!udc) || (!udc->driver) ||
 	    (udc->gadget.speed == USB_SPEED_UNKNOWN)) {
-		dev_dbg(udc->dev, "invalid device\n");
+		pr_debug("invalid device\n");
 		return -EINVAL;
 	}

--
1.7.9.5