Message ID | 20190729090428.29508-1-baijiaju1990@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Series | usb: musb: Fix a possible null-pointer dereference in musb_handle_intr_connect() |
On Mon, Jul 29, 2019 at 05:04:28PM +0800, Jia-Ju Bai wrote:
> In musb_handle_intr_connect(), there is an if statement on line 783 to
> check whether musb->hcd is NULL:
>     if (musb->hcd)
>
> When musb->hcd is NULL, it is used on line 797:
>     musb_host_poke_root_hub(musb);
>         if (musb->hcd->status_urb)
>
> Thus, a possible null-pointer dereference may occur.
>
> To fix this bug, musb->hcd is checked before calling
> musb_host_poke_root_hub().
>
> This bug is found by a static analysis tool STCheck written by us.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>

Applied. Thanks.

-Bin.
diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c index 9f5a4819a744..329ff52f8167 100644 --- a/drivers/usb/musb/musb_core.c +++ b/drivers/usb/musb/musb_core.c @@ -794,7 +794,8 @@ static void musb_handle_intr_connect(struct musb *musb, u8 devctl, u8 int_usb) break; } - musb_host_poke_root_hub(musb); + if (musb->hcd) + musb_host_poke_root_hub(musb); musb_dbg(musb, "CONNECT (%s) devctl %02x", usb_otg_state_string(musb->xceiv->otg->state), devctl);
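Review bot: the new `if (musb->hcd)` guard in front of `musb_host_poke_root_hub(musb)` protects only this one call site in musb_handle_intr_connect(), while the dereference the commit message describes (`musb->hcd->status_urb`) is inside musb_host_poke_root_hub() itself. Placing the NULL check at the top of musb_host_poke_root_hub() would cover any other caller as well and keep the invariant in one place. The commit message would also be more durable if it named the constructs rather than citing lines 783 and 797, which go stale as the file changes, and if it carried a Fixes: tag so the change can be tracked for backporting. Because the report comes from static analysis, it is worth stating whether musb->hcd can actually be NULL at runtime when this connect interrupt path is reached, or whether the guard is purely defensive.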
In musb_handle_intr_connect(), there is an if statement on line 783 to
check whether musb->hcd is NULL:
    if (musb->hcd)

When musb->hcd is NULL, it is used on line 797:
    musb_host_poke_root_hub(musb);
        if (musb->hcd->status_urb)

Thus, a possible null-pointer dereference may occur.

To fix this bug, musb->hcd is checked before calling
musb_host_poke_root_hub().

This bug is found by a static analysis tool STCheck written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
 drivers/usb/musb/musb_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)