From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date: Tue, 26 Aug 2014 15:21:37 +0300

> Hello David S. Miller,
>
> The patch 4798248e4e02: "net: Add ops->ndo_xmit_flush()" from Aug 22,
> 2014, leads to the following static checker warning:
>
>     drivers/usb/gadget/function/f_ncm.c:1104 ncm_tx_tasklet()
>     error: NULL dereference inside function.
>
> drivers/usb/gadget/function/f_ncm.c
>   1094  static void ncm_tx_tasklet(unsigned long data)
>   1095  {
>   1096          struct f_ncm *ncm = (void *)data;
>   1097
>   1098          if (ncm->timer_stopping)
>   1099                  return;
>   1100
>   1101          /* Only send if data is available. */
>   1102          if (ncm->skb_tx_data) {
>   1103                  ncm->timer_force_tx = true;
>   1104                  netdev_start_xmit(NULL, ncm->netdev);
>                                           ^^^^
> You can't pass a NULL skb to netdev_start_xmit() or it leads to a NULL
> dereference when we set "skb->xmit_more = 0;" in __netdev_start_xmit().
>
>   1105                  ncm->timer_force_tx = false;
>   1106          }
>   1107  }

Sigh, this code.

The u_ether stuff has an ndo_start_xmit function which is invoked
sometimes with a NULL skb argument, just to trigger the calls to the
dev->wrap() methods which occurs in this eth_start_xmit() routine.

This is really outside of the acceptable call pattern for this method,
and the gadget folks really have to redesign this so that
ndo_start_xmit() behaves and is invoked with proper, sane, arguments.

For now I'll put back the direct invocation of ops->ndo_start_xmit()
but with a huge comment.
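A user-space C model of the call pattern discussed in this thread, added here as an example; it is not kernel code and not code from either author. The structs are simplified stand-ins, the `model_*` names, the byte counters and the return codes are assumptions, and `model_start_xmit_checked()` is a hypothetical fail-closed variant shown only for contrast with the wrapper that writes through `skb` before the handler runs.

```c
#include <stdio.h>
/* User-space model: simplified stand-ins, not the kernel's definitions. */
struct sk_buff { int xmit_more; int len; };
struct net_device;
struct net_device_ops { int (*ndo_start_xmit)(struct sk_buff *, struct net_device *); };
struct net_device { const struct net_device_ops *netdev_ops; int pending, sent; };
enum { XMIT_OK = 0, XMIT_BAD_SKB = -1 };   /* assumed return codes */

/* Handler in the style the reply describes: a NULL skb only triggers a send. */
static int model_eth_start_xmit(struct sk_buff *skb, struct net_device *dev)
{
    if (skb) {
        dev->pending += skb->len;    /* aggregate the frame */
    } else {
        dev->sent += dev->pending;   /* flush what was aggregated */
        dev->pending = 0;
    }
    return XMIT_OK;
}
static const struct net_device_ops model_ops = { model_eth_start_xmit };

/* Wrapper as the report describes it: skb is written before the handler runs,
 * so a NULL skb faults here regardless of what the handler tolerates. */
static int model_start_xmit(struct sk_buff *skb, struct net_device *dev)
{
    skb->xmit_more = 0;
    return dev->netdev_ops->ndo_start_xmit(skb, dev);
}

/* Hypothetical fail-closed variant: reject NULL instead of dereferencing it. */
static int model_start_xmit_checked(struct sk_buff *skb, struct net_device *dev)
{
    return skb ? model_start_xmit(skb, dev) : XMIT_BAD_SKB;
}

/* Direct handler call that bypasses the wrapper, as the reply restores for now. */
static int model_force_tx(struct net_device *dev)
{
    return dev->netdev_ops->ndo_start_xmit(NULL, dev);
}

int main(void)
{
    struct net_device dev = { &model_ops, 0, 0 };
    struct sk_buff skb = { 1, 100 };             /* constructed sample frame */
    model_start_xmit(&skb, &dev);                /* normal path: valid skb */
    int rc = model_start_xmit_checked(NULL, &dev);
    model_force_tx(&dev);                        /* NULL skb, wrapper bypassed */
    printf("checked NULL rc=%d sent=%d pending=%d\n", rc, dev.sent, dev.pending);
    return 0;
}
```

The model never calls `model_start_xmit(NULL, ...)`, because that is the faulting path the static checker flagged.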