Hi Alexey, On 26.03.2016 21:42, Alexey Khoroshilov wrote: > Fixing checks for dma mapping error in qset_fill_page_list(), > I have missed two similar problems in qset_add_urb_sg() and > in qset_add_urb_sg_linearize(). > > v2: check validity of dma_addr with dma_mapping_error() > in qset_free_std() as suggested by Vladimir Zapolskiy. > > Found by Linux Driver Verification project (linuxtesting.org). > > Signed-off-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx> Reviewed-by: Vladimir Zapolskiy <vz@xxxxxxxxx> > --- > drivers/usb/host/whci/qset.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/host/whci/qset.c b/drivers/usb/host/whci/qset.c > index 1a8e960d073b..c0e6812426b3 100644 > --- a/drivers/usb/host/whci/qset.c > +++ b/drivers/usb/host/whci/qset.c > @@ -314,7 +314,7 @@ void qset_free_std(struct whc *whc, struct whc_std *std) > kfree(std->bounce_buf); > } > if (std->pl_virt) { > - if (std->dma_addr) > + if (!dma_mapping_error(whc->wusbhc.dev, std->dma_addr)) > dma_unmap_single(whc->wusbhc.dev, std->dma_addr, > std->num_pointers * sizeof(struct whc_page_list_entry), > DMA_TO_DEVICE); > @@ -535,9 +535,11 @@ static int qset_add_urb_sg(struct whc *whc, struct whc_qset *qset, struct urb *u > list_for_each_entry(std, &qset->stds, list_node) { > if (std->ntds_remaining == -1) { > pl_len = std->num_pointers * sizeof(struct whc_page_list_entry); > - std->ntds_remaining = ntds--; > std->dma_addr = dma_map_single(whc->wusbhc.dev, std->pl_virt, > pl_len, DMA_TO_DEVICE); > + if (dma_mapping_error(whc->wusbhc.dev, std->dma_addr)) > + return -EFAULT; > + std->ntds_remaining = ntds--; > } > } > return 0; 
> @@ -618,6 +620,8 @@ static int qset_add_urb_sg_linearize(struct whc *whc, struct whc_qset *qset, > > std->dma_addr = dma_map_single(&whc->umc->dev, std->bounce_buf, std->len, > is_out ? DMA_TO_DEVICE : DMA_FROM_DEVICE); > + if (dma_mapping_error(&whc->umc->dev, std->dma_addr)) > + return -EFAULT; From whc_probe() looks like &whc->umc->dev is the same as whc->wusbhc.dev, so the change is correct, but I would suggest to unify the pointer to a device. Still the driver has many problems, e.g. double kfree() -- error path in qset_fill_page_list() and qset_free_stds() etc. > if (qset_fill_page_list(whc, std, mem_flags) < 0) > return -ENOMEM; > -- With best wishes, Vladimir
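
Review bot: in qset_free_std(), replacing `if (std->dma_addr)` with `!dma_mapping_error(...)` is only correct if std->dma_addr already holds a value that dma_mapping_error() rejects whenever pl_virt is set but dma_map_single() has not run. The qset_add_urb_sg() hunk shows that state is reachable: pl_virt exists before the mapping is made, and the new early return leaves the remaining stds unmapped. If dma_addr starts out as 0 for those entries, whether 0 counts as an error depends on the platform's DMA implementation, so dma_unmap_single() could run on an address that was never mapped. Suggest setting dma_addr explicitly to a known-invalid value when the std is created, or tracking the mapped state in a separate field.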
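
Review bot: in qset_add_urb_sg(), the new `return -EFAULT` leaves list_for_each_entry() partway through, so earlier stds stay mapped and later ones keep ntds_remaining == -1 with no mapping, and nothing in this hunk unwinds either kind. Suggest a comment naming the function that frees them on this path, or unmapping here before returning. Moving `std->ntds_remaining = ntds--;` below the check is the right order, since the failing std then stays marked -1.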
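
Review bot: in qset_add_urb_sg_linearize(), the mapping failure returns -EFAULT while the qset_fill_page_list() failure directly below it returns -ENOMEM. A failed dma_map_single() is normally a resource shortage rather than a bad address, so -ENOMEM would match the neighbouring error path; the same applies to the -EFAULT added in qset_add_urb_sg().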