Hi,
Alexey Khoroshilov <khoroshilov@xxxxxxxxx> writes:
> mv_u3d_req_to_trb() does not check for dma mapping errors.
>
> By the way, the patch improves readability of mv_u3d_start_queue()
> by rearranging its code with two semantic modifications:
> - assignment zero to ep->processing if usb_gadget_map_request() fails;
> - propagation of error code from mv_u3d_req_to_trb() instead of
> hardcoded -ENOMEM.
cleanups and fixes should be done separately.
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>
> ---
> drivers/usb/gadget/udc/mv_u3d_core.c | 34 +++++++++++++++++++++-------------
> 1 file changed, 21 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/usb/gadget/udc/mv_u3d_core.c b/drivers/usb/gadget/udc/mv_u3d_core.c
> index b9e19a591322..8d726bd767fd 100644
> --- a/drivers/usb/gadget/udc/mv_u3d_core.c
> +++ b/drivers/usb/gadget/udc/mv_u3d_core.c
> @@ -462,6 +462,12 @@ static int mv_u3d_req_to_trb(struct mv_u3d_req *req)
> req->trb_head->trb_hw,
> trb_num * sizeof(*trb_hw),
> DMA_BIDIRECTIONAL);
> + if (dma_mapping_error(u3d->gadget.dev.parent,
> + req->trb_head->trb_dma)) {
> + kfree(req->trb_head->trb_hw);
> + kfree(req->trb_head);
> + return -EFAULT;
> + }
>
> req->chain = 1;
> }
this is one patch: add dma_mapping_error() check
AKA $subject :-p
> @@ -487,30 +493,32 @@ mv_u3d_start_queue(struct mv_u3d_ep *ep)
> ret = usb_gadget_map_request(&u3d->gadget, &req->req,
> mv_u3d_ep_dir(ep));
> if (ret)
> - return ret;
> + goto break_processing;
>
> req->req.status = -EINPROGRESS;
> req->req.actual = 0;
> req->trb_count = 0;
>
> - /* build trbs and push them to device queue */
> - if (!mv_u3d_req_to_trb(req)) {
> - ret = mv_u3d_queue_trb(ep, req);
> - if (ret) {
> - ep->processing = 0;
> - return ret;
> - }
> - } else {
> - ep->processing = 0;
> + /* build trbs */
> + ret = mv_u3d_req_to_trb(req);
> + if (ret) {
> dev_err(u3d->dev, "%s, mv_u3d_req_to_trb fail\n", __func__);
> - return -ENOMEM;
> + goto break_processing;
> }
>
> + /* and push them to device queue */
> + ret = mv_u3d_queue_trb(ep, req);
> + if (ret)
> + goto break_processing;
> +
> /* irq handler advances the queue */
> - if (req)
> - list_add_tail(&req->queue, &ep->queue);
> + list_add_tail(&req->queue, &ep->queue);
>
> return 0;
> +
> +break_processing:
> + ep->processing = 0;
> + return ret;
> }
>
> static int mv_u3d_ep_enable(struct usb_ep *_ep,
this is another, unrelated patch. Please split
--
balbi
Attachment:
signature.asc
Description: PGP signature
