[PATCH 7/9 v2] usb: usb251xb: Fix property_u32 NULL pointer dereference

Serge Semin <fancer.lancer@xxxxxxxxx> · Sat, 16 Sep 2017 13:42:18 +0300

The methods like of_property_read_u32 utilizing the specified
pointer permit only the pointer to a preallocated u32 storage as the
third argument. As a result the driver crashes on NULL pointer
dereference in case if "oc-delay-us" or "power-on-time-ms" declared
in dts file.

Signed-off-by: Serge Semin <fancer.lancer@xxxxxxxxx>
---
 drivers/usb/misc/usb251xb.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/misc/usb251xb.c b/drivers/usb/misc/usb251xb.c
index 51cc53ddc..c308b0006 100644
--- a/drivers/usb/misc/usb251xb.c
+++ b/drivers/usb/misc/usb251xb.c
@@ -348,7 +348,7 @@ static int usb251xb_get_ofdata(struct usb251xb *hub,
 	struct device *dev = hub->dev;
 	struct device_node *np = dev->of_node;
 	int len, err, i;
-	u32 *property_u32 = NULL;
+	u32 property_u32 = 0;
 	const u32 *cproperty_u32;
 	const char *cproperty_char;
 	char str[USB251XB_STRING_BUFSIZE / 2];
@@ -425,16 +425,16 @@ static int usb251xb_get_ofdata(struct usb251xb *hub,
 	if (of_get_property(np, "dynamic-power-switching", NULL))
 		hub->conf_data2 |= BIT(7);
 
-	if (!of_property_read_u32(np, "oc-delay-us", property_u32)) {
-		if (*property_u32 == 100) {
+	if (!of_property_read_u32(np, "oc-delay-us", &property_u32)) {
+		if (property_u32 == 100) {
 			/* 100 us*/
 			hub->conf_data2 &= ~BIT(5);
 			hub->conf_data2 &= ~BIT(4);
-		} else if (*property_u32 == 4000) {
+		} else if (property_u32 == 4000) {
 			/* 4 ms */
 			hub->conf_data2 &= ~BIT(5);
 			hub->conf_data2 |= BIT(4);
-		} else if (*property_u32 == 16000) {
+		} else if (property_u32 == 16000) {
 			/* 16 ms */
 			hub->conf_data2 |= BIT(5);
 			hub->conf_data2 |= BIT(4);
@@ -498,8 +498,8 @@ static int usb251xb_get_ofdata(struct usb251xb *hub,
 	}
 
 	hub->power_on_time = USB251XB_DEF_POWER_ON_TIME;
-	if (!of_property_read_u32(np, "power-on-time-ms", property_u32))
-		hub->power_on_time = min_t(u8, *property_u32 / 2, 255);
+	if (!of_property_read_u32(np, "power-on-time-ms", &property_u32))
+		hub->power_on_time = min_t(u8, property_u32 / 2, 255);
 
 	if (of_property_read_u16_array(np, "language-id", &hub->lang_id, 1))
 		hub->lang_id = USB251XB_DEF_LANGUAGE_ID;
-- 
2.12.0

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html






