Hi, I am reading the source code of drivers/usb/host/ehci-q.c, and the following is the source code of the function end_unlink_async(). My question is: is there a potential NULL pointer dereference in this function? In line 1136 we get 'qh', but if this pointer is NULL, then when we run line 1142 and the lines after it, we may encounter a NULL pointer dereference. I guess we have to ensure that (qh != NULL) is true before we do any operation on its members, unless every caller already guarantees that ehci->reclaim is non-NULL at this point. Regards Jason
1132 /* the async qh for the qtds being reclaimed are now unlinked from the HC */
1133
1134 static void end_unlink_async (struct ehci_hcd *ehci)
1135 {
1136 struct ehci_qh *qh = ehci->reclaim;
1137 struct ehci_qh *next;
1138
1139 iaa_watchdog_done(ehci);
1140
1141 // qh->hw_next = cpu_to_hc32(qh->qh_dma);
1142 qh->qh_state = QH_STATE_IDLE;
1143 qh->qh_next.qh = NULL;
1144 qh_put (qh); // refcount from reclaim
1145
1146 /* other unlink(s) may be pending (in QH_STATE_UNLINK_WAIT) */
1147 next = qh->reclaim;
1148 ehci->reclaim = next;
1149 qh->reclaim = NULL;
1150
1151 qh_completions (ehci, qh);
1152
1153 if (!list_empty (&qh->qtd_list)
1154 && HC_IS_RUNNING (ehci_to_hcd(ehci)->state))
1155 qh_link_async (ehci, qh);
1156 else {
1157 /* it's not free to turn the async schedule on/off; leave it
1158 * active but idle for a while once it empties.
1159 */
1160 if (HC_IS_RUNNING (ehci_to_hcd(ehci)->state)
1161 && ehci->async->qh_next.qh == NULL)
1162 timer_action (ehci, TIMER_ASYNC_OFF);
1163 }
1164 qh_put(qh); /* refcount from async list */
1165
1166 if (next) {
1167 ehci->reclaim = NULL;
1168 start_unlink_async (ehci, next);
1169 }
1170 }
-- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html