Hello.
On 07-01-2011 22:26, Felipe Balbi wrote:
From: Felipe Balbi <balbi@xxxxxx>
In case we can't allocate struct musb_request,
prevent a NULL pointer dereference by returning
early.
It's the first time I see this patch, so I have no choice but to comment here.
Signed-off-by: Felipe Balbi <balbi@xxxxxx>
[...]
diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
index 5d81504..edff014 100644
--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -1072,13 +1072,16 @@ struct usb_request *musb_alloc_request(struct usb_ep *ep, gfp_t gfp_flags)
struct musb_request *request = NULL;
request = kzalloc(sizeof *request, gfp_flags);
- if (request) {
- INIT_LIST_HEAD(&request->request.list);
- request->request.dma = DMA_ADDR_INVALID;
- request->epnum = musb_ep->current_epnum;
- request->ep = musb_ep;
+ if (!request) {
+ DBG(4, "not enough memory\n");
+ return NULL;
}
+ INIT_LIST_HEAD(&request->request.list);
+ request->request.dma = DMA_ADDR_INVALID;
+ request->epnum = musb_ep->current_epnum;
+ request->ep = musb_ep;
+
return&request->request;
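Review bot: the changelog's "prevent a NULL pointer dereference" does not match the removed lines, where every write through request sat inside if (request) and the final return only computes the address of the request member. What the new early return NULL at the top of the hunk provides is a failure result that no longer depends on where that member sits inside struct musb_request, and the commit message should say so. The = NULL initialiser on the declaration is also redundant, since request is assigned from kzalloc() on the very next line.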
I see no dereference here... Felipe, could you elaborate?
request would have been dereferenced even if request was NULL, see the
return statement:
return &request->request;
There is no actual dereference here -- we're just taking the address of
the field. This code works well unless the offset of the 'request' field is
not 0 (in which case the caller will oops) but it is 0. So this is only a
potential error...
WBR, Sergei
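The offset argument made above, as an added example that is not code from this thread or from the kernel: it models the old and the patched return path for a failed allocation under two layouts. The struct names, `alloc_old`, `alloc_new` and the reordered layout are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins, not the kernel's definitions. */
struct usb_req { void *buf; unsigned length; };
struct req_first { struct usb_req request; int epnum; }; /* member at offset 0 */
struct req_later { int epnum; struct usb_req request; }; /* hypothetical reorder */

#define OFF_FIRST offsetof(struct req_first, request)
#define OFF_LATER offsetof(struct req_later, request)

/* Old shape: always hand back "address of member", even after a failed
 * allocation. Computed in uintptr_t so a NULL base stays well defined in
 * this model; assumes NULL converts to 0, as on Linux targets. */
static uintptr_t alloc_old(size_t size, size_t member_off, int fail)
{
    void *req = fail ? NULL : calloc(1, size);
    return (uintptr_t)req + member_off;
}

/* Patched shape: failure is reported as NULL whatever the layout is. */
static uintptr_t alloc_new(size_t size, size_t member_off, int fail)
{
    void *req = fail ? NULL : calloc(1, size);
    if (!req)
        return 0;
    return (uintptr_t)req + member_off;
}

/* 1 if a caller comparing the result against NULL notices the failure. */
int old_caught(size_t off) { return alloc_old(64, off, 1) == 0; }
int new_caught(size_t off) { return alloc_new(64, off, 1) == 0; }

int main(void)
{
    printf("offset %zu: old caught=%d new caught=%d\n",
           (size_t)OFF_FIRST, old_caught(OFF_FIRST), new_caught(OFF_FIRST));
    printf("offset %zu: old caught=%d new caught=%d\n",
           (size_t)OFF_LATER, old_caught(OFF_LATER), new_caught(OFF_LATER));
    return 0;
}
```

With the member at a non-zero offset, the old path returns a small non-NULL value that passes the caller's NULL test and faults only on first use.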