Re: [Qemu-devel] [PATCH 9/9] hcd-musb: fix dereference null return value
From: Paolo Bonzini
Subject: Re: [Qemu-devel] [PATCH 9/9] hcd-musb: fix dereference null return value
Date: Mon, 17 Nov 2014 11:58:12 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
On 15/11/2014 11:06, address@hidden wrote:
> From: Gonglei <address@hidden>
>
> Signed-off-by: Gonglei <address@hidden>
> ---
> hw/usb/hcd-musb.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/hw/usb/hcd-musb.c b/hw/usb/hcd-musb.c
> index 66bc61a..f2cb73c 100644
> --- a/hw/usb/hcd-musb.c
> +++ b/hw/usb/hcd-musb.c
> @@ -624,6 +624,10 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
>
> /* A wild guess on the FADDR semantics... */
> dev = usb_find_device(&s->port, ep->faddr[idx]);
> + if (!dev) {
> + TRACE("Do not find an usb device");
> + return;
> + }
> uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
> usb_packet_setup(&ep->packey[dir].p, pid, uep, 0,
> (dev->addr << 16) | (uep->nr << 8) | pid, false, true);
>
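Review bot: the early `return` on a NULL `dev` guards the wrong place: the only unsafe operation in this hunk is the `(dev->addr << 16) | (uep->nr << 8)` expression passed to usb_packet_setup, and the return also skips the packet setup for the whole endpoint instead of letting the existing NULL-tolerant path in usb_ep_get and usb_handle_packet run. The check is also incomplete, since `uep->nr` is still dereferenced unconditionally and usb_ep_get can return NULL as well. Suggest guarding only the id computation (for example `if (dev && uep) { id |= ...; }`) and, if the trace is kept, rewording "Do not find an usb device" to something like "USB device not found".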
I think this patch is not the real fix. usb_ep_get and
usb_handle_packet can deal with a NULL device, but we have to avoid
dereferencing NULL pointers when building the id.
Paolo
diff --git a/hw/usb/hcd-musb.c b/hw/usb/hcd-musb.c
index 66bc61a..40809f6 100644
--- a/hw/usb/hcd-musb.c
+++ b/hw/usb/hcd-musb.c
@@ -608,6 +608,7 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
USBDevice *dev;
USBEndpoint *uep;
int idx = epnum && dir;
+ int id;
int ttype;
/* ep->type[0,1] contains:
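Review bot: `int id` should match the type of the `id` parameter of usb_packet_setup; the previous inline expression was int-typed, so this is not a regression, but declaring it with the callee's type would avoid an implicit conversion and make the intent explicit.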
@@ -625,8 +626,11 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
/* A wild guess on the FADDR semantics... */
dev = usb_find_device(&s->port, ep->faddr[idx]);
uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
- usb_packet_setup(&ep->packey[dir].p, pid, uep, 0,
- (dev->addr << 16) | (uep->nr << 8) | pid, false, true);
+ id = pid;
+ if (uep) {
+ id |= (dev->addr << 16) | (uep->nr << 8);
+ }
+ usb_packet_setup(&ep->packey[dir].p, pid, uep, 0, id, false, true);
usb_packet_addbuf(&ep->packey[dir].p, ep->buf[idx], len);
ep->packey[dir].ep = ep;
ep->packey[dir].dir = dir;
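Review bot: the `if (uep)` guard protects `uep->nr` but only indirectly protects `dev->addr`; it assumes usb_ep_get never returns a non-NULL endpoint for a NULL device. Either test both pointers (`if (dev && uep)`) or add a short comment stating that invariant so a later change to usb_ep_get cannot silently reintroduce the NULL dereference. A comment on the fallback would also help: when no endpoint is found, `id` carries only the pid with zero address and endpoint bits.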