Re: [Qemu-trivial] [PATCH 9/9] hcd-musb: fix dereference null return value

From: Gonglei
Subject: Re: [Qemu-trivial] [PATCH 9/9] hcd-musb: fix dereference null return value
Date: Mon, 17 Nov 2014 19:18:34 +0800
User-agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
On 2014/11/17 18:58, Paolo Bonzini wrote:
>
>
> On 15/11/2014 11:06, address@hidden wrote:
>> From: Gonglei <address@hidden>
>>
>> Signed-off-by: Gonglei <address@hidden>
>> ---
>> hw/usb/hcd-musb.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/hw/usb/hcd-musb.c b/hw/usb/hcd-musb.c
>> index 66bc61a..f2cb73c 100644
>> --- a/hw/usb/hcd-musb.c
>> +++ b/hw/usb/hcd-musb.c
>> @@ -624,6 +624,10 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
>>
>> /* A wild guess on the FADDR semantics... */
>> dev = usb_find_device(&s->port, ep->faddr[idx]);
>> + if (!dev) {
>> + TRACE("Do not find an usb device");
>> + return;
>> + }
>> uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
>> usb_packet_setup(&ep->packey[dir].p, pid, uep, 0,
>> (dev->addr << 16) | (uep->nr << 8) | pid, false, true);
>>
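Review bot: the early return guards only dev, but the usb_packet_setup call two lines below also dereferences uep, and usb_ep_get can itself return NULL (the follow-up in this thread tests `if (uep)`), so a missing endpoint on a present device still faults on `uep->nr`. Given that usb_ep_get and usb_handle_packet already accept a NULL device, the narrower fix is to build the id conditionally rather than bail out of musb_packet entirely; if the early return is kept, the trace string `"Do not find an usb device"` should read something like `"USB device not found"`.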
>
> I think this patch is not the real fix. usb_ep_get and
> usb_handle_packet can deal with a NULL device, but we have to avoid
> dereferencing NULL pointers when building the id.
>
Good catch :)
> Paolo
>
> diff --git a/hw/usb/hcd-musb.c b/hw/usb/hcd-musb.c
> index 66bc61a..40809f6 100644
> --- a/hw/usb/hcd-musb.c
> +++ b/hw/usb/hcd-musb.c
> @@ -608,6 +608,7 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
> USBDevice *dev;
> USBEndpoint *uep;
> int idx = epnum && dir;
> + int id;
> int ttype;
>
> /* ep->type[0,1] contains:
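Review bot: minor: `id` is only used in the second hunk, so declaring it at its first assignment (`int id = pid;`) would keep it close to its use; also check that `int` matches the width of the id parameter of usb_packet_setup, since `dev->addr << 16` is packed into it and a wider parameter type would make the declaration a silent narrowing.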
> @@ -625,8 +626,11 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
> /* A wild guess on the FADDR semantics... */
> dev = usb_find_device(&s->port, ep->faddr[idx]);
> uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
> - usb_packet_setup(&ep->packey[dir].p, pid, uep, 0,
> - (dev->addr << 16) | (uep->nr << 8) | pid, false, true);
> + id = pid;
> + if (uep) {
> + id |= (dev->addr << 16) | (uep->nr << 8);
> + }
> + usb_packet_setup(&ep->packey[dir].p, pid, uep, 0, id, false, true);
> usb_packet_addbuf(&ep->packey[dir].p, ep->buf[idx], len);
> ep->packey[dir].ep = ep;
> ep->packey[dir].dir = dir;
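Review bot: the `if (uep)` guard covers the `dev->addr` dereference only because usb_ep_get returns NULL for a NULL device, an invariant stated in the reply above but not visible at this line; writing it as `if (dev && uep) {` keeps the NULL-dev case explicit for the next reader at no cost. The behavioural change also deserves a sentence in the commit message: with a missing device or endpoint the packet is now still set up and handed on with only pid in the id instead of the function returning early.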
This is a good approach; id is just an identifier. Thanks,
Best regards,
-Gonglei