Re: [PATCH] usb: gadget: amd5536udc: fix NULL pointer dereference

From: David Cohen
Date: Thu Sep 10 2015 - 13:59:57 EST


Hi Sudip,

On Fri, Sep 04, 2015 at 05:12:23PM +0530, Sudip Mukherjee wrote:
> We were checking if dev->regs is NULL but it was done after
> dereferencing it. Let's reset the controller and iounmap dev->regs only
> if it is not NULL.
> free_irq() does not need dev->regs, so unmapping it before freeing the
> irq should not matter.
>
> Signed-off-by: Sudip Mukherjee <sudip@xxxxxxxxxxxxxxx>
> ---
> drivers/usb/gadget/udc/amd5536udc.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/usb/gadget/udc/amd5536udc.c b/drivers/usb/gadget/udc/amd5536udc.c
> index fdacddb..26066d3 100644
> --- a/drivers/usb/gadget/udc/amd5536udc.c
> +++ b/drivers/usb/gadget/udc/amd5536udc.c
> @@ -3135,11 +3135,12 @@ static void udc_pci_remove(struct pci_dev *pdev)
> }
>
> /* reset controller */
> - writel(AMD_BIT(UDC_DEVCFG_SOFTRESET), &dev->regs->cfg);
> + if (dev->regs) {
> + writel(AMD_BIT(UDC_DEVCFG_SOFTRESET), &dev->regs->cfg);
> + iounmap(dev->regs);

I'm not familiar with the driver, but you're iounmap'ing before freeing
irq. Looks fishy to me.

Br, David

> + }
> if (dev->irq_registered)
> free_irq(pdev->irq, dev);
> - if (dev->regs)
> - iounmap(dev->regs);
> if (dev->mem_region)
> release_mem_region(pci_resource_start(pdev, 0),
> pci_resource_len(pdev, 0));
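
Review bot: The new `if (dev->regs)` block calls `iounmap(dev->regs)` before `free_irq(pdev->irq, dev)`, so the interrupt handler stays registered for a window in which the register mapping is already gone. free_irq() itself does not need dev->regs, as the commit message says, but a handler that runs before free_irq() returns (for example on a shared PCI interrupt line) would access unmapped memory if it reads or writes through dev->regs. The NULL dereference can be fixed without changing the teardown order: put only the `writel(AMD_BIT(UDC_DEVCFG_SOFTRESET), &dev->regs->cfg);` under the `if (dev->regs)` check and leave the existing `if (dev->regs) iounmap(dev->regs);` where it was, after free_irq(). If the reordering is intentional, the commit message should explain why the handler can no longer fire at that point.
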
> --
> 1.9.1
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-usb" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html