From 2d50ef2cf3860caea1fc70e41986c58a8a9b0a50 Mon Sep 17 00:00:00 2001
From: Jack Pham
Date: Tue, 13 Sep 2016 10:17:25 -0700
Subject: [PATCH 1/2] usb: pd: Avoid potential NULL ptr dereferences
Check that a valid pointer was passed in addition to non-zero length to avoid dereferencing NULL pointers in functions where data is copied from policy engine to the PD PHY. Issues were identified with static analysis tool.
Change-Id: Ib42aad9e0d838eda4653e0bab9f074b3031983dd
Signed-off-by: Jack Pham
---
 drivers/usb/pd/policy_engine.c | 3 ++-
 drivers/usb/pd/qpnp-pdphy.c | 8 +++++---
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/pd/policy_engine.c b/drivers/usb/pd/policy_engine.c
index b011efe189e7..845c5e384964 100644
--- a/drivers/usb/pd/policy_engine.c
+++ b/drivers/usb/pd/policy_engine.c
@@ -925,7 +925,8 @@ int usbpd_send_vdm(struct usbpd *pd, u32 vdm_hdr, const u32 *vdos, int num_vdos)
 return -ENOMEM;
 vdm_tx->data[0] = vdm_hdr;
- memcpy(&vdm_tx->data[1], vdos, num_vdos * sizeof(u32));
+ if (vdos && num_vdos)
+ memcpy(&vdm_tx->data[1], vdos, num_vdos * sizeof(u32));
 vdm_tx->size = num_vdos + 1; /* include the header */
 /* VDM will get sent in PE_SRC/SNK_READY state handling */
diff --git a/drivers/usb/pd/qpnp-pdphy.c b/drivers/usb/pd/qpnp-pdphy.c
index 8cf294306efd..5b5e6210a1bb 100644
--- a/drivers/usb/pd/qpnp-pdphy.c
+++ b/drivers/usb/pd/qpnp-pdphy.c
@@ -445,8 +445,10 @@ int pd_phy_write(u16 hdr, const u8 *data, size_t data_len,
 dev_dbg(pdphy->dev, "%s: hdr %x frame type %d timeout %u\n", __func__, hdr, type, timeout_ms);
- print_hex_dump_debug("tx data obj:", DUMP_PREFIX_NONE, 32, 4,
- data, data_len, false);
+
+ if (data && data_len)
+ print_hex_dump_debug("tx data obj:", DUMP_PREFIX_NONE, 32, 4,
+ data, data_len, false);
 if (!pdphy) {
 pr_err("%s: pdphy not found\n", __func__);
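Review bot: In usbpd_send_vdm(), a NULL `vdos` with a non-zero `num_vdos` now skips the memcpy, but `vdm_tx->size = num_vdos + 1` still advertises the full payload, so whatever the allocation left in `data[1..]` would be queued for transmission (stale heap contents if the buffer is not zeroed; the allocation is outside this hunk). Rejecting the inconsistent arguments is safer than skipping silently: `if (num_vdos < 0 || (num_vdos && !vdos)) return -EINVAL;` at function entry, before the allocation whose `-ENOMEM` path is visible here. The second pd_phy_write() hunk in qpnp-pdphy.c (`if (data && data_len)`) has the same shape: the data-object write is skipped while the frame is presumably still sent with the caller's `hdr`. Because `num_vdos` is a signed int multiplied into a size_t, an upper bound against the capacity of `data[]` is also worth confirming if it is not already checked above the hunk.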
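Review bot: `dev_dbg(pdphy->dev, ...)` at the top of the first pd_phy_write() hunk dereferences `pdphy` before the `if (!pdphy)` check that follows the new `print_hex_dump_debug` guard, so the NULL case that check is meant to catch can still be hit when debug output is enabled. Moving the `if (!pdphy) { ... }` block above the `dev_dbg` call closes it. The rest of that block and the assignment of `pdphy` lie outside the hunk, so the exact move needs to be confirmed against the full function.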
@@ -472,7 +474,7 @@ int pd_phy_write(u16 hdr, const u8 *data, size_t data_len,
 if (ret)
 return ret;
- if (data_len) {
+ if (data && data_len) {
 /* write data objects of SOP message */
 ret = pdphy_bulk_reg_write(pdphy, USB_PDPHY_TX_BUFFER_DATA, data, data_len);
From 19e19a171072c56fd3203a8d68e703963e5a90db Mon Sep 17 00:00:00 2001
From: Peter Chen
Date: Fri, 1 Jul 2016 15:33:28 +0800
Subject: [PATCH 2/2] usb: gadget: composite: fix dereference after null check coverify warning
cdev->config is checked for null pointer at above code, so cdev->config might be null, fix it by adding null pointer check.
Change-Id: Ie919a2a886924f1b1e01415bfdaa53f74046f5b0
Signed-off-by: Peter Chen
Signed-off-by: Felipe Balbi
Git-commit: c526c62d565ea5a5bba9433f28756079734f430d
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Signed-off-by: Jack Pham
---
 drivers/usb/gadget/composite.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 3d17fd93c787..457d0cf6135a 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1962,6 +1962,8 @@ unknown:
 break;
 case USB_RECIP_ENDPOINT:
+ if (!cdev->config)
+ break;
 endp = ((w_index & 0x80) >> 3) | (w_index & 0x0f);
 list_for_each_entry(f, &cdev->config->functions, list) {
 if (test_bit(endp, f->endpoints))
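Review bot: The new `if (!cdev->config) break;` in the `USB_RECIP_ENDPOINT` case has no comment saying when `config` is NULL, and that state looks host-reachable: `w_index` is decoded into an endpoint number right below, which suggests the request can arrive from the host before a configuration is selected. A one-line comment such as `/* no configuration selected yet: leave the request unhandled */` would record the intent. What the function returns after the `break` is outside the hunk, so it is worth confirming that the unhandled path ends in a stall rather than a success status.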