Searched hist:c69b8186945c10d245586e9f9703486e9574170c (Results 1 – 1 of 1) sorted by relevance
| /openbmc/linux/drivers/usb/gadget/legacy/ |
| H A D | printer.c | diff c69b8186945c10d245586e9f9703486e9574170c Tue Mar 03 03:52:07 CST 2015 Andrzej Pietrasiewicz <andrzej.p@samsung.com> usb: gadget: printer: eliminate random pointer dereference
struct printer_dev contains 3 list heads: tx_reqs, rx_reqs and rx_buffers.
There is just one instance of this structure in the driver and it is
file static, and as such initialized with all zeros.
If device_create() or cdev_add() fails then "goto fail" branch is taken,
which results in printer_cfg_unbind() call. The latter checks if
tx_reqs, rx_reqs and rx_buffers lists are empty. The check for emptiness
is in fact a check whether the "next" member of struct list_head points
to the head of the list. But the heads of the lists in question have
not been initialized yet and, as mentioned above, contain all zeros,
so list_empty() returns false and respective "while" loop body starts
executing. Here, container_of() just subtracts the offset of a struct
usb_request member from an address of this same member, which results in
a value somewhere near 0 or 0xfff...ff. And the argument to list_del()
dereferences such a pointer which causes a disaster.
This patch moves respective INIT_LIST_HEAD() invocations to a point before
"goto fail" branch can be taken.
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
|