Message ID | 20190118212931.18482-2-skhan@linuxfoundation.org (mailing list archive) |
---|---|
State | New, archived |
Series | usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path |
On Fri, Jan 18, 2019 at 02:29:31PM -0700, Shuah Khan wrote: > From: Shuah Khan <shuah@kernel.org> > > Fix vhci_urb_enqueue() to print error and return error instead of > failing with WARN_ON. > > Signed-off-by: Shuah Khan <shuah@kernel.org> > --- > drivers/usb/usbip/vhci_hcd.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c > index 1e592ec94ba4..849ebfde87b5 100644 > --- a/drivers/usb/usbip/vhci_hcd.c > +++ b/drivers/usb/usbip/vhci_hcd.c > @@ -702,8 +702,10 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag > } > vdev = &vhci_hcd->vdev[portnum-1]; > > - /* patch to usb_sg_init() is in 2.5.60 */ > - BUG_ON(!urb->transfer_buffer && urb->transfer_buffer_length); > + if (!urb->transfer_buffer && urb->transfer_buffer_length) { > + dev_err(dev, "Null URB transfer buffer\n"); > + return -EINVAL; > + } Could that BUG_ON be hit by userspace somehow? Or is this just an internal check for the api usage? And sending out a 0 buffer length might be a valid thing (or at least a crazy attempt at something), so you might want to make that dev_dbg() in case userspace could trigger this to keep the log spam down. thanks, greg k-h
Hello! On 01/19/2019 12:29 AM, Shuah Khan wrote: > From: Shuah Khan <shuah@kernel.org> > > Fix vhci_urb_enqueue() to print error and return error instead of > failing with WARN_ON. It's BUG_ON(). > Signed-off-by: Shuah Khan <shuah@kernel.org> > --- > drivers/usb/usbip/vhci_hcd.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c > index 1e592ec94ba4..849ebfde87b5 100644 > --- a/drivers/usb/usbip/vhci_hcd.c > +++ b/drivers/usb/usbip/vhci_hcd.c > @@ -702,8 +702,10 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag > } > vdev = &vhci_hcd->vdev[portnum-1]; > > - /* patch to usb_sg_init() is in 2.5.60 */ > - BUG_ON(!urb->transfer_buffer && urb->transfer_buffer_length); > + if (!urb->transfer_buffer && urb->transfer_buffer_length) { > + dev_err(dev, "Null URB transfer buffer\n"); > + return -EINVAL; > + } > > spin_lock_irqsave(&vhci->lock, flags); > MBR, Sergei
On 1/19/19 9:58 AM, Sergei Shtylyov wrote:
> Hello!
>
> On 01/19/2019 12:29 AM, Shuah Khan wrote:
>
>> From: Shuah Khan <shuah@kernel.org>
>>
>> Fix vhci_urb_enqueue() to print error and return error instead of
>> failing with WARN_ON.
>
> It's BUG_ON().

Thanks. I will fix it.

-- Shuah
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c index 1e592ec94ba4..849ebfde87b5 100644 --- a/drivers/usb/usbip/vhci_hcd.c +++ b/drivers/usb/usbip/vhci_hcd.c @@ -702,8 +702,10 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag } vdev = &vhci_hcd->vdev[portnum-1]; - /* patch to usb_sg_init() is in 2.5.60 */ - BUG_ON(!urb->transfer_buffer && urb->transfer_buffer_length); + if (!urb->transfer_buffer && urb->transfer_buffer_length) { + dev_err(dev, "Null URB transfer buffer\n"); + return -EINVAL; + } spin_lock_irqsave(&vhci->lock, flags);
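Review bot: the `dev_err()` in the added `if (!urb->transfer_buffer && urb->transfer_buffer_length)` block logs at error level on every rejected URB, so if a caller can reach this path repeatedly the kernel log fills up; `dev_dbg()` or `dev_err_ratelimited()` would bound that, and printing `urb->transfer_buffer_length` in the message would make the entry more useful for diagnosis. The commit message says the old behaviour was WARN_ON while the removed line is `BUG_ON(...)`, so the changelog should be corrected to match the code. The old comment is removed without a replacement; a one-line comment stating why a NULL buffer with a non-zero length is rejected would help the next reader, and since `dev` is not defined anywhere in the visible context, please confirm it is in scope at this point in `vhci_urb_enqueue()`.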