USB: EHCI: fix NULL pointer dererence in HCDs that use HCD_LOCAL_MEM

Andrea Righi · gregkh · commit 4307a28eb012 · 2010-08-10T14:35:38.000-07:00
If we use the HCD_LOCAL_MEM flag and dma_declare_coherent_memory() to
enforce the host controller's local memory utilization we also need to
disable native scatter-gather support, otherwise hcd_alloc_coherent() in
map_urb_for_dma() is called with urb-&gt;transfer_buffer == NULL, that
triggers a NULL pointer dereference.

We can also consider to add a WARN_ON() and return an error code to
better catch this problem in the future.

At the moment no driver seems to hit this bug, so I should
consider this a low-priority fix.

Signed-off-by: Andrea Righi &lt;arighi@develer.com&gt;
Acked-by: Alan Stern &lt;stern@rowland.harvard.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
@@ -1218,6 +1218,11 @@ static int hcd_alloc_coherent(struct usb_bus *bus,
 {
 	unsigned char *vaddr;
 
+	if (*vaddr_handle == NULL) {
+		WARN_ON_ONCE(1);
+		return -EFAULT;
+	}
+
 	vaddr = hcd_buffer_alloc(bus, size + sizeof(vaddr),
 				 mem_flags, dma_handle);
 	if (!vaddr)
diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
@@ -629,7 +629,8 @@ static int ehci_init(struct usb_hcd *hcd)
 	ehci->command = temp;
 
 	/* Accept arbitrarily long scatter-gather lists */
-	hcd->self.sg_tablesize = ~0;
+	if (!(hcd->driver->flags & HCD_LOCAL_MEM))
+		hcd->self.sg_tablesize = ~0;
 	return 0;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -629,7 +629,8 @@ static int ehci_init(struct usb_hcd *hcd)`
`629`	`629`	`ehci->command = temp;`
`630`	`630`
`631`	`631`	`/* Accept arbitrarily long scatter-gather lists */`
`632`		`- hcd->self.sg_tablesize = ~0;`
	`632`	`+ if (!(hcd->driver->flags & HCD_LOCAL_MEM))`
	`633`	`+ hcd->self.sg_tablesize = ~0;`
`633`	`634`	`return 0;`
`634`	`635`	`}`
`635`	`636`