usb: usb251xb: Fix property_u32 NULL pointer dereference
authorSerge Semin <fancer.lancer@gmail.com>
Sun, 22 Oct 2017 20:38:10 +0000 (23:38 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 1 Nov 2017 16:14:21 +0000 (17:14 +0100)
Methods like of_property_read_u32 that use the specified pointer
accept only a pointer to preallocated u32 storage as the third
argument. As a result the driver crashes with a NULL pointer
dereference if "oc-delay-us" or "power-on-time-ms" is declared
in the dts file.

Signed-off-by: Serge Semin <fancer.lancer@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/misc/usb251xb.c

index 5263b8acc772fb15802030594f61d4d2ce2c6db8..333f61baf14538eb8c8e681c05c4de83c1154766 100644 (file)
@@ -347,7 +347,7 @@ static int usb251xb_get_ofdata(struct usb251xb *hub,
        struct device *dev = hub->dev;
        struct device_node *np = dev->of_node;
        int len, err, i;
-       u32 *property_u32 = NULL;
+       u32 property_u32 = 0;
        const u32 *cproperty_u32;
        const char *cproperty_char;
        char str[USB251XB_STRING_BUFSIZE / 2];
@@ -424,16 +424,16 @@ static int usb251xb_get_ofdata(struct usb251xb *hub,
        if (of_get_property(np, "dynamic-power-switching", NULL))
                hub->conf_data2 |= BIT(7);
 
-       if (!of_property_read_u32(np, "oc-delay-us", property_u32)) {
-               if (*property_u32 == 100) {
+       if (!of_property_read_u32(np, "oc-delay-us", &property_u32)) {
+               if (property_u32 == 100) {
                        /* 100 us*/
                        hub->conf_data2 &= ~BIT(5);
                        hub->conf_data2 &= ~BIT(4);
-               } else if (*property_u32 == 4000) {
+               } else if (property_u32 == 4000) {
                        /* 4 ms */
                        hub->conf_data2 &= ~BIT(5);
                        hub->conf_data2 |= BIT(4);
-               } else if (*property_u32 == 16000) {
+               } else if (property_u32 == 16000) {
                        /* 16 ms */
                        hub->conf_data2 |= BIT(5);
                        hub->conf_data2 |= BIT(4);
@@ -500,8 +500,8 @@ static int usb251xb_get_ofdata(struct usb251xb *hub,
        }
 
        hub->power_on_time = USB251XB_DEF_POWER_ON_TIME;
-       if (!of_property_read_u32(np, "power-on-time-ms", property_u32))
-               hub->power_on_time = min_t(u8, *property_u32 / 2, 255);
+       if (!of_property_read_u32(np, "power-on-time-ms", &property_u32))
+               hub->power_on_time = min_t(u8, property_u32 / 2, 255);
 
        if (of_property_read_u16_array(np, "language-id", &hub->lang_id, 1))
                hub->lang_id = USB251XB_DEF_LANGUAGE_ID;
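Review bot: The clamp on the new `power-on-time-ms` line does not saturate, because `min_t(u8, property_u32 / 2, 255)` casts both operands to u8 before comparing them. A halved value above 255 is therefore truncated modulo 256 instead of being limited to 255; for example a property of 600 would store 44. Doing the comparison in the wider type fixes it: `hub->power_on_time = min_t(u32, property_u32 / 2, 255);`. The value comes from the device tree, so this looks like a silent misconfiguration hazard rather than attacker-controlled input, but the hub would be programmed with a much shorter power-on time than the dts author asked for. The body of usb251xb_get_ofdata starts and ends outside this hunk.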