From 651d8dd4f6562e1176d87b7dfe7210507a622f55 Mon Sep 17 00:00:00 2001
From: Francois Toguo <francois.toguo.fotso@intel.com>
Date: Wed, 27 Mar 2019 10:30:20 -0700
Subject: libpayload: Fix potential NULL pointer dereference

Found-by: Klockwork
BUG=NONE
TEST=Boot to OS on GLK Sparky

Signed-off-by: Francois Toguo <francois.toguo.fotso@intel.com>
Change-Id: I9d4636f0429de829e746909492c2f543026a02ac
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32083
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Lijian Zhao <lijian.zhao@intel.com>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
---
 payloads/libpayload/drivers/usb/ehci.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

(limited to 'payloads/libpayload/drivers/usb/ehci.c')

diff --git a/payloads/libpayload/drivers/usb/ehci.c b/payloads/libpayload/drivers/usb/ehci.c
index 30cf191433..3d6c077b31 100644
--- a/payloads/libpayload/drivers/usb/ehci.c
+++ b/payloads/libpayload/drivers/usb/ehci.c
@@ -634,6 +634,8 @@ static void *ehci_create_intr_queue(
 
 	/* create #reqcount transfer descriptors (qTDs) */
 	intrq->head = (intr_qtd_t *)dma_memalign(64, sizeof(intr_qtd_t));
+	if (!intrq->head)
+		fatal("Not enough DMA memory to create #reqcount TD.\n");
 	intr_qtd_t *cur_td = intrq->head;
 	for (i = 0; i < reqcount; ++i) {
 		fill_intr_queue_td(intrq, cur_td, data);
@@ -642,6 +644,8 @@ static void *ehci_create_intr_queue(
 			/* create one more qTD */
 			intr_qtd_t *const next_td =
 				(intr_qtd_t *)dma_memalign(64, sizeof(intr_qtd_t));
+			if (!next_td)
+				fatal("Not enough DMA memory to create TD.\n");
 			cur_td->td.next_qtd = virt_to_phys(&next_td->td);
 			cur_td->next = next_td;
 			cur_td = next_td;
@@ -651,6 +655,8 @@ static void *ehci_create_intr_queue(
 
 	/* create spare qTD */
 	intrq->spare = (intr_qtd_t *)dma_memalign(64, sizeof(intr_qtd_t));
+	if (!intrq->spare)
+		fatal("Not enough DMA memory to create spare qTD.\n");
 	intrq->spare->data = data;
 
 	/* initialize QH */
@@ -824,14 +830,17 @@ ehci_init (unsigned long physical_bar)
 	 * and doesn't violate the standard.
 	 */
 	EHCI_INST(controller)->dummy_qh = (ehci_qh_t *)dma_memalign(64, sizeof(ehci_qh_t));
+	if (!EHCI_INST(controller)->dummy_qh)
+		fatal("Not enough DMA memory for EHCI dummy TD.\n");
 	memset((void *)EHCI_INST(controller)->dummy_qh, 0,
 		sizeof(*EHCI_INST(controller)->dummy_qh));
 	EHCI_INST(controller)->dummy_qh->horiz_link_ptr = QH_TERMINATE;
 	EHCI_INST(controller)->dummy_qh->td.next_qtd = QH_TERMINATE;
 	EHCI_INST(controller)->dummy_qh->td.alt_next_qtd = QH_TERMINATE;
 	for (i = 0; i < 1024; ++i)
-		periodic_list[i] = virt_to_phys(EHCI_INST(controller)->dummy_qh)
-				   | PS_TYPE_QH;
+		periodic_list[i] =
+			virt_to_phys(EHCI_INST(controller)->dummy_qh)
+				| PS_TYPE_QH;
 
 	/* Make sure periodic schedule is disabled */
 	ehci_set_periodic_schedule(EHCI_INST(controller), 0);
-- 
cgit v1.2.3