On Tue, 7 Jun 2016, Michał Pecio wrote:

> > Greg, in principle this should go to -stable. However, it looks like
> > this might break some applications that currently sort-of work, even
> > though they shouldn't. Therefore we have decided not to mark this
> > patch for -stable at present.
>
> This means leaving three longterm branches with a known panic trigger.
>
> Maybe an explicit check for NULL and LIST_POISON would be a cheap way to
> kill the bug and have it too. These two are the only wrong values those
> pointers can ever get.

If the list pointer contains LIST_POISON then it's already too late;
we've been accessing memory that was deallocated. (This shouldn't
happen, though, because the ED structures are allocated from a coherent
DMA pool.)

They could contain a different value, though -- stale pointers from an
earlier time when they _were_ on the list.

The best way to protect against this is to call INIT_LIST_HEAD in
ed_alloc() and list_del_init() in finish_unlinks(). Then you don't even
have to check for invalid values. And such a patch could be accepted
for the mainline kernel, because it wouldn't hurt anything. That will
make it easier for the fix to get into the -stable kernels.

Alan Stern
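
The stale-pointer case discussed above, as an added example that is not part of the message or of the OHCI driver: a userspace model of the kernel's list primitives showing that a second unlink through stale pointers corrupts the list, while the INIT_LIST_HEAD plus list_del_init() pattern makes it a no-op. The list functions are re-implemented here, and `del_leave_stale` and `list_survives_double_unlink` are hypothetical names.

```c
#include <stdio.h>

/* Userspace model of the kernel's circular list; constructed for this example. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

/* Hypothetical helper: unlink but leave the entry's own pointers stale. */
static void del_leave_stale(struct list_head *e)
{
    e->next->prev = e->prev; e->prev->next = e->next;
}

/* Same effect as the kernel's list_del_init(): unlink, then self-link. */
static void list_del_init(struct list_head *e)
{
    del_leave_stale(e);
    INIT_LIST_HEAD(e);
}

/* a and b are linked and unlinked, c is linked, then a is unlinked again.
 * Returns 1 if the list still holds exactly c afterwards, 0 if corrupted. */
static int list_survives_double_unlink(int use_init)
{
    struct list_head head, a, b, c;
    INIT_LIST_HEAD(&head);
    INIT_LIST_HEAD(&a); INIT_LIST_HEAD(&b); INIT_LIST_HEAD(&c); /* at allocation */
    list_add_tail(&a, &head); list_add_tail(&b, &head);
    if (use_init) { list_del_init(&a); list_del_init(&b); }
    else { del_leave_stale(&a); del_leave_stale(&b); }
    list_add_tail(&c, &head);
    if (use_init) list_del_init(&a); else del_leave_stale(&a); /* second unlink */
    return head.next == &c && head.prev == &c && c.next == &head && c.prev == &head;
}

int main(void)
{
    printf("list_del_init:  %s\n", list_survives_double_unlink(1) ? "intact" : "corrupted");
    printf("stale pointers: %s\n", list_survives_double_unlink(0) ? "intact" : "corrupted");
    return 0;
}
```

In the stale case the second unlink rewrites `head.next` to point at the already-removed entry `b`, so `c` is no longer reachable from the head.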