Re: [PATCH] USB: EHCI: adjust ehci_iso_stream for changes in ehci_qh

Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> · Mon, 1 Mar 2010 10:36:07 -0500 (EST)

On Mon, 1 Mar 2010, Clemens Ladisch wrote:

> The EHCI driver stores in usb_host_endpoint.hcpriv a pointer to either
> an ehci_qh or an ehci_iso_stream structure, and uses the contents of the
> hw_info1 field to distinguish the two cases.
> 
> After ehci_qh was split into hw and sw parts, ehci_iso_stream must also
> be adjusted so that it again looks like an ehci_qh structure.
> 
> This fixes a NULL pointer access in ehci_endpoint_disable() when it
> tries to access qh->hw->hw_info1.
> 
> Signed-off-by: Clemens Ladisch <clemens@xxxxxxxxxx>
> Reported-by: Colin Fletcher <colin.m.fletcher@xxxxxxxxxxxxxx>
> Cc: <stable@xxxxxxxxxx>
> ---
>  drivers/usb/host/ehci-sched.c |    3 ++-
>  drivers/usb/host/ehci.h       |   11 ++++++++---
>  2 files changed, 10 insertions(+), 4 deletions(-)
> 
> --- linux/drivers/usb/host/ehci.h
> +++ linux/drivers/usb/host/ehci.h
> @@ -394,9 +394,8 @@ struct ehci_iso_sched {
>   * acts like a qh would, if EHCI had them for ISO.
>   */
>  struct ehci_iso_stream {
> -	/* first two fields match QH, but info1 == 0 */
> -	__hc32			hw_next;
> -	__hc32			hw_info1;
> +	/* first field matches ehci_qh; points to fake_qh_hw */
> +	struct ehci_qh_hw	*fake_hw;
>  
>  	u32			refcount;
>  	u8			bEndpointAddress;
> @@ -431,6 +430,12 @@ struct ehci_iso_stream {
>  
>  	/* this is used to initialize sITD's tt info */
>  	__hc32			address;
> +
> +	struct {
> +		/* first two fields match ehci_qh_hw, but info1 == 0 */
> +		__hc32		hw_next;
> +		__hc32		hw_info1;
> +	} fake_qh_hw;
>  };
>  
>  /*-------------------------------------------------------------------------*/
> --- linux/drivers/usb/host/ehci-sched.c
> +++ linux/drivers/usb/host/ehci-sched.c
> @@ -932,6 +932,7 @@ iso_stream_alloc (gfp_t mem_flags)
>  		INIT_LIST_HEAD(&stream->free_list);
>  		stream->next_uframe = -1;
>  		stream->refcount = 1;
> +		stream->fake_hw = (struct ehci_qh_hw *)&stream->fake_qh_hw;

This is silly.  It's ridiculous to allocate two unused words in every
ehci_iso_stream structure just to have something to point at.  Why not
instead replace the test for qh->hw->hw_info1 == 0 with a test for
qh->hw == NULL?

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html