It is possible that we fail on xhci_mem_init, just before doing
the INIT_LIST_HEAD, and calling xhci_mem_cleanup.
Problem is that, the list_for_each_entry_safe macro, dereferences next
assuming is not NULL (which is the case for a uninitialized list).
Let's protect from that.
Signed-off-by: Sergio Aguirre <sergio.a.aguirre.rodriguez@xxxxxxxxx>
---
drivers/usb/host/xhci-mem.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index 6dc238c..0f701f7 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1820,9 +1820,17 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
scratchpad_free(xhci);
spin_lock_irqsave(&xhci->lock, flags);
- list_for_each_entry_safe(dev_info, next, &xhci->lpm_failed_devs, list) {
- list_del(&dev_info->list);
- kfree(dev_info);
+ /*
+ * It is possible that we fail during xhci_mem_init, just before
+ * initializing the list head, and causing a NULL pointer dereference
+ * on below macro. So, let's be safe, and do a simple null check here.
+ */
+ if (xhci->lpm_failed_devs.next) {
+ list_for_each_entry_safe(dev_info, next,
+ &xhci->lpm_failed_devs, list) {
+ list_del(&dev_info->list);
+ kfree(dev_info);
+ }
}
spin_unlock_irqrestore(&xhci->lock, flags);
--
1.7.9.5
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
