Hi Sergio,

Thanks for catching this! However, the inline comment is a bit much for a simple NULL pointer check. Can you remove the comment and resubmit this patch?

Thanks,
Sarah Sharp

On Wed, Apr 03, 2013 at 03:52:07PM -0700, Sergio Aguirre wrote:
> It is possible that we fail on xhci_mem_init, just before doing
> the INIT_LIST_HEAD, and calling xhci_mem_cleanup.
>
> Problem is that, the list_for_each_entry_safe macro, dereferences next
> assuming it is not NULL (which is the case for an uninitialized list).
>
> Let's protect from that.
>
> Signed-off-by: Sergio Aguirre <sergio.a.aguirre.rodriguez@xxxxxxxxx>
> --- > drivers/usb/host/xhci-mem.c | 14 +++++++++++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > > diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c > index 6dc238c..0f701f7 100644 > --- a/drivers/usb/host/xhci-mem.c > +++ b/drivers/usb/host/xhci-mem.c > @@ -1820,9 +1820,17 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) > scratchpad_free(xhci); > > spin_lock_irqsave(&xhci->lock, flags); > - list_for_each_entry_safe(dev_info, next, &xhci->lpm_failed_devs, list) { > - list_del(&dev_info->list); > - kfree(dev_info); > + /* > + * It is possible that we fail during xhci_mem_init, just before > + * initializing the list head, and causing a NULL pointer dereference > + * on below macro. So, let's be safe, and do a simple null check here. > + */ > + if (xhci->lpm_failed_devs.next) { > + list_for_each_entry_safe(dev_info, next, > + &xhci->lpm_failed_devs, list) { > + list_del(&dev_info->list); > + kfree(dev_info); > + } > } > spin_unlock_irqrestore(&xhci->lock, flags); > > -- > 1.7.9.5
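
Review bot: The new guard "if (xhci->lpm_failed_devs.next)" in xhci_mem_cleanup() is only reliable if the list head is zero-filled whenever INIT_LIST_HEAD has not yet run, and nothing in this hunk shows that; a head holding stale non-NULL data would pass the check and still be walked by list_for_each_entry_safe. Please state in the commit message where that zeroing guarantee comes from, or avoid the dependency by initializing lpm_failed_devs in xhci_mem_init before the first step that can fail and reach xhci_mem_cleanup. With the head always initialized, the loop can stay unconditional and neither the extra nesting level nor the five-line block comment is needed.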