> -----Original Message-----
> From: Sarah Sharp [mailto:sarah.a.sharp@xxxxxxxxxxxxxxx]
> Sent: Thursday, April 04, 2013 9:33 AM
> To: Aguirre Rodriguez, Sergio A
> Cc: linux-usb@xxxxxxxxxxxxxxx
> Subject: Re: [PATCH] xhci: prevent from potential null pointer dereference
> on failed init
>
> Hi Sergio,

Hi Sarah,

>
> Thanks for catching this! However, the inline comment is a bit much for a
> simple NULL pointer check. Can you remove the comment and resubmit this
> patch?

Sure, no problem. I'll do that and resubmit.

Regards,
Sergio

>
> Thanks,
> Sarah Sharp
>
> On Wed, Apr 03, 2013 at 03:52:07PM -0700, Sergio Aguirre wrote:
> > It is possible that we fail on xhci_mem_init, just before doing the
> > INIT_LIST_HEAD, and calling xhci_mem_cleanup.
> >
> > Problem is that, the list_for_each_entry_safe macro, dereferences next
> > assuming is not NULL (which is the case for a uninitialized list).
> >
> > Let's protect from that.
> >
> > Signed-off-by: Sergio Aguirre <sergio.a.aguirre.rodriguez@xxxxxxxxx>
> > ---
> > drivers/usb/host/xhci-mem.c | 14 +++++++++++---
> > 1 file changed, 11 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
> > index 6dc238c..0f701f7 100644
> > --- a/drivers/usb/host/xhci-mem.c
> > +++ b/drivers/usb/host/xhci-mem.c
> > @@ -1820,9 +1820,17 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) > > scratchpad_free(xhci); > > > > spin_lock_irqsave(&xhci->lock, flags); > > - list_for_each_entry_safe(dev_info, next, &xhci->lpm_failed_devs, > list) { > > - list_del(&dev_info->list); > > - kfree(dev_info); > > + /* > > + * It is possible that we fail during xhci_mem_init, just before > > + * initializing the list head, and causing a NULL pointer dereference > > + * on below macro. So, let's be safe, and do a simple null check here. > > + */ > > + if (xhci->lpm_failed_devs.next) { > > + list_for_each_entry_safe(dev_info, next, > > + &xhci->lpm_failed_devs, list) { > > + list_del(&dev_info->list); > > + kfree(dev_info); > > + } > > } > > spin_unlock_irqrestore(&xhci->lock, flags); > > > > -- > > 1.7.9.5 > >
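Review bot: the new guard "if (xhci->lpm_failed_devs.next)" in xhci_mem_cleanup() only protects the loop when the list head is all zeroes at the time xhci_mem_init() fails, and nothing in these lines shows that; a non-zero but uninitialized next pointer would still be walked by list_for_each_entry_safe(). Testing the list_head's internal pointer also makes the cleanup path depend on the init order. Consider moving INIT_LIST_HEAD(&xhci->lpm_failed_devs) ahead of the first failure path in xhci_mem_init() so the list is always valid when cleanup runs and the original three-line loop can stay as it was. If the guard is kept, the five-line comment above it can go, as already requested in this thread.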