From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Takashi Iwai <tiwai@suse.de>,
Sarah Sharp <sarah.a.sharp@linux.intel.com>,
Oliver Neukum <oneukum@suse.de>
Subject: [ 29/61] xhci: Fix invalid loop check in xhci_free_tt_info()
Date: Wed, 20 Jun 2012 10:30:49 -0700 [thread overview]
Message-ID: <20120620173023.426251194@linuxfoundation.org> (raw)
In-Reply-To: <20120620173033.GA5634@kroah.com>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 46ed8f00d8982e49f8fe2c1a9cea192f640cb3ba upstream.
xhci_free_tt_info() may access the invalid memory when it removes the
last entry but the list is not empty. Then tt_next reaches to the
list head but it still tries to check the tt_info of that entry.
This patch fixes the bug and cleans up the messy code by rewriting
with a simple list_for_each_entry_safe().
This patch should be backported to kernels as old as 3.2, that contain
the commit 839c817ce67178ca3c7c7ad534c571bba1e69ebe "xhci: Store
information about roothubs and TTs."
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Reviewed-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-mem.c | 39 ++++++++++-----------------------------
1 file changed, 10 insertions(+), 29 deletions(-)
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -793,10 +793,9 @@ static void xhci_free_tt_info(struct xhc
struct xhci_virt_device *virt_dev,
int slot_id)
{
- struct list_head *tt;
struct list_head *tt_list_head;
- struct list_head *tt_next;
- struct xhci_tt_bw_info *tt_info;
+ struct xhci_tt_bw_info *tt_info, *next;
+ bool slot_found = false;
/* If the device never made it past the Set Address stage,
* it may not have the real_port set correctly.
@@ -808,34 +807,16 @@ static void xhci_free_tt_info(struct xhc
}
tt_list_head = &(xhci->rh_bw[virt_dev->real_port - 1].tts);
- if (list_empty(tt_list_head))
- return;
-
- list_for_each(tt, tt_list_head) {
- tt_info = list_entry(tt, struct xhci_tt_bw_info, tt_list);
- if (tt_info->slot_id == slot_id)
+ list_for_each_entry_safe(tt_info, next, tt_list_head, tt_list) {
+ /* Multi-TT hubs will have more than one entry */
+ if (tt_info->slot_id == slot_id) {
+ slot_found = true;
+ list_del(&tt_info->tt_list);
+ kfree(tt_info);
+ } else if (slot_found) {
break;
+ }
}
- /* Cautionary measure in case the hub was disconnected before we
- * stored the TT information.
- */
- if (tt_info->slot_id != slot_id)
- return;
-
- tt_next = tt->next;
- tt_info = list_entry(tt, struct xhci_tt_bw_info,
- tt_list);
- /* Multi-TT hubs will have more than one entry */
- do {
- list_del(tt);
- kfree(tt_info);
- tt = tt_next;
- if (list_empty(tt_list_head))
- break;
- tt_next = tt->next;
- tt_info = list_entry(tt, struct xhci_tt_bw_info,
- tt_list);
- } while (tt_info->slot_id == slot_id);
}
int xhci_alloc_tt_info(struct xhci_hcd *xhci,
next prev parent reply other threads:[~2012-06-20 18:22 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-20 17:30 [ 00/61] 3.4.4-stable review Greg KH
2012-06-20 17:30 ` [ 01/61] ARM i.MX53: Fix PLL4 base address Greg KH
2012-06-20 17:30 ` [ 02/61] ARM: imx6: exit coherency when shutting down a cpu Greg KH
2012-06-20 17:30 ` [ 03/61] ARM i.MX imx21ads: Fix overlapping static i/o mappings Greg KH
2012-06-20 17:30 ` [ 04/61] Revert "drm/i915/dp: Use auxch precharge value of 5 everywhere" Greg KH
2012-06-20 18:51 ` Adam Jackson
2012-06-20 19:01 ` Greg KH
2012-06-21 11:48 ` Wouter M. Koolen
2012-06-20 17:30 ` [ 05/61] drm/radeon: add some additional 6xx/7xx/EG register init Greg KH
2012-06-20 17:30 ` [ 06/61] drm via: initialize object_idr Greg KH
2012-06-20 17:30 ` [ 07/61] drm/udl: only bind to the video devices on the hub Greg KH
2012-06-20 17:30 ` [ 08/61] drm sis: initialize object_idr Greg KH
2012-06-20 17:30 ` [ 09/61] xen/hvc: Collapse error logic Greg KH
2012-06-20 17:30 ` [ 10/61] xen/hvc: Fix error cases around HVM_PARAM_CONSOLE_PFN Greg KH
2012-06-20 17:30 ` [ 11/61] xen/hvc: Check HVM_PARAM_CONSOLE_[EVTCHN|PFN] for correctness Greg KH
2012-06-20 17:30 ` [ 12/61] xen/setup: filter APERFMPERF cpuid feature out Greg KH
2012-06-20 17:30 ` [ 13/61] NFSv4.1: Fix a request leak on the back channel Greg KH
2012-06-20 17:30 ` [ 14/61] NFSv4: Fix unnecessary delegation returns in nfs4_do_open Greg KH
2012-06-20 17:30 ` [ 15/61] nfsd4: BUG_ON(!is_spin_locked()) no good on UP kernels Greg KH
2012-06-20 17:30 ` [ 16/61] tracing: Have tracing_off() actually turn tracing off Greg KH
2012-06-20 17:30 ` [ 17/61] rpc_pipefs: allow rpc_purge_list to take a NULL waitq pointer Greg KH
2012-06-20 17:30 ` [ 18/61] SCSI: mpt2sas: Fix unsafe using smp_processor_id() in preemptible Greg KH
2012-06-20 17:30 ` [ 19/61] swap: fix shmem swapping when more than 8 areas Greg KH
2012-06-20 17:30 ` [ 20/61] USB: option: Add Vodafone/Huawei K5005 support Greg KH
2012-06-20 17:30 ` [ 21/61] USB: option: Updated Huawei K4605 has better id Greg KH
2012-06-20 17:30 ` [ 22/61] USB: option: add more YUGA device ids Greg KH
2012-06-20 17:30 ` [ 23/61] USB: option: fix memory leak Greg KH
2012-06-20 17:30 ` [ 24/61] USB: option: fix port-data abuse Greg KH
2012-06-20 17:30 ` [ 25/61] kdump: Execute kmsg_dump(KMSG_DUMP_PANIC) after smp_send_stop() Greg KH
2012-06-20 17:30 ` [ 26/61] hfsplus: fix overflow in sector calculations in hfsplus_submit_bio Greg KH
2012-06-20 17:30 ` [ 27/61] hfsplus: fix bless ioctl when used with hardlinks Greg KH
2012-06-20 17:30 ` [ 28/61] Make hard_irq_disable() actually hard-disable interrupts Greg KH
2012-06-20 17:30 ` Greg KH [this message]
2012-06-20 17:30 ` [ 30/61] xhci: Dont free endpoints in xhci_mem_cleanup() Greg KH
2012-06-20 17:30 ` [ 31/61] xHCI: Increase the timeout for controller save/restore state operation Greg KH
2012-06-20 17:30 ` [ 32/61] usb-storage: Add 090c:1000 to unusal-devs Greg KH
2012-06-20 17:30 ` [ 33/61] USB: mos7840: Fix compilation of usb serial driver Greg KH
2012-06-20 17:30 ` [ 34/61] USB: qcserial: Add Sierra Wireless device IDs Greg KH
2012-06-20 17:30 ` [ 35/61] USB: mct_u232: Fix incorrect TIOCMSET return Greg KH
2012-06-20 17:30 ` [ 36/61] usb: musb: davinci: Fix build breakage Greg KH
2012-06-20 17:30 ` [ 37/61] usb: musb_gadget: fix crash caused by dangling pointer Greg KH
2012-06-20 17:30 ` [ 38/61] USB: fix PS3 EHCI systems Greg KH
2012-06-20 17:30 ` [ 39/61] USB: serial: cp210x: add Optris MS Pro usb id Greg KH
2012-06-20 17:31 ` [ 40/61] USB: ftdi-sio: Add support for RT Systems USB-RTS01 serial adapter Greg KH
2012-06-20 17:31 ` [ 41/61] USB: add NO_D3_DURING_SLEEP flag and revert 151b61284776be2 Greg KH
2012-06-20 17:31 ` [ 42/61] USB: cdc-wdm: Add Vodafone/Huawei K5005 support Greg KH
2012-06-20 17:31 ` [ 43/61] usb: cdc-acm: fix devices not unthrottled on open Greg KH
2012-06-20 17:31 ` [ 44/61] USB: serial: sierra: Add support for Sierra Wireless AirCard 320U modem Greg KH
2012-06-20 17:31 ` [ 45/61] USB: serial: Enforce USB driver and USB serial driver match Greg KH
2012-06-20 17:31 ` [ 46/61] USB: fix gathering of interface associations Greg KH
2012-06-20 17:31 ` [ 47/61] ASoC: wm8904: Fix GPIO and MICBIAS initialisation for regmap conversion Greg KH
2012-06-20 17:31 ` [ 48/61] hwrng: atmel-rng - fix data valid check Greg KH
2012-06-20 17:31 ` Greg KH
2012-06-20 17:31 ` [ 49/61] edac: avoid mce decoding crash after edac driver unloaded Greg KH
2012-06-20 17:31 ` [ 50/61] edac: fix the error about memory type detection on SandyBridge Greg KH
2012-06-20 17:31 ` [ 51/61] 9p: BUG before corrupting memory Greg KH
2012-06-20 17:31 ` [ 52/61] remoteproc/omap: fix dev_err typo Greg KH
2012-06-20 17:31 ` [ 53/61] remoteproc: fix print format warnings Greg KH
2012-06-20 17:31 ` [ 54/61] remoteproc: fix missing fault indication in error-path Greg KH
2012-06-20 17:31 ` [ 55/61] e1000e: Disable ASPM L1 on 82574 Greg KH
2012-06-20 17:31 ` [ 56/61] e1000e: Remove special case for 82573/82574 ASPM L1 disablement Greg KH
2012-06-20 17:31 ` [ 57/61] ntp: Correct TAI offset during leap second Greg KH
2012-06-20 17:31 ` [ 58/61] iwlwifi: fix the Transmit Frame Descriptor rings Greg KH
2012-06-20 17:31 ` [ 59/61] iwlwifi: use correct supported firmware for 6035 and 6000g2 Greg KH
2012-06-20 17:31 ` [ 60/61] iwlwifi: fix TX power antenna access Greg KH
2012-06-20 17:31 ` [ 61/61] target: Return error to initiator if SET TARGET PORT GROUPS emulation fails Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120620173023.426251194@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=oneukum@suse.de \
--cc=sarah.a.sharp@linux.intel.com \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.