Re: [PATCH 2/9] usb: host: max3421-hcd: use list_for_each_entry*

From: Julia Lawall
Date: Fri Dec 18 2015 - 12:53:31 EST

Geliang,

Please check whether line 762 can be reached in the case where the
list_for_each_entry reaches the end of the list. If that can happen,
max3421_ep should not be dereferenced.

julia

On Sat, 19 Dec 2015, kbuild test robot wrote:

> CC: kbuild-all@xxxxxx
> In-Reply-To: <45e8397e370ed99ceb8aa1719c2b56a7ce741eb3.1450455485.git.geliangtang@xxxxxxx>
> TO: Geliang Tang <geliangtang@xxxxxxx>
> CC: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Sergei Shtylyov <sergei.shtylyov@xxxxxxxxxxxxxxxxxx>
> CC: Geliang Tang <geliangtang@xxxxxxx>, linux-usb@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
>
> Hi Geliang,
>
> [auto build test WARNING on usb/usb-testing]
> [also build test WARNING on v4.4-rc5 next-20151218]
>
> url: https://github.com/0day-ci/linux/commits/Geliang-Tang/usb-host-fotg210-use-list_for_each_entry_safe/20151219-003955
> base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> :::::: branch date: 66 minutes ago
> :::::: commit date: 66 minutes ago
>
> >> drivers/usb/host/max3421-hcd.c:762:5-15: ERROR: invalid reference to the index variable of the iterator on line 675
>
> git remote add linux-review https://github.com/0day-ci/linux
> git remote update linux-review
> git checkout 610e92adf2a45ef78039582494d8023f385d12ec
> vim +762 drivers/usb/host/max3421-hcd.c
>
> 2d53139f David Mosberger 2014-04-28 669
> 2d53139f David Mosberger 2014-04-28 670 spin_lock_irqsave(&max3421_hcd->lock, flags);
> 2d53139f David Mosberger 2014-04-28 671
> 2d53139f David Mosberger 2014-04-28 672 for (;
> 2d53139f David Mosberger 2014-04-28 673 max3421_hcd->sched_pass < SCHED_PASS_DONE;
> 2d53139f David Mosberger 2014-04-28 674 ++max3421_hcd->sched_pass)
> 610e92ad Geliang Tang 2015-12-19 @675 list_for_each_entry(max3421_ep, &max3421_hcd->ep_list,
> 610e92ad Geliang Tang 2015-12-19 676 ep_list) {
> 2d53139f David Mosberger 2014-04-28 677 urb = NULL;
> 2d53139f David Mosberger 2014-04-28 678 ep = max3421_ep->ep;
> 2d53139f David Mosberger 2014-04-28 679
> 2d53139f David Mosberger 2014-04-28 680 switch (usb_endpoint_type(&ep->desc)) {
> 2d53139f David Mosberger 2014-04-28 681 case USB_ENDPOINT_XFER_ISOC:
> 2d53139f David Mosberger 2014-04-28 682 case USB_ENDPOINT_XFER_INT:
> 2d53139f David Mosberger 2014-04-28 683 if (max3421_hcd->sched_pass !=
> 2d53139f David Mosberger 2014-04-28 684 SCHED_PASS_PERIODIC)
> 2d53139f David Mosberger 2014-04-28 685 continue;
> 2d53139f David Mosberger 2014-04-28 686 break;
> 2d53139f David Mosberger 2014-04-28 687
> 2d53139f David Mosberger 2014-04-28 688 case USB_ENDPOINT_XFER_CONTROL:
> 2d53139f David Mosberger 2014-04-28 689 case USB_ENDPOINT_XFER_BULK:
> 2d53139f David Mosberger 2014-04-28 690 if (max3421_hcd->sched_pass !=
> 2d53139f David Mosberger 2014-04-28 691 SCHED_PASS_NON_PERIODIC)
> 2d53139f David Mosberger 2014-04-28 692 continue;
> 2d53139f David Mosberger 2014-04-28 693 break;
> 2d53139f David Mosberger 2014-04-28 694 }
> 2d53139f David Mosberger 2014-04-28 695
> 2d53139f David Mosberger 2014-04-28 696 if (list_empty(&ep->urb_list))
> 2d53139f David Mosberger 2014-04-28 697 continue; /* nothing to do */
> 2d53139f David Mosberger 2014-04-28 698 urb = list_first_entry(&ep->urb_list, struct urb,
> 2d53139f David Mosberger 2014-04-28 699 urb_list);
> 2d53139f David Mosberger 2014-04-28 700 if (urb->unlinked) {
> 2d53139f David Mosberger 2014-04-28 701 dev_dbg(&spi->dev, "%s: URB %p unlinked=%d",
> 2d53139f David Mosberger 2014-04-28 702 __func__, urb, urb->unlinked);
> 2d53139f David Mosberger 2014-04-28 703 max3421_hcd->curr_urb = urb;
> 2d53139f David Mosberger 2014-04-28 704 max3421_hcd->urb_done = 1;
> 2d53139f David Mosberger 2014-04-28 705 spin_unlock_irqrestore(&max3421_hcd->lock,
> 2d53139f David Mosberger 2014-04-28 706 flags);
> 2d53139f David Mosberger 2014-04-28 707 return 1;
> 2d53139f David Mosberger 2014-04-28 708 }
> 2d53139f David Mosberger 2014-04-28 709
> 2d53139f David Mosberger 2014-04-28 710 switch (usb_endpoint_type(&ep->desc)) {
> 2d53139f David Mosberger 2014-04-28 711 case USB_ENDPOINT_XFER_CONTROL:
> 2d53139f David Mosberger 2014-04-28 712 /*
> 2d53139f David Mosberger 2014-04-28 713 * Allow one control transaction per
> 2d53139f David Mosberger 2014-04-28 714 * frame per endpoint:
> 2d53139f David Mosberger 2014-04-28 715 */
> 2d53139f David Mosberger 2014-04-28 716 if (frame_diff(max3421_ep->last_active,
> 2d53139f David Mosberger 2014-04-28 717 max3421_hcd->frame_number) == 0)
> 2d53139f David Mosberger 2014-04-28 718 continue;
> 2d53139f David Mosberger 2014-04-28 719 break;
> 2d53139f David Mosberger 2014-04-28 720
> 2d53139f David Mosberger 2014-04-28 721 case USB_ENDPOINT_XFER_BULK:
> 2d53139f David Mosberger 2014-04-28 722 if (max3421_ep->retransmit
> 2d53139f David Mosberger 2014-04-28 723 && (frame_diff(max3421_ep->last_active,
> 2d53139f David Mosberger 2014-04-28 724 max3421_hcd->frame_number)
> 2d53139f David Mosberger 2014-04-28 725 == 0))
> 2d53139f David Mosberger 2014-04-28 726 /*
> 2d53139f David Mosberger 2014-04-28 727 * We already tried this EP
> 2d53139f David Mosberger 2014-04-28 728 * during this frame and got a
> 2d53139f David Mosberger 2014-04-28 729 * NAK or error; wait for next frame
> 2d53139f David Mosberger 2014-04-28 730 */
> 2d53139f David Mosberger 2014-04-28 731 continue;
> 2d53139f David Mosberger 2014-04-28 732 break;
> 2d53139f David Mosberger 2014-04-28 733
> 2d53139f David Mosberger 2014-04-28 734 case USB_ENDPOINT_XFER_ISOC:
> 2d53139f David Mosberger 2014-04-28 735 case USB_ENDPOINT_XFER_INT:
> 2d53139f David Mosberger 2014-04-28 736 if (frame_diff(max3421_hcd->frame_number,
> 2d53139f David Mosberger 2014-04-28 737 max3421_ep->last_active)
> 2d53139f David Mosberger 2014-04-28 738 < urb->interval)
> 2d53139f David Mosberger 2014-04-28 739 /*
> 2d53139f David Mosberger 2014-04-28 740 * We already processed this
> 2d53139f David Mosberger 2014-04-28 741 * end-point in the current
> 2d53139f David Mosberger 2014-04-28 742 * frame
> 2d53139f David Mosberger 2014-04-28 743 */
> 2d53139f David Mosberger 2014-04-28 744 continue;
> 2d53139f David Mosberger 2014-04-28 745 break;
> 2d53139f David Mosberger 2014-04-28 746 }
> 2d53139f David Mosberger 2014-04-28 747
> 2d53139f David Mosberger 2014-04-28 748 /* move current ep to tail: */
> 610e92ad Geliang Tang 2015-12-19 749 list_move_tail(&max3421_ep->ep_list,
> 610e92ad Geliang Tang 2015-12-19 750 &max3421_hcd->ep_list);
> 2d53139f David Mosberger 2014-04-28 751 curr_urb = urb;
> 2d53139f David Mosberger 2014-04-28 752 goto done;
> 2d53139f David Mosberger 2014-04-28 753 }
> 2d53139f David Mosberger 2014-04-28 754 done:
> 2d53139f David Mosberger 2014-04-28 755 if (!curr_urb) {
> 2d53139f David Mosberger 2014-04-28 756 spin_unlock_irqrestore(&max3421_hcd->lock, flags);
> 2d53139f David Mosberger 2014-04-28 757 return 0;
> 2d53139f David Mosberger 2014-04-28 758 }
> 2d53139f David Mosberger 2014-04-28 759
> 2d53139f David Mosberger 2014-04-28 760 urb = max3421_hcd->curr_urb = curr_urb;
> 2d53139f David Mosberger 2014-04-28 761 epnum = usb_endpoint_num(&urb->ep->desc);
> 2d53139f David Mosberger 2014-04-28 @762 if (max3421_ep->retransmit)
> 2d53139f David Mosberger 2014-04-28 763 /* restart (part of) a USB transaction: */
> 2d53139f David Mosberger 2014-04-28 764 max3421_ep->retransmit = 0;
> 2d53139f David Mosberger 2014-04-28 765 else {
>
> :::::: The code at line 762 was first introduced by commit
> :::::: 2d53139f31626bad6f8983d8e519ddde2cbba921 Add support for using a MAX3421E chip as a host driver.
>
> :::::: TO: David Mosberger <davidm@xxxxxxxxxx>
> :::::: CC: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
>
> ---
> 0-DAY kernel test infrastructure Open Source Technology Center
> https://lists.01.org/pipermail/kbuild-all Intel Corporation
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/