Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753543AbbLRRx3 (ORCPT <rfc822;w@1wt.eu>);
	Fri, 18 Dec 2015 12:53:29 -0500
Received: from mail2-relais-roc.national.inria.fr ([192.134.164.83]:6196 "EHLO
	mail2-relais-roc.national.inria.fr" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1751674AbbLRRx1 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 18 Dec 2015 12:53:27 -0500
X-IronPort-AV: E=Sophos;i="5.20,447,1444687200"; 
   d="scan'208";a="193029875"
Date: Fri, 18 Dec 2015 18:53:19 +0100 (CET)
From: Julia Lawall <julia.lawall@lip6.fr>
X-X-Sender: jll@hadrien
To: Geliang Tang <geliangtang@163.com>
cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>,
        linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/9] usb: host: max3421-hcd: use list_for_each_entry*
In-Reply-To: <201512190149.tp8A4V4C%fengguang.wu@intel.com>
Message-ID: <alpine.DEB.2.10.1512181851100.2499@hadrien>
References: <201512190149.tp8A4V4C%fengguang.wu@intel.com>
User-Agent: Alpine 2.10 (DEB 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 8627
Lines: 146

Geliang,

Please check whether line 762 can be reached in the case where the
list_for_each_entry reaches the end of the list.  If that can happen,
max3421_ep should not be dereferenced.

julia

On Sat, 19 Dec 2015, kbuild test robot wrote:

> CC: kbuild-all@01.org
> In-Reply-To: <45e8397e370ed99ceb8aa1719c2b56a7ce741eb3.1450455485.git.geliangtang@163.com>
> TO: Geliang Tang <geliangtang@163.com>
> CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
> CC: Geliang Tang <geliangtang@163.com>, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
>
> Hi Geliang,
>
> [auto build test WARNING on usb/usb-testing]
> [also build test WARNING on v4.4-rc5 next-20151218]
>
> url:    https://github.com/0day-ci/linux/commits/Geliang-Tang/usb-host-fotg210-use-list_for_each_entry_safe/20151219-003955
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> :::::: branch date: 66 minutes ago
> :::::: commit date: 66 minutes ago
>
> >> drivers/usb/host/max3421-hcd.c:762:5-15: ERROR: invalid reference to the index variable of the iterator on line 675
>
> git remote add linux-review https://github.com/0day-ci/linux
> git remote update linux-review
> git checkout 610e92adf2a45ef78039582494d8023f385d12ec
> vim +762 drivers/usb/host/max3421-hcd.c
>
> 2d53139f David Mosberger 2014-04-28  669
> 2d53139f David Mosberger 2014-04-28  670  	spin_lock_irqsave(&max3421_hcd->lock, flags);
> 2d53139f David Mosberger 2014-04-28  671
> 2d53139f David Mosberger 2014-04-28  672  	for (;
> 2d53139f David Mosberger 2014-04-28  673  	     max3421_hcd->sched_pass < SCHED_PASS_DONE;
> 2d53139f David Mosberger 2014-04-28  674  	     ++max3421_hcd->sched_pass)
> 610e92ad Geliang Tang    2015-12-19 @675  		list_for_each_entry(max3421_ep, &max3421_hcd->ep_list,
> 610e92ad Geliang Tang    2015-12-19  676  				    ep_list) {
> 2d53139f David Mosberger 2014-04-28  677  			urb = NULL;
> 2d53139f David Mosberger 2014-04-28  678  			ep = max3421_ep->ep;
> 2d53139f David Mosberger 2014-04-28  679
> 2d53139f David Mosberger 2014-04-28  680  			switch (usb_endpoint_type(&ep->desc)) {
> 2d53139f David Mosberger 2014-04-28  681  			case USB_ENDPOINT_XFER_ISOC:
> 2d53139f David Mosberger 2014-04-28  682  			case USB_ENDPOINT_XFER_INT:
> 2d53139f David Mosberger 2014-04-28  683  				if (max3421_hcd->sched_pass !=
> 2d53139f David Mosberger 2014-04-28  684  				    SCHED_PASS_PERIODIC)
> 2d53139f David Mosberger 2014-04-28  685  					continue;
> 2d53139f David Mosberger 2014-04-28  686  				break;
> 2d53139f David Mosberger 2014-04-28  687
> 2d53139f David Mosberger 2014-04-28  688  			case USB_ENDPOINT_XFER_CONTROL:
> 2d53139f David Mosberger 2014-04-28  689  			case USB_ENDPOINT_XFER_BULK:
> 2d53139f David Mosberger 2014-04-28  690  				if (max3421_hcd->sched_pass !=
> 2d53139f David Mosberger 2014-04-28  691  				    SCHED_PASS_NON_PERIODIC)
> 2d53139f David Mosberger 2014-04-28  692  					continue;
> 2d53139f David Mosberger 2014-04-28  693  				break;
> 2d53139f David Mosberger 2014-04-28  694  			}
> 2d53139f David Mosberger 2014-04-28  695
> 2d53139f David Mosberger 2014-04-28  696  			if (list_empty(&ep->urb_list))
> 2d53139f David Mosberger 2014-04-28  697  				continue;	/* nothing to do */
> 2d53139f David Mosberger 2014-04-28  698  			urb = list_first_entry(&ep->urb_list, struct urb,
> 2d53139f David Mosberger 2014-04-28  699  					       urb_list);
> 2d53139f David Mosberger 2014-04-28  700  			if (urb->unlinked) {
> 2d53139f David Mosberger 2014-04-28  701  				dev_dbg(&spi->dev, "%s: URB %p unlinked=%d",
> 2d53139f David Mosberger 2014-04-28  702  					__func__, urb, urb->unlinked);
> 2d53139f David Mosberger 2014-04-28  703  				max3421_hcd->curr_urb = urb;
> 2d53139f David Mosberger 2014-04-28  704  				max3421_hcd->urb_done = 1;
> 2d53139f David Mosberger 2014-04-28  705  				spin_unlock_irqrestore(&max3421_hcd->lock,
> 2d53139f David Mosberger 2014-04-28  706  						       flags);
> 2d53139f David Mosberger 2014-04-28  707  				return 1;
> 2d53139f David Mosberger 2014-04-28  708  			}
> 2d53139f David Mosberger 2014-04-28  709
> 2d53139f David Mosberger 2014-04-28  710  			switch (usb_endpoint_type(&ep->desc)) {
> 2d53139f David Mosberger 2014-04-28  711  			case USB_ENDPOINT_XFER_CONTROL:
> 2d53139f David Mosberger 2014-04-28  712  				/*
> 2d53139f David Mosberger 2014-04-28  713  				 * Allow one control transaction per
> 2d53139f David Mosberger 2014-04-28  714  				 * frame per endpoint:
> 2d53139f David Mosberger 2014-04-28  715  				 */
> 2d53139f David Mosberger 2014-04-28  716  				if (frame_diff(max3421_ep->last_active,
> 2d53139f David Mosberger 2014-04-28  717  					       max3421_hcd->frame_number) == 0)
> 2d53139f David Mosberger 2014-04-28  718  					continue;
> 2d53139f David Mosberger 2014-04-28  719  				break;
> 2d53139f David Mosberger 2014-04-28  720
> 2d53139f David Mosberger 2014-04-28  721  			case USB_ENDPOINT_XFER_BULK:
> 2d53139f David Mosberger 2014-04-28  722  				if (max3421_ep->retransmit
> 2d53139f David Mosberger 2014-04-28  723  				    && (frame_diff(max3421_ep->last_active,
> 2d53139f David Mosberger 2014-04-28  724  						   max3421_hcd->frame_number)
> 2d53139f David Mosberger 2014-04-28  725  					== 0))
> 2d53139f David Mosberger 2014-04-28  726  					/*
> 2d53139f David Mosberger 2014-04-28  727  					 * We already tried this EP
> 2d53139f David Mosberger 2014-04-28  728  					 * during this frame and got a
> 2d53139f David Mosberger 2014-04-28  729  					 * NAK or error; wait for next frame
> 2d53139f David Mosberger 2014-04-28  730  					 */
> 2d53139f David Mosberger 2014-04-28  731  					continue;
> 2d53139f David Mosberger 2014-04-28  732  				break;
> 2d53139f David Mosberger 2014-04-28  733
> 2d53139f David Mosberger 2014-04-28  734  			case USB_ENDPOINT_XFER_ISOC:
> 2d53139f David Mosberger 2014-04-28  735  			case USB_ENDPOINT_XFER_INT:
> 2d53139f David Mosberger 2014-04-28  736  				if (frame_diff(max3421_hcd->frame_number,
> 2d53139f David Mosberger 2014-04-28  737  					       max3421_ep->last_active)
> 2d53139f David Mosberger 2014-04-28  738  				    < urb->interval)
> 2d53139f David Mosberger 2014-04-28  739  					/*
> 2d53139f David Mosberger 2014-04-28  740  					 * We already processed this
> 2d53139f David Mosberger 2014-04-28  741  					 * end-point in the current
> 2d53139f David Mosberger 2014-04-28  742  					 * frame
> 2d53139f David Mosberger 2014-04-28  743  					 */
> 2d53139f David Mosberger 2014-04-28  744  					continue;
> 2d53139f David Mosberger 2014-04-28  745  				break;
> 2d53139f David Mosberger 2014-04-28  746  			}
> 2d53139f David Mosberger 2014-04-28  747
> 2d53139f David Mosberger 2014-04-28  748  			/* move current ep to tail: */
> 610e92ad Geliang Tang    2015-12-19  749  			list_move_tail(&max3421_ep->ep_list,
> 610e92ad Geliang Tang    2015-12-19  750  				       &max3421_hcd->ep_list);
> 2d53139f David Mosberger 2014-04-28  751  			curr_urb = urb;
> 2d53139f David Mosberger 2014-04-28  752  			goto done;
> 2d53139f David Mosberger 2014-04-28  753  		}
> 2d53139f David Mosberger 2014-04-28  754  done:
> 2d53139f David Mosberger 2014-04-28  755  	if (!curr_urb) {
> 2d53139f David Mosberger 2014-04-28  756  		spin_unlock_irqrestore(&max3421_hcd->lock, flags);
> 2d53139f David Mosberger 2014-04-28  757  		return 0;
> 2d53139f David Mosberger 2014-04-28  758  	}
> 2d53139f David Mosberger 2014-04-28  759
> 2d53139f David Mosberger 2014-04-28  760  	urb = max3421_hcd->curr_urb = curr_urb;
> 2d53139f David Mosberger 2014-04-28  761  	epnum = usb_endpoint_num(&urb->ep->desc);
> 2d53139f David Mosberger 2014-04-28 @762  	if (max3421_ep->retransmit)
> 2d53139f David Mosberger 2014-04-28  763  		/* restart (part of) a USB transaction: */
> 2d53139f David Mosberger 2014-04-28  764  		max3421_ep->retransmit = 0;
> 2d53139f David Mosberger 2014-04-28  765  	else {
>
> :::::: The code at line 762 was first introduced by commit
> :::::: 2d53139f31626bad6f8983d8e519ddde2cbba921 Add support for using a MAX3421E chip as a host driver.
>
> :::::: TO: David Mosberger <davidm@egauge.net>
> :::::: CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> ---
> 0-DAY kernel test infrastructure                Open Source Technology Center
> https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/