Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp4837630pxb; Mon, 28 Mar 2022 04:21:21 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzjeJVWkHemUKpKXpBrJNeCUl9OAh6nVG7JTXt8SoAaN6KcnRVhGGglCdjMdhEAoMxxTN4M X-Received: by 2002:a17:907:72c3:b0:6df:91a4:32f4 with SMTP id du3-20020a17090772c300b006df91a432f4mr27151074ejc.638.1648466481396; Mon, 28 Mar 2022 04:21:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1648466481; cv=none; d=google.com; s=arc-20160816; b=06+oIPZ8JufU838RQB3SNlDr24FmMjuIO/tMBSNWeDyKw5lWj6b8h5k3//nXf/gy3F NK1G/fZuA8xfLTRHuPxzvjOpEo+Rj9p0kA2IJHlrJoJJa7J3AvY4/EcqRjefDvE4U1Xy Y6mSNj9E2ZhDfwAzwYZdB9EcMt/KcbiNCl/iGQrLyZXMP//GZPa1VY6mbH6DmqL2izK2 SMNIIlxRjZjYtfiD2jOqfzS0syBZSoT/PcNhTfhFe0y77m9kjaHqpv5+r90GP5S4lufo eYPCmnkLpQcvSyOjMK5LCxEkT8ICT7ThCWZvYOoCVja/uwoV9c86z2jqN8ihp8PazRBD DXFQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:subject:cc:to:from :dkim-signature; bh=dr1pfWEjH/LtXsB7tWBt6bQIyc8GynNaruocx5UK+p4=; b=MjkUElTJnCqNag/td8WckJ0K01VYRzIdQZ6RWEUL2aC24Odb5LZKc9C4u6HyXd+Gno YzlDa4QCIhTCy21cSIzV880/8JECAoYEh4rz5PdsUrljje6Cxs3qlXYgNl2mgSzIG+i9 HjYRgeFpNBt+Z3a1bfEy5eU86HfDaYTV3W1jd4mwxFvi6YKKFlCd7xYhbqul+HHRYAUT z/vTmNl9/auhFz2ecNzrypvoi8ZClgOu+AkNMJ0yuqo93uMjjeXMzLw01PEbkNoFk1Ww 4+6vd9n5X+DCwVZJ64NTUHLSmH7sbAs4ITPgGgRDGl2dHpuus0QJ11jx3SKmc2XH/Afr Vnog== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=NrLU0Tud; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y19-20020a056402441300b00419dbec993fsi5370330eda.374.2022.03.28.04.20.55; Mon, 28 Mar 2022 04:21:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=NrLU0Tud; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235259AbiC0G0S (ORCPT + 99 others); Sun, 27 Mar 2022 02:26:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56300 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229485AbiC0G0R (ORCPT ); Sun, 27 Mar 2022 02:26:17 -0400 Received: from mail-pj1-x102d.google.com (mail-pj1-x102d.google.com [IPv6:2607:f8b0:4864:20::102d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3CDBA2B6; Sat, 26 Mar 2022 23:24:39 -0700 (PDT) Received: by mail-pj1-x102d.google.com with SMTP id gb19so11194529pjb.1; Sat, 26 Mar 2022 23:24:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id; bh=dr1pfWEjH/LtXsB7tWBt6bQIyc8GynNaruocx5UK+p4=; b=NrLU0Tud7dKyPrRn8FqNdKPZ7B+J9NM5tUooHHg3BkdUnZcMyXyEWggcERwvymf/D5 NHttV+aFJg3cbs6CYTIPfr6oAxg1Uik0CQ5xkH6Pk8XYDOOtm0Sc+VPIDE8v5FIcDER4 ujPKjNuz0Im4hQ5LXHN+57P1RWpXRdLtM3HNNeNaIr8RIulQStfCfLil2W2gN7rXDTfL qqFGTlabkl4FVmxP8AM/qfqWNnAshka/ZgPMYw974Yl1LonF47klbzkITdVK6S87SVZh pGxeGJHwamPBf0b9qkfcoMoMnpQTuRIIurLdpeOiEeyDEfQFSElvZxFP9ZNzo2CTM9mw yELw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=dr1pfWEjH/LtXsB7tWBt6bQIyc8GynNaruocx5UK+p4=; b=wRbHMkWSlgb9XGm9OLhLhivtyNvvoS3TnvaGCmNIU9b2OML0VlXYsx4LcOZGzZO6Gx vbjm9SLtLX/b9qxUPMvqbLPs0nQHyf3y/3DpdGMJlDQ7sx5LyB2zhe3HQuhyZcT622V/ FlshoQRbYQYnZ4Unfj/zUoqEHftE/xEjpqPQus3qmmcdtj5SWj+9rp5YgClBrRbqRBnL Q4RbE9i0NW76L9CGABU9IPDO4XWSIYtS8yJn2F4eKPFXPJqbCvyFFt/NPc+unYOEJsB+ 38ccrqGgal9PUEcwXt1PnneTaTQdeNtD1DNSIr8tDO0YtIdc0f9k9LrNfrBEiurq9B8A QsPw== X-Gm-Message-State: AOAM533ZlAFZHvP/VYE51Sm7Zbd95Gb+tn6j4RsIBdeb0gfrj6/cBikU Brgr7oN2E+CHICAR+Co/jBw= X-Received: by 2002:a17:90a:ca96:b0:1c6:b478:788e with SMTP id y22-20020a17090aca9600b001c6b478788emr22401255pjt.162.1648362278797; Sat, 26 Mar 2022 23:24:38 -0700 (PDT) Received: from localhost.localdomain ([115.220.243.108]) by smtp.googlemail.com with ESMTPSA id l5-20020a056a0016c500b004f768db4c94sm12228443pfc.212.2022.03.26.23.24.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 26 Mar 2022 23:24:38 -0700 (PDT) From: Xiaomeng Tong To: balbi@kernel.org Cc: gregkh@linuxfoundation.org, joel@jms.id.au, andrew@aj.id.au, rentao.bupt@gmail.com, caihuoqing@baidu.com, benh@kernel.crashing.org, linux-usb@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-aspeed@lists.ozlabs.org, linux-kernel@vger.kernel.org, Xiaomeng Tong , stable@vger.kernel.org Subject: [PATCH] aspeed-vhub: epn: fix an incorrect member check on list iterator Date: Sun, 27 Mar 2022 14:24:31 +0800 Message-Id: <20220327062431.5847-1-xiam0nd.tong@gmail.com> X-Mailer: git-send-email 2.17.1 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The bug is here: if (&req->req == u_req) { The list iterator 'req' will point to a bogus position containing HEAD if the list is empty or no element is found. This case must be checked before any use of the iterator, otherwise it may bypass the 'if (&req->req == u_req) {' check in theory, if '*u_req' obj is just allocated in the same addr with '&req->req'. To fix this bug, just mova all thing inside the loop and return 0, otherwise return error. Cc: stable@vger.kernel.org Fixes: 7ecca2a4080cb ("usb/gadget: Add driver for Aspeed SoC virtual hub") Signed-off-by: Xiaomeng Tong --- drivers/usb/gadget/udc/aspeed-vhub/epn.c | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/drivers/usb/gadget/udc/aspeed-vhub/epn.c b/drivers/usb/gadget/udc/aspeed-vhub/epn.c index 917892ca8753..aae4ce3e1029 100644 --- a/drivers/usb/gadget/udc/aspeed-vhub/epn.c +++ b/drivers/usb/gadget/udc/aspeed-vhub/epn.c @@ -468,27 +468,24 @@ static int ast_vhub_epn_dequeue(struct usb_ep* u_ep, struct usb_request *u_req) struct ast_vhub *vhub = ep->vhub; struct ast_vhub_req *req; unsigned long flags; - int rc = -EINVAL; spin_lock_irqsave(&vhub->lock, flags); /* Make sure it's actually queued on this endpoint */ list_for_each_entry (req, &ep->queue, queue) { - if (&req->req == u_req) - break; - } - - if (&req->req == u_req) { - EPVDBG(ep, "dequeue req @%p active=%d\n", - req, req->active); - if (req->active) - ast_vhub_stop_active_req(ep, true); - ast_vhub_done(ep, req, -ECONNRESET); - rc = 0; + if (&req->req == u_req) { + EPVDBG(ep, "dequeue req @%p active=%d\n", + req, req->active); + if (req->active) + ast_vhub_stop_active_req(ep, true); + ast_vhub_done(ep, req, -ECONNRESET); + spin_unlock_irqrestore(&vhub->lock, flags); + return 0; + } } spin_unlock_irqrestore(&vhub->lock, flags); - return rc; + return -EINVAL; } void ast_vhub_update_epn_stall(struct ast_vhub_ep *ep) -- 2.17.1