From patchwork Mon Dec 5 07:51:49 2016
X-Patchwork-Submitter: "\(Exiting\) Baolin Wang"
X-Patchwork-Id: 86509
From: Baolin Wang
To: mathias.nyman@intel.com, gregkh@linuxfoundation.org
Cc: baolu.lu@linux.intel.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, broonie@kernel.org, baolin.wang@linaro.org
Subject: [PATCH 1/2] usb: host: xhci: Fix possible wild pointer when handling abort command
Date: Mon, 5 Dec 2016 15:51:49 +0800
X-Mailing-List: linux-usb@vger.kernel.org

When the current command was supposed to be aborted, the host will free the command in the handle_cmd_completion() function. But it might still be referenced by xhci->current_cmd, which needs to be set to NULL.

Signed-off-by: Baolin Wang
---
This patch is based on Lu Baolu's new fix patch:
usb: xhci: fix possible wild pointer
https://www.spinics.net/lists/linux-usb/msg150219.html
---
 drivers/usb/host/xhci-ring.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--
1.7.9.5

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 62dd1c7..9965a4c 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1362,8 +1362,11 @@ static void handle_cmd_completion(struct xhci_hcd *xhci, */ if (cmd_comp_code == COMP_CMD_ABORT) { xhci->cmd_ring_state = CMD_RING_STATE_STOPPED; - if (cmd->status == COMP_CMD_ABORT) + if (cmd->status == COMP_CMD_ABORT) { + if (xhci->current_cmd == cmd) + xhci->current_cmd = NULL; goto event_handled; + } } cmd_type = TRB_FIELD_TO_TYPE(le32_to_cpu(cmd_trb->generic.field[3]));
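Review bot: The reset of xhci->current_cmd is placed only inside the "if (cmd->status == COMP_CMD_ABORT)" branch ahead of "goto event_handled", while the free that the changelog refers to is not part of this hunk. If the command is released at the event_handled label, clearing the pointer next to that release, still guarded by "xhci->current_cmd == cmd", would cover every path that jumps there instead of this one branch. The changelog should also name the code that later dereferences the stale xhci->current_cmd so the window can be confirmed, and the dependency on Lu Baolu's fix patch belongs in the commit message itself, since text below the --- line is dropped when the patch is applied.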