Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

usb: gadget: bdc: remove usage of list iterator past the loop body

If the list representing the request queue does not contain the expected
request, the value of the list_for_each_entry() iterator will not point
to a valid structure. To avoid type confusion in such case, the list
iterator scope will be limited to the list_for_each_entry() loop.

In preparation to limiting scope of the list iterator to the list traversal
loop, use a dedicated pointer to point to the found request object [1].

Link: https://lore.kernel.org/all/YhdfEIwI4EdtHdym@kroah.com/
Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
Link: https://lore.kernel.org/r/20220308171818.384491-3-jakobkoschel@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by Jakob Koschel and committed by Greg Kroah-Hartman
b6af5544 83888411

+9 -4
drivers/usb/gadget/udc/bdc/bdc_ep.c
··· 1757 1757 struct usb_request *_req) 1758 1758 { 1759 1759 struct bdc_req *req; 1760 + struct bdc_req *iter; 1760 1761 unsigned long flags; 1761 1762 struct bdc_ep *ep; 1762 1763 struct bdc *bdc; ··· 1772 1771 dev_dbg(bdc->dev, "%s ep:%s req:%p\n", __func__, ep->name, req); 1773 1772 bdc_dbg_bd_list(bdc, ep); 1774 1773 spin_lock_irqsave(&bdc->lock, flags); 1774 + 1775 + req = NULL; 1775 1776 /* make sure it's still queued on this endpoint */ 1776 - list_for_each_entry(req, &ep->queue, queue) { 1777 - if (&req->usb_req == _req) 1778 - break; 1777 + list_for_each_entry(iter, &ep->queue, queue) { 1778 + if (&iter->usb_req != _req) 1779 + continue; 1780 + req = iter; 1781 + break; 1779 1782 } 1780 - if (&req->usb_req != _req) { 1783 + if (!req) { 1781 1784 spin_unlock_irqrestore(&bdc->lock, flags); 1782 1785 dev_err(bdc->dev, "usb_req !=req n"); 1783 1786 return -EINVAL;
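Review bot: The error path under `if (!req)` still logs "usb_req !=req n", which is missing the backslash of its newline escape and, now that the test is a NULL check on the search result, no longer describes the condition that failed. Since this hunk already touches the line directly above it, consider rewording the message to say the request is not queued on this endpoint and terminating it with a proper `\n`, either here or in a follow-up. A second, smaller point: `req` is printed by the dev_dbg() a few lines before the new `req = NULL;`, so the same variable carries one value for the debug print and then becomes the search result. A short comment at the reset would make it clear that the earlier value is deliberately discarded under the lock. The search itself reads correctly: `iter` is not dereferenced after the loop, and `req` is non-NULL only when `&iter->usb_req` matched `_req`.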