NetBSD Problem Report #43808

From www@NetBSD.org  Fri Aug 27 20:23:10 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 7931163B89F
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 27 Aug 2010 20:23:10 +0000 (UTC)
Message-Id: <20100827202310.17CB863B89A@www.NetBSD.org>
Date: Fri, 27 Aug 2010 20:23:10 +0000 (UTC)
From: sfisher@cradlepoint.com
Reply-To: sfisher@cradlepoint.com
To: gnats-bugs@NetBSD.org
Subject: Unchecked queue size and call to SIMPLEQ_REMOVE_HEAD could cause kernel exception
X-Send-Pr-Version: www-1.0

>Number:         43808
>Category:       kern
>Synopsis:       Unchecked queue size and call to SIMPLEQ_REMOVE_HEAD could cause kernel exception
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 27 20:25:00 +0000 2010
>Originator:     Shawn Fisher
>Release:        5.0.2
>Organization:
Cradlepoint
>Environment:
NetBSD  5.0.2 NetBSD 5.0.2 (XXXXX) #37: Fri Aug 27 12:07:16 MDT 2010  
>Description:
I am not sure if this is really a bug or not; I ran into it while working on a Synopsis USB host controller driver.  The problem I ran into was that when usb_transfer_complete() is called, there could be the possibility of calling SIMPLEQ_REMOVE_HEAD on pipe->queue which could be empty.
>How-To-Repeat:

>Fix:
Index: sys/dev/usb/usbdi.c
===================================================================
--- sys/dev/usb/usbdi.c	(revision 2348)
+++ sys/dev/usb/usbdi.c	(working copy)
@@ -797,7 +797,9 @@
 			       xfer, SIMPLEQ_FIRST(&pipe->queue));
 		xfer->busy_free = XFER_BUSY;
 #endif
-		SIMPLEQ_REMOVE_HEAD(&pipe->queue, next);
+		if (!SIMPLEQ_EMPTY(&pipe->queue)) {
+			SIMPLEQ_REMOVE_HEAD(&pipe->queue, next);
+		}
 	}
 	DPRINTFN(5,("usb_transfer_complete: repeat=%d new head=%p\n",
 		    repeat, SIMPLEQ_FIRST(&pipe->queue)));
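
Review bot: The SIMPLEQ_EMPTY() guard added around SIMPLEQ_REMOVE_HEAD(&pipe->queue, next) covers only the empty case and hides the underlying inconsistency, namely that usb_transfer_complete() is running for an xfer that is not on pipe->queue. The context line just above the change passes xfer and SIMPLEQ_FIRST(&pipe->queue) side by side to a diagnostic, which suggests the code expects xfer to be the queue head; with this guard, a non-empty queue whose head is some other transfer would still have that other transfer dequeued. Consider testing SIMPLEQ_FIRST(&pipe->queue) == xfer before removing, and reporting the mismatch (a diagnostic printf or an assertion) instead of skipping silently, so that a host controller driver completing an unqueued transfer is caught rather than masked. The report would also benefit from a How-To-Repeat entry describing the driver call sequence that reaches this point with an empty queue.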
