NetBSD Problem Report #43808
From www@NetBSD.org Fri Aug 27 20:23:10 2010
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 7931163B89F
for <gnats-bugs@gnats.NetBSD.org>; Fri, 27 Aug 2010 20:23:10 +0000 (UTC)
Message-Id: <20100827202310.17CB863B89A@www.NetBSD.org>
Date: Fri, 27 Aug 2010 20:23:10 +0000 (UTC)
From: sfisher@cradlepoint.com
Reply-To: sfisher@cradlepoint.com
To: gnats-bugs@NetBSD.org
Subject: Unchecked queue size and call to SIMPLEQ_REMOVE_HEAD could cause kernel exception
X-Send-Pr-Version: www-1.0
>Number: 43808
>Category: kern
>Synopsis: Unchecked queue size and call to SIMPLEQ_REMOVE_HEAD could cause kernel exception
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Aug 27 20:25:00 +0000 2010
>Originator: Shawn Fisher
>Release: 5.0.2
>Organization:
Cradlepoint
>Environment:
NetBSD 5.0.2 NetBSD 5.0.2 (XXXXX) #37: Fri Aug 27 12:07:16 MDT 2010
>Description:
I am not sure if this is really a bug or not, I ran into it while working on a Synopsis USB host controller driver. The problem I ran into was that when usb_transfer_complete() is called, there could be the possibility of calling SIMPLEQ_REMOVE_HEAD on pipe->queue which could be empty.
>How-To-Repeat:
>Fix:
Index: sys/dev/usb/usbdi.c
===================================================================
--- sys/dev/usb/usbdi.c (revision 2348)
+++ sys/dev/usb/usbdi.c (working copy)
@@ -797,7 +797,9 @@
xfer, SIMPLEQ_FIRST(&pipe->queue));
xfer->busy_free = XFER_BUSY;
#endif
- SIMPLEQ_REMOVE_HEAD(&pipe->queue, next);
+ if (!SIMPLEQ_EMPTY(&pipe->queue)) {
+ SIMPLEQ_REMOVE_HEAD(&pipe->queue, next);
+ }
}
DPRINTFN(5,("usb_transfer_complete: repeat=%d new head=%p\n",
repeat, SIMPLEQ_FIRST(&pipe->queue)));
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.