[v2,3/4] usb: mtu3: fix list_head check warning

Message ID 20211218095749.6250-3-chunfeng.yun@mediatek.com
State New
Series [v2,1/4] usb: mtu3: fix interval value for intr and isoc

Commit Message

Chunfeng Yun (云春峰) Dec. 18, 2021, 9:57 a.m. UTC
This is caused by uninitialization of list_head.

BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4

Call trace:
dump_backtrace+0x0/0x298
show_stack+0x24/0x34
dump_stack+0x130/0x1a8
print_address_description+0x88/0x56c
__kasan_report+0x1b8/0x2a0
kasan_report+0x14/0x20
__asan_load8+0x9c/0xa0
__list_del_entry_valid+0x34/0xe4
mtu3_req_complete+0x4c/0x300 [mtu3]
mtu3_gadget_stop+0x168/0x448 [mtu3]
usb_gadget_unregister_driver+0x204/0x3a0
unregister_gadget_item+0x44/0xa4

Fixes: 83374e035b62 ("usb: mtu3: add tracepoints to help debug")
Cc: stable@vger.kernel.org
Reported-by: Yuwen Ng <yuwen.ng@mediatek.com>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
---
v2: add Fixes and Cc suggested by Greg
---
 drivers/usb/mtu3/mtu3_gadget.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Greg Kroah-Hartman Dec. 19, 2021, 10:40 a.m. UTC | #1
On Sun, Dec 19, 2021 at 01:14:25PM +0300, Sergei Shtylyov wrote:
> On 18.12.2021 12:57, Chunfeng Yun wrote:
> 
> > This is caused by uninitialization of list_head.
> 
>    Again, there's no such word as "uninitialization" (even if it existed, it
> wouldn't mean what you wanted to say); please replace by "not initializing".

We are not English language scholars, most of us do not have English as
their native language.  We all can understand what is being said here,
there's no need for any change, please do not be so critical.

thanks,

greg k-h

Patch

diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c
index c51be015345b..b6c8a4a99c4d 100644
--- a/drivers/usb/mtu3/mtu3_gadget.c
+++ b/drivers/usb/mtu3/mtu3_gadget.c
@@ -235,6 +235,7 @@  struct usb_request *mtu3_alloc_request(struct usb_ep *ep, gfp_t gfp_flags)
 	mreq->request.dma = DMA_ADDR_INVALID;
 	mreq->epnum = mep->epnum;
 	mreq->mep = mep;
+	INIT_LIST_HEAD(&mreq->list);
 	trace_mtu3_alloc_request(mreq);
 
 	return &mreq->request;
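
Review bot: The commit message does not explain why the added INIT_LIST_HEAD(&mreq->list) in mtu3_alloc_request() is needed beyond "uninitialization of list_head". The call trace shows mtu3_req_complete() reaching __list_del_entry_valid() from mtu3_gadget_stop(), so please state which path completes a request that was never added to a queue, since that is the case this initialization makes safe. It is also worth confirming how the deletion in mtu3_req_complete() leaves mreq->list: if the entry is not re-initialized after removal, a second completion of the same request would hit the same check even with this change. Finally, the Fixes: tag names the tracepoints commit, and this hunk sits directly above trace_mtu3_alloc_request(mreq); a sentence saying how that commit introduced the problem would help the stable backport.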