Commit 32f1d2c5 authored by Takashi Iwai's avatar Takashi Iwai Committed by Sarah Sharp

xhci: Don't free endpoints in xhci_mem_cleanup()

This patch fixes a few issues introduced in the recent fix
[f8a9e72d: USB: fix resource leak in xhci power loss path]

- The endpoints listed in bw table are just links and each entry is an
 array member of dev->eps[].  But the commit above adds a kfree() call
 to these instances, and thus it results in memory corruption.

- It clears only the first entry of rh_bw[], but there can be multiple
  ports.

- It'd be safer to clear the list_head of ep as well, not only
  removing from the list, as it's checked in
  xhci_discover_or_reset_device().

This patch should be backported to kernels as old as 3.2, that contain
the commit 839c817c "xhci: Store
information about roothubs and TTs."
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
Reviewed-by: default avatarOliver Neukum <oneukum@suse.de>
Cc: <stable@vger.kernel.org>
parent 46ed8f00
...@@ -1772,17 +1772,9 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) ...@@ -1772,17 +1772,9 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
{ {
struct pci_dev *pdev = to_pci_dev(xhci_to_hcd(xhci)->self.controller); struct pci_dev *pdev = to_pci_dev(xhci_to_hcd(xhci)->self.controller);
struct dev_info *dev_info, *next; struct dev_info *dev_info, *next;
struct list_head *tt_list_head;
struct list_head *tt;
struct list_head *endpoints;
struct list_head *ep, *q;
struct xhci_tt_bw_info *tt_info;
struct xhci_interval_bw_table *bwt;
struct xhci_virt_ep *virt_ep;
unsigned long flags; unsigned long flags;
int size; int size;
int i; int i, j, num_ports;
/* Free the Event Ring Segment Table and the actual Event Ring */ /* Free the Event Ring Segment Table and the actual Event Ring */
size = sizeof(struct xhci_erst_entry)*(xhci->erst.num_entries); size = sizeof(struct xhci_erst_entry)*(xhci->erst.num_entries);
...@@ -1841,21 +1833,22 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) ...@@ -1841,21 +1833,22 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
} }
spin_unlock_irqrestore(&xhci->lock, flags); spin_unlock_irqrestore(&xhci->lock, flags);
bwt = &xhci->rh_bw->bw_table; num_ports = HCS_MAX_PORTS(xhci->hcs_params1);
for (i = 0; i < XHCI_MAX_INTERVAL; i++) { for (i = 0; i < num_ports; i++) {
endpoints = &bwt->interval_bw[i].endpoints; struct xhci_interval_bw_table *bwt = &xhci->rh_bw[i].bw_table;
list_for_each_safe(ep, q, endpoints) { for (j = 0; j < XHCI_MAX_INTERVAL; j++) {
virt_ep = list_entry(ep, struct xhci_virt_ep, bw_endpoint_list); struct list_head *ep = &bwt->interval_bw[j].endpoints;
list_del(&virt_ep->bw_endpoint_list); while (!list_empty(ep))
kfree(virt_ep); list_del_init(ep->next);
} }
} }
tt_list_head = &xhci->rh_bw->tts; for (i = 0; i < num_ports; i++) {
list_for_each_safe(tt, q, tt_list_head) { struct xhci_tt_bw_info *tt, *n;
tt_info = list_entry(tt, struct xhci_tt_bw_info, tt_list); list_for_each_entry_safe(tt, n, &xhci->rh_bw[i].tts, tt_list) {
list_del(tt); list_del(&tt->tt_list);
kfree(tt_info); kfree(tt);
}
} }
xhci->num_usb2_ports = 0; xhci->num_usb2_ports = 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment