diff options
author | Alan Stern <stern@rowland.harvard.edu> | 2010-06-18 10:16:33 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-06-30 08:16:06 -0700 |
commit | 64d65872f96e2a754caa12ef48949c314384bd9f (patch) | |
tree | 1fbd174ef9b2df672a68f81c960599c39b238286 /drivers/usb/core/message.c | |
parent | 3b49d2315c119b9ae8a9a33b07d4eb7d194c01a7 (diff) | |
download | linux-64d65872f96e2a754caa12ef48949c314384bd9f.tar.bz2 |
USB: fix oops in usb_sg_init()
This patch (as1401) fixes a bug in usb_sg_init() that can cause an
invalid pointer dereference. An inner loop reuses some local variables
in an unsafe manner, so new variables are introduced.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Ajay Kumar Gupta <ajay.gupta@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/usb/core/message.c')
-rw-r--r-- | drivers/usb/core/message.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c index a73e08fdab36..fd4c36ea5e46 100644 --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -416,8 +416,11 @@ int usb_sg_init(struct usb_sg_request *io, struct usb_device *dev, /* A length of zero means transfer the whole sg list */ len = length; if (len == 0) { - for_each_sg(sg, sg, nents, i) - len += sg->length; + struct scatterlist *sg2; + int j; + + for_each_sg(sg, sg2, nents, j) + len += sg2->length; } } else { /* |