greybus: manifest: fix bundle descriptor parse
authorRui Miguel Silva <rui.silva@linaro.org>
Mon, 16 Nov 2015 19:23:25 +0000 (19:23 +0000)
committerGreg Kroah-Hartman <gregkh@google.com>
Tue, 17 Nov 2015 06:26:43 +0000 (22:26 -0800)
The descriptor list is walked in two points, in the bundle parsing and
cport parsing, this can make the next descriptor pointer in bundle to be
already removed by the cport remove descriptor and become invalid.

So, just get the next bundle until there no more left.

Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
drivers/staging/greybus/manifest.c

index 3e61b6655a5f958a2568b17605cba9d8277df01f..084e07e195c02478b3c10b766f43bc69acab8a27 100644 (file)
@@ -60,6 +60,18 @@ static void release_manifest_descriptors(struct gb_interface *intf)
                release_manifest_descriptor(descriptor);
 }
 
+static struct manifest_desc *get_next_bundle_desc(struct gb_interface *intf)
+{
+       struct manifest_desc *descriptor;
+       struct manifest_desc *next;
+
+       list_for_each_entry_safe(descriptor, next, &intf->manifest_descs, links)
+               if (descriptor->type == GREYBUS_TYPE_BUNDLE)
+                       return descriptor;
+
+       return NULL;
+}
+
 /*
  * Validate the given descriptor.  Its reported size must fit within
  * the number of bytes remaining, and it must have a recognized
@@ -282,18 +294,14 @@ exit:
 static u32 gb_manifest_parse_bundles(struct gb_interface *intf)
 {
        struct manifest_desc *desc;
-       struct manifest_desc *next;
        struct gb_bundle *bundle;
        struct gb_bundle *bundle_next;
        u32 count = 0;
        u8 bundle_id;
 
-       list_for_each_entry_safe(desc, next, &intf->manifest_descs, links) {
+       while ((desc = get_next_bundle_desc(intf))) {
                struct greybus_descriptor_bundle *desc_bundle;
 
-               if (desc->type != GREYBUS_TYPE_BUNDLE)
-                       continue;
-
                /* Found one.  Set up its bundle structure*/
                desc_bundle = desc->data;
                bundle_id = desc_bundle->id;