USB: fix oops in usb_sg_init()

This patch (as1401) fixes a bug in usb_sg_init() that can cause an invalid pointer dereference. An inner loop reuses some local variables in an unsafe manner, so new variables are introduced. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Tested-by: Ajay Kumar Gupta <ajay.gupta@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Alan Stern <stern@rowland.harvard.edu> 2010-06-18 10:16:33 -0400
committer: Greg Kroah-Hartman <gregkh@suse.de> 2010-06-30 11:16:06 -0400
commit: 64d65872f96e2a754caa12ef48949c314384bd9f (patch)
tree: 1fbd174ef9b2df672a68f81c960599c39b238286
parent: 3b49d2315c119b9ae8a9a33b07d4eb7d194c01a7 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index a73e08fdab36..fd4c36ea5e46 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -416,8 +416,11 @@ int usb_sg_init(struct usb_sg_request *io, struct usb_device *dev,
                        /* A length of zero means transfer the whole sg list */
                        len = length;
                        if (len == 0) {
-                                for_each_sg(sg, sg, nents, i)
+                                struct scatterlist      *sg2;
-                                        len += sg->length;
+                                int                     j;
+                                for_each_sg(sg, sg2, nents, j)
+                                        len += sg2->length;
                        }
                } else {
                        /*
author	Alan Stern <stern@rowland.harvard.edu>	2010-06-18 10:16:33 -0400
committer	Greg Kroah-Hartman <gregkh@suse.de>	2010-06-30 11:16:06 -0400
commit	64d65872f96e2a754caa12ef48949c314384bd9f (patch)
tree	1fbd174ef9b2df672a68f81c960599c39b238286
parent	3b49d2315c119b9ae8a9a33b07d4eb7d194c01a7 (diff)