NetBSD-Bugs archive


kern/43808: Unchecked queue size and call to SIMPLEQ_REMOVE_HEAD could cause kernel exception



>Number:         43808
>Category:       kern
>Synopsis:       Unchecked queue size and call to SIMPLEQ_REMOVE_HEAD could cause kernel exception
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 27 20:25:00 +0000 2010
>Originator:     Shawn Fisher
>Release:        5.0.2
>Organization:
Cradlepoint
>Environment:
NetBSD  5.0.2 NetBSD 5.0.2 (XXXXX) #37: Fri Aug 27 12:07:16 MDT 2010  
>Description:
I am not sure whether this is really a bug or not; I ran into it while working on a 
Synopsis USB host controller driver.  The problem I ran into was that when 
usb_transfer_complete() is called, there is a possibility of calling 
SIMPLEQ_REMOVE_HEAD on pipe->queue, which could be empty.
>How-To-Repeat:

>Fix:
Index: sys/dev/usb/usbdi.c
===================================================================
--- sys/dev/usb/usbdi.c (revision 2348)
+++ sys/dev/usb/usbdi.c (working copy)
@@ -797,7 +797,9 @@
                               xfer, SIMPLEQ_FIRST(&pipe->queue));
                xfer->busy_free = XFER_BUSY;
 #endif
-               SIMPLEQ_REMOVE_HEAD(&pipe->queue, next);
+               if (!SIMPLEQ_EMPTY(&pipe->queue)) {
+                       SIMPLEQ_REMOVE_HEAD(&pipe->queue, next);
+               }
        }
        DPRINTFN(5,("usb_transfer_complete: repeat=%d new head=%p\n",
                    repeat, SIMPLEQ_FIRST(&pipe->queue)));
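Review bot: the `SIMPLEQ_EMPTY` guard on the new lines hides the underlying problem instead of reporting it. If `usb_transfer_complete()` reaches this point with an empty `pipe->queue`, the completed `xfer` was never queued or was already removed, so the pipe state is already inconsistent; the diagnostic closed by the `#endif` just above passes `xfer` and `SIMPLEQ_FIRST(&pipe->queue)` together, so the head is expected to be this very xfer. Consider at least a `KASSERT` or a `DPRINTFN` on the empty case, e.g. `KASSERT(!SIMPLEQ_EMPTY(&pipe->queue));` before the removal, so the root cause surfaces rather than the removal being silently skipped. The How-To-Repeat section is empty; a description of how the host controller driver reaches this path with an empty queue would help decide whether usbdi.c or the driver is at fault.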

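The failure mode the report describes, as an added example that is not NetBSD code nor the submitter's patch: the `SQ_*` macros are a local re-implementation with the same shape as NetBSD's `sys/queue.h` SIMPLEQ macros (renamed to avoid clashing with a system header), and `transfer_complete()`, `scenario_step()` and the `struct usb_pipe`/`struct xfer` types are hypothetical stand-ins for the usbdi.c code. It shows why the unguarded `SQ_REMOVE_HEAD` dereferences NULL on an empty queue, and why a guard should check that the completing xfer is the queue head and report a violation rather than only test for non-emptiness.

```c
#include <stdio.h>
#include <stddef.h>

/* Minimal SIMPLEQ macros with the same shape as NetBSD's sys/queue.h
 * (local copies so the example builds anywhere; SQ_ prefix to avoid
 * clashing with a system header). */
#define SQ_HEAD(name, type) \
    struct name { struct type *sqh_first; struct type **sqh_last; }
#define SQ_ENTRY(type) struct { struct type *sqe_next; }
#define SQ_INIT(head) do { \
    (head)->sqh_first = NULL; (head)->sqh_last = &(head)->sqh_first; } while (0)
#define SQ_EMPTY(head) ((head)->sqh_first == NULL)
#define SQ_FIRST(head) ((head)->sqh_first)
#define SQ_INSERT_TAIL(head, elm, field) do { \
    (elm)->field.sqe_next = NULL; \
    *(head)->sqh_last = (elm); \
    (head)->sqh_last = &(elm)->field.sqe_next; } while (0)
/* Unguarded, like the pre-patch call in usbdi.c: it reads sqh_first->field,
 * so on an empty queue (sqh_first == NULL) it dereferences NULL. */
#define SQ_REMOVE_HEAD(head, field) do { \
    if (((head)->sqh_first = (head)->sqh_first->field.sqe_next) == NULL) \
        (head)->sqh_last = &(head)->sqh_first; } while (0)

struct xfer { int id; SQ_ENTRY(xfer) next; };   /* hypothetical stand-in */
SQ_HEAD(xfer_queue, xfer);
struct usb_pipe { struct xfer_queue queue; };   /* hypothetical stand-in */

enum { COMPLETE_OK = 0, COMPLETE_EMPTY = -1, COMPLETE_NOT_HEAD = -2 };

/* Hypothetical guarded completion (not the usbdi.c function): refuse to pop
 * an empty queue, and also verify that the completing xfer is the head, since
 * a non-empty check alone would happily remove some other xfer.  Both
 * failures are reported so the caller's bug surfaces instead of being hidden. */
int transfer_complete(struct usb_pipe *p, struct xfer *x)
{
    if (SQ_EMPTY(&p->queue)) {
        fprintf(stderr, "transfer_complete: xfer %d completed on empty queue\n", x->id);
        return COMPLETE_EMPTY;
    }
    if (SQ_FIRST(&p->queue) != x) {
        fprintf(stderr, "transfer_complete: xfer %d is not the queue head (head is %d)\n",
                x->id, SQ_FIRST(&p->queue)->id);
        return COMPLETE_NOT_HEAD;
    }
    SQ_REMOVE_HEAD(&p->queue, next);  /* safe: queue is non-empty and head == x */
    return COMPLETE_OK;
}

/* Constructed scenario: two queued xfers, an out-of-order completion, the two
 * valid completions, then a spurious completion on the now-empty queue (the
 * case the report describes).  Returns the result of the requested step. */
int scenario_step(int step)
{
    struct usb_pipe p;
    struct xfer a = { .id = 1 }, b = { .id = 2 };
    int r[5];

    SQ_INIT(&p.queue);
    SQ_INSERT_TAIL(&p.queue, &a, next);
    SQ_INSERT_TAIL(&p.queue, &b, next);
    r[0] = transfer_complete(&p, &b);   /* b is not the head: rejected, queue intact */
    r[1] = transfer_complete(&p, &a);   /* a is the head: removed */
    r[2] = transfer_complete(&p, &b);   /* b is now the head: removed, queue empty */
    r[3] = transfer_complete(&p, &b);   /* empty queue: reported, nothing dereferenced */
    r[4] = SQ_EMPTY(&p.queue);          /* 1: queue left in a consistent state */
    return (step >= 0 && step < 5) ? r[step] : -99;
}

int main(void)
{
    static const char *names[] = { "not-head", "complete a", "complete b",
                                   "empty", "queue empty" };
    for (int i = 0; i < 5; i++)
        printf("%-12s -> %d\n", names[i], scenario_step(i));
    return 0;
}
```

The head check matters as much as the empty check: with only `SQ_EMPTY`, a completion for an xfer that is no longer queued would pop whatever xfer is currently at the head, corrupting another transfer instead of crashing.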

