Issue #3192 has been reported by tse. ---------------------------------------- Bug #3192: Repeatable crash with usb midi device http://bugs.dragonflybsd.org/issues/3192
* Author: tse * Status: New * Priority: Normal * Assignee: * Category: * Target version: ---------------------------------------- Originally posted to [email protected], 6th June --- a/sys/bus/u4b/audio/uaudio.c +++ b/sys/bus/u4b/audio/uaudio.c @@ -4871,7 +4871,7 @@ uaudio_mixer_fill_info(struct uaudio_softc *sc, if (desc == NULL) { DPRINTF("no Audio Control header\n"); - goto done; + return; } acdp = desc; @@ -4879,7 +4879,7 @@ uaudio_mixer_fill_info(struct uaudio_softc *sc, (acdp->bDescriptorType != UDESC_CS_INTERFACE) || (acdp->bDescriptorSubtype != UDESCSUB_AC_HEADER)) { DPRINTF("invalid Audio Control header\n"); - goto done; + return; } /* "wTotalLen" is allowed to be corrupt */ wTotalLen = UGETW(acdp->wTotalLength) - acdp->bLength; @@ -4895,7 +4895,7 @@ uaudio_mixer_fill_info(struct uaudio_softc *sc, if (iot == NULL) { DPRINTF("no memory!\n"); - goto done; + return; } while ((desc = usb_desc_foreach(cd, desc))) { --- Note: middle goto->return fixes the problem, and is tested. Other two changes just seemed straightforward, but their pathways are untested Bug was a repeatable crash when plugging in a usb midi device: uaudio0: <vendor 0x16c0 MIDI EXpression BLUE, class 0/0, rev 2.00/1.03, addr 1> on usbus0 panic: trying to free NULL pointer cpuid = 1 Trace beginning at frame 0xfffff801eb967810 kfree() at kfree+0x5b0 0xffffffff8058e900 kfree() at kfree+0x5b0 0xffffffff8058e900 uaudio_attach() at uaudio_attach+0x1b5 0xffffffff862040a5 device_doattach() at device_doattach+0x369 0xffffffff805bd2a9 usb_probe_and_attach() at usb_probe_and_attach+0x176 0xffffffff809091a6 uhub_explore() at uhub_explore+0x221 0xffffffff8090ffa1 Debugger("panic") -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://bugs.dragonflybsd.org/my/account
