On Fri, Jan 04, 2002 at 03:31:12PM +0100, Peter Osterlund wrote:
> Greg KH <[EMAIL PROTECTED]> writes:
> > First off, the usb-storage driver doesn't seem to work properly in
> > 2.5.2-pre6 due to the bio and scsi changes happening.  Have you got it
> > to work?
> 
> Yes, it does work with the patch I sent previously. The only problem
> is that my patch will stop working again sometime in the future, when
> the .address field is removed from struct scatterlist.

Ah, nice to know :)

> I think my device rapidly disappeared/reappeared and disappeared again
> on the bus, but I don't know for sure, because I didn't have serial
> console logging active at the time, and I can not repeat the problem.
> 
> Anyway, if (header->bLength < 2) is true in usb_parse_interface (line
> 1546), the endpoint, extra and extralen fields will never be
> initialized. This will lead to either corruption or a memory leak when
> usb_destroy_configuration is called. Therefore I think this patch is
> correct.

Good catch.  How about this patch instead which removes a bit of the
same logic elsewhere:

diff -Nru a/drivers/usb/usb.c b/drivers/usb/usb.c
--- a/drivers/usb/usb.c Fri Jan  4 13:05:08 2002
+++ b/drivers/usb/usb.c Fri Jan  4 13:05:08 2002
@@ -1535,6 +1535,9 @@
                }
 
                ifp = interface->altsetting + interface->num_altsetting;
+               ifp->endpoint = NULL;
+               ifp->extra = NULL;
+               ifp->extralen = 0;
                interface->num_altsetting++;
 
                memcpy(ifp, buffer, USB_DT_INTERFACE_SIZE);
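Review bot: the three assignments after `ifp = interface->altsetting + interface->num_altsetting;` clear only the fields named in this thread, so any other member of the altsetting slot that the memcpy of USB_DT_INTERFACE_SIZE bytes does not overwrite stays uninitialized on an early exit. A single `memset(ifp, 0, sizeof(*ifp));` ahead of the memcpy would cover every member and keep a later-added pointer field from reintroducing the same problem in usb_destroy_configuration. Placing the initialization before `interface->num_altsetting++` is right, since the slot must be valid before it is counted.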
@@ -1576,10 +1579,7 @@
                /* Copy any unknown descriptors into a storage area for */
                /*  drivers to later parse */
                len = (int)(buffer - begin);
-               if (!len) {
-                       ifp->extra = NULL;
-                       ifp->extralen = 0;
-               } else {
+               if (len) {
                        ifp->extra = kmalloc(len, GFP_KERNEL);
 
                        if (!ifp->extra) {
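Review bot: with the `!len` branch gone, the `len == 0` case at `if (len) {` now relies on the initialization added in the earlier hunk, roughly forty lines up, and nothing at this site says so. A one-line comment here noting that extra and extralen were already cleared when the altsetting was registered would stop someone from moving or dropping that initialization later. The body of the `if (!ifp->extra)` branch is not visible in this hunk; it is worth confirming that the allocation-failure path leaves extralen at 0 so the two fields stay consistent.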


> Also, while analyzing this problem, I found a bug in usb-uhci.c. If
> the uhci_start_usb call fails in alloc_uhci, line 3004,
> uhci_pci_remove will oops, because the pci private data has not been
> initialized, so uhci_t *s will be zero, and s->bus will oops. Here is
> a patch to fix this bug:

Any of the usb-uhci authors want to say if this is a good fix or not?

thanks,

greg k-h
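
The failure mode discussed above (an early exit in the parser leaving endpoint, extra and extralen unset) next to the initialize-first ordering, as an added example that is not part of the original message or the kernel source. `struct altsetting`, `parse_one`, `stale_pointers` and `run` are hypothetical stand-ins, the descriptor bytes are constructed, and the 0xA5 fill models stale contents of a fresh allocation.

```c
#include <stdlib.h>
#include <string.h>
#define DT_INTERFACE_SIZE 9   /* length of a USB interface descriptor */
#define POISON 0xA5           /* stands in for stale heap contents */

struct altsetting {           /* hypothetical, reduced altsetting slot */
    unsigned char desc[DT_INTERFACE_SIZE];
    void *endpoint;
    unsigned char *extra;
    int extralen;
};
/* Register one altsetting, then bail out if the next descriptor header has
 * bLength < 2. init_early != 0 models clearing the fields before any exit. */
static int parse_one(struct altsetting *ifp, const unsigned char *buf,
                     size_t size, int init_early)
{
    const unsigned char *hdr = buf + DT_INTERFACE_SIZE;
    if (size < DT_INTERFACE_SIZE) return -1;
    if (init_early) {
        ifp->endpoint = NULL;
        ifp->extra = NULL;
        ifp->extralen = 0;
    }
    memcpy(ifp->desc, buf, DT_INTERFACE_SIZE);
    if (size - DT_INTERFACE_SIZE >= 2 && hdr[0] < 2)
        return -1;            /* early exit: the assignments below are skipped */
    ifp->endpoint = NULL;
    ifp->extra = NULL;
    ifp->extralen = 0;
    return 0;
}

/* Count pointer fields a destroy routine would pass to its free function
 * although nothing was ever allocated for them. */
static int stale_pointers(const struct altsetting *ifp)
{
    return (ifp->endpoint != NULL) + (ifp->extra != NULL);
}

/* Constructed input: a mass-storage interface descriptor followed by a
 * header whose bLength is 1. Returns the stale-pointer count after parsing. */
int run(int init_early)
{
    static const unsigned char buf[] = { 9, 4, 0, 0, 0, 8, 6, 0x50, 0, 1, 0 };
    struct altsetting *alt = malloc(sizeof *alt);
    if (!alt) return -1;
    memset(alt, POISON, sizeof *alt);
    (void)parse_one(alt, buf, sizeof buf, init_early);
    int n = stale_pointers(alt);
    free(alt);
    return n;
}
```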

_______________________________________________
[EMAIL PROTECTED]
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel
