Re: [linux-usb-devel] [PATCH] iuu_phoenix new driver proposal 2 fixed

Thu, 19 Jul 2007 04:15:44 -0700 

Am Donnerstag 19 Juli 2007 schrieb [EMAIL PROTECTED]:
> OOps ;-)
> 
> 2 missing characters...
> 
> Now it compile without warning or error
> 

+               /* shutdown our urbs */
+               dbg("%s - shutting down urbs", __FUNCTION__);
+               result = usb_unlink_urb(port->write_urb);
+               if (result)
+                       dbg("%s - usb_unlink_urb (write_urb)"
+                           " failed with reason: %d", __FUNCTION__, result);
+
+               result = usb_unlink_urb(port->read_urb);
+               if (result)
+                       dbg("%s - usb_unlink_urb (read_urb) "
+                           "failed with reason: %d", __FUNCTION__, result);
+
+               result = usb_unlink_urb(port->interrupt_in_urb);
+               if (result)
+                       dbg("%s - usb_unlink_urb (voiderrupt_in_urb)"
+                           " failed with reason: %d", __FUNCTION__, result);

You must use usb_kill_urb() here.

+       serial = port->serial;
+       if (!serial)
+               return;
+       iuu_led(port, 0, 0, 0xF000, 0xFF);
+       dbg("%s - port %d", __FUNCTION__, port->number);
+
+       iuu_uart_off(port);
+       if (serial->dev) {

If serial->dev can be NULL, you must not use iuu_led unconditionally.

+static int iuu_uart_on(struct usb_serial_port *port)
+{
+       int status;
+       u8 *buf;
+
+       buf = kmalloc(sizeof(u8) * 4, GFP_KERNEL);

A simple 4 will do.

+       tmp = kmalloc(sizeof(struct iuu_buffers), GFP_KERNEL);
+       if (!tmp)
+               return -ENOMEM;
+
+       /* u_int8_t datain[256]; */
+
+       if (iuu_led(port, 0xF000, 0, 0, 0xFF) < 0) {
+               kfree(tmp);
+               return -EIO;
+       }
+
+       for (i = 0; i < 2; i++) {
+               status = bulk_immediate(port, &rxcmd, 1);
+               if (status != IUU_OPERATION_OK) {
+                       dbg("%s - uart_flush_write error", __FUNCTION__);
+                       return status;
+               }

Memory leak in error case

+               if (tmp->len > 0) {
+                       /* test buffer overflow */
+                       if (curpos + tmp->len > 256) {
+                               kfree(tmp);
+                               return -1;

What is -1 supposed to mean?

+       if (priv->write_busy)
+               return -1;
+
+       tmp = kmalloc(sizeof(struct iuu_buffers), GFP_KERNEL);
+       if (!tmp)
+               return -EIO;
+
+       priv->write_busy = 1;

This is a race condition. More than one task can succeed the test and proceed.

        Regards
                Oliver

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel

Reply via email to