On Mon, 16 Jul 2012, Oliver Neukum wrote:
> Am Freitag, 13. Juli 2012, 22:59:05 schrieb Alan Stern:
> > Also, you'll have to make sure that either all the keyboard LEDs are
> > off or else you modprobe usbhid with the ignoreled=1 option.
> >
> > Jiri and Oliver: What do you think of the patch? I can break it up
> > into several pieces, each making a single change.
> >
>
> I don't understand how raw_report can be NULL, otherwise
> it looks good to me.
Under some circumstances, a control or interrupt-OUT URB can be
submitted twice. This will happen if the first submission fails; the
queue pointers aren't updated, so the next time the queue is restarted
the same URB will be submitted again.

The problem is that raw_report gets deallocated during the first
submission. The second submission will then dereference and try to
free an already-freed region of memory. I saw this happen during
testing.

That's the reason for the change. During the second submission,
raw_report will be NULL because the new code clears it during the
first submission.
Alan Stern
P.S.: There are other bugs that my patch doesn't address. I can list
three mistakes right away:

  1. The HID_SUSPENDED identifier isn't used for anything,
     whereas HID_REPORTED_IDLE (whatever that means) is used
     to indicate "suspended".

  2. Some error pathways in hid_suspend() don't restart things
     properly.

  3. usbhid_restart_out_queue() and usbhid_restart_ctrl_queue()
     don't check for disconnect or reset pending.