Bug #3192

Repeatable crash with usb midi device

Added by tse about 1 month ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 06/14/2019
Due date:
% Done: 0%
Estimated time:

Description

Originally posted to , 6th June

--- a/sys/bus/u4b/audio/uaudio.c
+++ b/sys/bus/u4b/audio/uaudio.c
@@ -4871,7 +4871,7 @@ uaudio_mixer_fill_info(struct uaudio_softc *sc,

if (desc == NULL) {
DPRINTF("no Audio Control header\n");
- goto done;
+ return;
}
acdp = desc;

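Review bot: the `desc == NULL` exit is one of the two paths the submitter marks as untested, and the patch gives no reason why skipping `done` is safe here. The `iot == NULL` check only appears further down (the hunk at line 4895), which suggests nothing has been allocated yet at this point; please state that in the commit message or in a one-line comment above the `return;`, so a later allocation added before this check is not silently leaked.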
@@ -4879,7 +4879,7 @@ uaudio_mixer_fill_info(struct uaudio_softc *sc,
(acdp->bDescriptorType != UDESC_CS_INTERFACE) ||
(acdp->bDescriptorSubtype != UDESCSUB_AC_HEADER)) {
DPRINTF("invalid Audio Control header\n");
- goto done;
+ return;
}
/* "wTotalLen" is allowed to be corrupt */
wTotalLen = UGETW(acdp->wTotalLength) - acdp->bLength;
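Review bot: in the "invalid Audio Control header" branch, `return;` avoids the panic but leaves the underlying hazard in place, since any future `goto done` placed before the allocation would hit the same "trying to free NULL pointer" panic. The body of `done` is not part of this diff, so this is a suggestion to check: if it frees a pointer that is still NULL on early exits, guarding that free with a NULL test there would fix all three paths in one place and keep the single exit. This is the path reported as tested, so it is also the one to cite in the commit message as reproducing the crash.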
@@ -4895,7 +4895,7 @@ uaudio_mixer_fill_info(struct uaudio_softc *sc,

if (iot == NULL) {
DPRINTF("no memory!\n");
- goto done;
+ return;
}
while ((desc = usb_desc_foreach(cd, desc))) {

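Review bot: in the `iot == NULL` branch, `return;` is only equivalent to the old `goto done` if the cleanup at `done` releases nothing besides `iot`, and that label is outside the visible lines. Please confirm that before merging, since the submitter notes this path is untested; if `done` does more than free `iot`, keep the `goto` and make the free conditional instead.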
---
Note: middle goto->return fixes the problem, and is tested. Other two changes just seemed straightforward, but their pathways are untested.

Bug was a repeatable crash when plugging in a usb midi device:
uaudio0: <vendor 0x16c0 MIDI EXpression BLUE, class 0/0, rev 2.00/1.03, addr 1> on usbus0
panic: trying to free NULL pointer
cpuid = 1
Trace beginning at frame 0xfffff801eb967810
kfree() at kfree+0x5b0 0xffffffff8058e900
kfree() at kfree+0x5b0 0xffffffff8058e900
uaudio_attach() at uaudio_attach+0x1b5 0xffffffff862040a5
device_doattach() at device_doattach+0x369 0xffffffff805bd2a9
usb_probe_and_attach() at usb_probe_and_attach+0x176 0xffffffff809091a6
uhub_explore() at uhub_explore+0x221 0xffffffff8090ffa1
Debugger("panic")

History

#1

Updated by liweitianux about 1 month ago

  • Status changed from New to Resolved

Hi tse,

Thank you for the detailed bug report.

I've fixed the bug in both master and 5.6 release.
