Bug #3192
closed
Repeatable crash with usb midi device
0%
Description
Originally posted to users@dragonflybsd.org, 6th June
--- a/sys/bus/u4b/audio/uaudio.c
+++ b/sys/bus/u4b/audio/uaudio.c@ -4871,7 +4871,7 @ uaudio_mixer_fill_info(struct uaudio_softc *sc,
if (desc == NULL) {
DPRINTF("no Audio Control header\n");
- goto done;
+ return;
}
acdp = desc;@ -4879,7 +4879,7 @ uaudio_mixer_fill_info(struct uaudio_softc sc,
(acdp->bDescriptorType != UDESC_CS_INTERFACE) ||
(acdp->bDescriptorSubtype != UDESCSUB_AC_HEADER)) {
DPRINTF;
- goto done;
+ return;
}
/ "wTotalLen" is allowed to be corrupt */
wTotalLen = UGETW - acdp->bLength;@ -4895,7 +4895,7 @ uaudio_mixer_fill_info(struct uaudio_softc *sc,
if (iot == NULL) {
DPRINTF("no memory!\n");
- goto done;
+ return;
}
while ((desc = usb_desc_foreach(cd, desc))) {---
Note: middle goto->return fixes the problem, and is tested. Other two changes just seemed straightforward, but their pathways are untested
Bug was a repeatable crash when plugging in a usb midi device:
uaudio0: <vendor 0x16c0 MIDI EXpression BLUE, class 0/0, rev 2.00/1.03, addr 1> on usbus0
panic: trying to free NULL pointer
cpuid = 1
Trace beginning at frame 0xfffff801eb967810
kfree() at kfree+0x5b0 0xffffffff8058e900
kfree() at kfree+0x5b0 0xffffffff8058e900
uaudio_attach() at uaudio_attach+0x1b5 0xffffffff862040a5
device_doattach() at device_doattach+0x369 0xffffffff805bd2a9
usb_probe_and_attach() at usb_probe_and_attach+0x176 0xffffffff809091a6
uhub_explore() at uhub_explore+0x221 0xffffffff8090ffa1
Debugger("panic")
Updated by liweitianux almost 5 years ago
- Status changed from New to Resolved
Hi tse,
Thank you for the detailed bug report.
I've fixed the bug in both master and 5.6 release.