[DragonFlyBSD - Bug #3192] (New) Repeatable crash with usb midi device

bugtracker-admin at leaf.dragonflybsd.org bugtracker-admin at leaf.dragonflybsd.org
Fri Jun 14 13:30:42 PDT 2019 

Issue #3192 has been reported by tse.

----------------------------------------
Bug #3192: Repeatable crash with usb midi device
http://bugs.dragonflybsd.org/issues/3192

* Author: tse
* Status: New
* Priority: Normal
* Assignee: 
* Category: 
* Target version: 
----------------------------------------
Originally posted to users at dragonflybsd.org, 6th June

--- a/sys/bus/u4b/audio/uaudio.c
+++ b/sys/bus/u4b/audio/uaudio.c
@@ -4871,7 +4871,7 @@ uaudio_mixer_fill_info(struct uaudio_softc *sc,
 
        if (desc == NULL) {
                DPRINTF("no Audio Control header\n");
-               goto done;
+               return;
        }
        acdp = desc;
 
@@ -4879,7 +4879,7 @@ uaudio_mixer_fill_info(struct uaudio_softc *sc,
            (acdp->bDescriptorType != UDESC_CS_INTERFACE) ||
            (acdp->bDescriptorSubtype != UDESCSUB_AC_HEADER)) {
                DPRINTF("invalid Audio Control header\n");
-               goto done;
+               return;
        }
        /* "wTotalLen" is allowed to be corrupt */
        wTotalLen = UGETW(acdp->wTotalLength) - acdp->bLength;
@@ -4895,7 +4895,7 @@ uaudio_mixer_fill_info(struct uaudio_softc *sc,
 
        if (iot == NULL) {
                DPRINTF("no memory!\n");
-               goto done;
+               return;
        }
        while ((desc = usb_desc_foreach(cd, desc))) {


---
Note: middle goto->return fixes the problem, and is tested. Other two changes just seemed straightforward, but their pathways are untested

Bug was a repeatable crash when plugging in a usb midi device:
uaudio0: <vendor 0x16c0 MIDI EXpression BLUE, class 0/0, rev 2.00/1.03, addr 1> on usbus0
panic: trying to free NULL pointer
cpuid = 1
Trace beginning at frame 0xfffff801eb967810
kfree() at kfree+0x5b0 0xffffffff8058e900
kfree() at kfree+0x5b0 0xffffffff8058e900
uaudio_attach() at uaudio_attach+0x1b5 0xffffffff862040a5
device_doattach() at device_doattach+0x369 0xffffffff805bd2a9
usb_probe_and_attach() at usb_probe_and_attach+0x176 0xffffffff809091a6
uhub_explore() at uhub_explore+0x221 0xffffffff8090ffa1
Debugger("panic")



-- 
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://bugs.dragonflybsd.org/my/account

More information about the Bugs mailing list