[DragonFlyBSD - Bug #3192] (Resolved) Repeatable crash with usb midi device

bugtracker-admin at leaf.dragonflybsd.org
Fri Jun 14 22:29:15 PDT 2019


Issue #3192 has been updated by liweitianux.

Status changed from New to Resolved

Hi tse,

Thank you for the detailed bug report.

I've fixed the bug in both master and 5.6 release.

----------------------------------------
Bug #3192: Repeatable crash with usb midi device
http://bugs.dragonflybsd.org/issues/3192#change-13653

* Author: tse
* Status: Resolved
* Priority: Normal
* Assignee: 
* Category: 
* Target version: 
----------------------------------------
Originally posted to users at dragonflybsd.org, 6th June

--- a/sys/bus/u4b/audio/uaudio.c
+++ b/sys/bus/u4b/audio/uaudio.c
@@ -4871,7 +4871,7 @@ uaudio_mixer_fill_info(struct uaudio_softc *sc,
 
        if (desc == NULL) {
                DPRINTF("no Audio Control header\n");
-               goto done;
+               return;
        }
        acdp = desc;
 
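Review bot: the return in the "desc == NULL" branch is one of the two paths the submitter's note marks as untested, and nothing in the patch says why skipping the cleanup under done is safe here. The "iot == NULL" check only appears in the last hunk, so nothing seems to have been allocated yet at this point, but the done label itself is not visible in the diff; please state that reasoning in the commit message or in a one-line comment above the return.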
@@ -4879,7 +4879,7 @@ uaudio_mixer_fill_info(struct uaudio_softc *sc,
            (acdp->bDescriptorType != UDESC_CS_INTERFACE) ||
            (acdp->bDescriptorSubtype != UDESCSUB_AC_HEADER)) {
                DPRINTF("invalid Audio Control header\n");
-               goto done;
+               return;
        }
        /* "wTotalLen" is allowed to be corrupt */
        wTotalLen = UGETW(acdp->wTotalLength) - acdp->bLength;
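Review bot: the return in the "invalid Audio Control header" branch avoids the panic but leaves the root cause in place. The reported "panic: trying to free NULL pointer" in kfree() indicates that the cleanup reached through goto done hands kfree() a pointer that is still unset on this early path. Consider guarding that free with a NULL check and keeping a single exit, or documenting at the done label that it must only be reached after the allocation, so a later "goto done" added above the allocation cannot bring the crash back.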
@@ -4895,7 +4895,7 @@ uaudio_mixer_fill_info(struct uaudio_softc *sc,
 
        if (iot == NULL) {
                DPRINTF("no memory!\n");
-               goto done;
+               return;
        }
        while ((desc = usb_desc_foreach(cd, desc))) {
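Review bot: before accepting the return in the "iot == NULL" branch, check that nothing acquired between the header validation and this allocation is released only under done; those lines are not part of the diff, and an early return would skip that release. On this branch iot is NULL by definition, so jumping to done would hit the same kfree() panic and leaving early is the right direction, but the submitter marks this path as untested and it deserves a forced-failure run before it goes to a release branch.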


---
Note: middle goto->return fixes the problem, and is tested. Other two changes just seemed straightforward, but their pathways are untested

Bug was a repeatable crash when plugging in a usb midi device:
uaudio0: <vendor 0x16c0 MIDI EXpression BLUE, class 0/0, rev 2.00/1.03, addr 1> on usbus0
panic: trying to free NULL pointer
cpuid = 1
Trace beginning at frame 0xfffff801eb967810
kfree() at kfree+0x5b0 0xffffffff8058e900
kfree() at kfree+0x5b0 0xffffffff8058e900
uaudio_attach() at uaudio_attach+0x1b5 0xffffffff862040a5
device_doattach() at device_doattach+0x369 0xffffffff805bd2a9
usb_probe_and_attach() at usb_probe_and_attach+0x176 0xffffffff809091a6
uhub_explore() at uhub_explore+0x221 0xffffffff8090ffa1
Debugger("panic")
