From: "Rafael J. Wysocki" <rjw@sisk.pl>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Greg KH <greg@kroah.com>,
linux-usb@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Stefani Seibold <stefani@seibold.net>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [Regression, 2.6.33-rc1->current git] NULL pointer in usb_serial_probe() introduced by the recent kfifo changes
Date: Wed, 23 Dec 2009 17:16:40 +0100
Message-ID: <200912231716.41004.rjw@sisk.pl>
In-Reply-To: <Pine.LNX.4.44L0.0912222304090.14449-100000@netrider.rowland.org>

On Wednesday 23 December 2009, Alan Stern wrote:
> On Wed, 23 Dec 2009, Rafael J. Wysocki wrote:
>
> > Hi,
> >
> > Something like the patch below is necessary to fix a new NULL pointer deref
> > in usb_serial_probe() that appeared after the recent kfifo changes (in short,
> > the kfifo changes modified the semantics of kfifo_alloc() that
> > usb_serial_probe() relied on).
> >
> > Thanks,
> > Rafael
> >
> > ---
> > drivers/usb/serial/usb-serial.c | 10 +++++++++-
> > 1 file changed, 9 insertions(+), 1 deletion(-)
> >
> > Index: linux-2.6/drivers/usb/serial/usb-serial.c
> > ===================================================================
> > --- linux-2.6.orig/drivers/usb/serial/usb-serial.c
> > +++ linux-2.6/drivers/usb/serial/usb-serial.c
> > @@ -595,8 +595,10 @@ static void port_release(struct device *
> > usb_free_urb(port->write_urb);
> > usb_free_urb(port->interrupt_in_urb);
> > usb_free_urb(port->interrupt_out_urb);
> > - if (!IS_ERR(port->write_fifo) && port->write_fifo)
> > + if (port->write_fifo) {
> > kfifo_free(port->write_fifo);
> > + kfree(port->write_fifo);
> > + }
> > kfree(port->bulk_in_buffer);
> > kfree(port->bulk_out_buffer);
> > kfree(port->interrupt_in_buffer);
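Review bot: The new condition `if (port->write_fifo)` in port_release() drops the IS_ERR() test, so it is only correct if nothing can store an ERR_PTR value in write_fifo any more. Please confirm that no remaining assignment still does so, and say in the changelog why the IS_ERR() test is no longer needed. Note also that kfifo_free() now runs for every non-NULL write_fifo, including a struct that was allocated but never successfully passed through kfifo_alloc(), so this path depends on kfifo_free() tolerating that state.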
> > @@ -939,6 +941,12 @@ int usb_serial_probe(struct usb_interfac
> > dev_err(&interface->dev, "No free urbs available\n");
> > goto probe_error;
> > }
> > + port->write_fifo = kzalloc(sizeof(struct kfifo), GFP_KERNEL);
> > + if (!port->write_fifo) {
> > + dev_err(&interface->dev,
> > + "Couldn't allocate write_fifo\n");
> > + goto probe_error;
> > + }
> > if (kfifo_alloc(port->write_fifo, PAGE_SIZE, GFP_KERNEL))
> > goto probe_error;
> > buffer_size = le16_to_cpu(endpoint->wMaxPacketSize);
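Review bot: The kfifo_alloc() failure branch right after the new kzalloc() block jumps to probe_error with port->write_fifo still pointing at the zeroed struct kfifo, and, unlike the kzalloc() failure just above it, logs nothing. If cleanup from probe_error ends up in port_release(), kfifo_free() will be called on a fifo whose buffer was never allocated. Either kfree() the struct and set port->write_fifo to NULL in that branch, or document that kfifo_free() is safe there, and add a dev_err() so both allocation failures are reported the same way.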
>
> Although this would mean further changes elsewhere, doesn't it make
> more sense to embed the struct kfifo directly in the usb_serial_port
> structure instead of allocating it dynamically?

I guess it would, but I wanted to avoid making any further changes.

Rafael