[PATCH] handle usb host allocation failures

[PATCH] handle usb host allocation failures

[Jesse Barnes]

[-- Attachment #1: Type: text/plain, Size: 493 bytes --]

It looks like a host (like ohci or whatever) could try to allocate a new 
usb_device structure with usb_alloc_dev and get back a valid pointer even if 
the allocation of its private data failed.  I first saw this in the 2.4 
sources, but it looks like 2.6 has the same problem.  This patch attempts to 
fix it by freeing dev if the ->allocate() routine fails, and then returns 
NULL instead of a potentially dangerous dev pointer.

Signed-off-by: Jesse Barnes <jbarnes@sgi.com>

Thanks,
Jesse

[-- Attachment #2: usb-alloc-dev-nomem.patch --]
[-- Type: text/plain, Size: 383 bytes --]

===== drivers/usb/core/usb.c 1.174 vs edited =====
--- 1.174/drivers/usb/core/usb.c	2004-08-03 07:18:53 -07:00
+++ edited/drivers/usb/core/usb.c	2004-09-27 15:13:25 -07:00
@@ -759,7 +759,10 @@
 	init_MUTEX(&dev->serialize);
 
 	if (dev->bus->op->allocate)
-		dev->bus->op->allocate(dev);
+		if (dev->bus->op->allocate(dev)) {
+			kfree(dev);
+			return NULL;
+		}
 
 	return dev;
 }

Re: [PATCH] handle usb host allocation failures

[Greg KH]

On Mon, Sep 27, 2004 at 03:17:32PM -0700, Jesse Barnes wrote:
> It looks like a host (like ohci or whatever) could try to allocate a new 
> usb_device structure with usb_alloc_dev and get back a valid pointer even if 
> the allocation of its private data failed.  I first saw this in the 2.4 
> sources, but it looks like 2.6 has the same problem.  This patch attempts to 
> fix it by freeing dev if the ->allocate() routine fails, and then returns 
> NULL instead of a potentially dangerous dev pointer.
> 
> Signed-off-by: Jesse Barnes <jbarnes@sgi.com>

Applied, thanks.

greg k-h