On Tue, Sep 21, 2010 at 02:23:26PM -0700, Stephen Hemminger wrote:
> The following happened after a KVM (Belkin Flip) event to
> change back to other machine. This is on last night's kernel
> 2.6.36-rc5+. This appears to be a regression since never seen this problem
> with earlier kernels.
{sigh}, it's as people don't look at the days archives of the mailing
list :)
The patch below is queued up to go to Linus to fix the issue.
thanks,
greg k-h
>From stern+4c863d94@xxxxxxxxxxxxxxxxxxx Tue Sep 21 13:01:42 2010
Date: Tue, 21 Sep 2010 15:01:53 -0400 (EDT)
From: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
To: Greg KH <greg@xxxxxxxxx>
cc: Jiri Kosina <jkosina@xxxxxxx>, Phil Turmel <philip@xxxxxxxxxx>,
Mat <jackdachef@xxxxxxxxx>, Guillaume Chazarain <guichaz@xxxxxxxxx>,
Andreas Bombe <aeb@xxxxxxxxxx>,
Alex Riesen <raa.lkml@xxxxxxxxx>, Gabriel C <nix.or.die@xxxxxxxxxxxxxx>
Subject: USB: fix bug in initialization of interface minor numbers
Message-ID: <Pine.LNX.4.44L0.1009211458000.1644-100000@xxxxxxxxxxxxxxxxxxxx>
Recent changes in the usbhid layer exposed a bug in usbcore. If
CONFIG_USB_DYNAMIC_MINORS is enabled then an interface may be assigned
a minor number of 0. However interfaces that aren't registered as USB
class devices also have their minor number set to 0, during
initialization. As a result usb_find_interface() may return the
wrong interface, leading to a crash.
This patch (as1418) fixes the problem by initializing every
interface's minor number to -1. It also cleans up the
usb_register_dev() function, which besides being somewhat awkwardly
written, does not unwind completely on all its error paths.
Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
Tested-by: Philip J. Turmel <philip@xxxxxxxxxx>
Tested-by: Gabriel Craciunescu <nix.or.die@xxxxxxxxxxxxxx>
Tested-by: Alex Riesen <raa.lkml@xxxxxxxxx>
CC: Jiri Kosina <jkosina@xxxxxxx>
Cc: stable <stable@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
drivers/usb/core/file.c | 35 ++++++++++++++++-------------------
drivers/usb/core/message.c | 1 +
2 files changed, 17 insertions(+), 19 deletions(-)
--- a/drivers/usb/core/file.c
+++ b/drivers/usb/core/file.c
@@ -159,9 +159,9 @@ void usb_major_cleanup(void)
int usb_register_dev(struct usb_interface *intf,
struct usb_class_driver *class_driver)
{
- int retval = -EINVAL;
+ int retval;
int minor_base = class_driver->minor_base;
- int minor = 0;
+ int minor;
char name[20];
char *temp;
@@ -173,12 +173,17 @@ int usb_register_dev(struct usb_interfac
*/
minor_base = 0;
#endif
- intf->minor = -1;
-
- dbg ("looking for a minor, starting at %d", minor_base);
if (class_driver->fops == NULL)
- goto exit;
+ return -EINVAL;
+ if (intf->minor >= 0)
+ return -EADDRINUSE;
+
+ retval = init_usb_class();
+ if (retval)
+ return retval;
+
+ dev_dbg(&intf->dev, "looking for a minor, starting at %d", minor_base);
down_write(&minor_rwsem);
for (minor = minor_base; minor < MAX_USB_MINORS; ++minor) {
@@ -186,20 +191,12 @@ int usb_register_dev(struct usb_interfac
continue;
usb_minors[minor] = class_driver->fops;
-
- retval = 0;
+ intf->minor = minor;
break;
}
up_write(&minor_rwsem);
-
- if (retval)
- goto exit;
-
- retval = init_usb_class();
- if (retval)
- goto exit;
-
- intf->minor = minor;
+ if (intf->minor < 0)
+ return -EXFULL;
/* create a usb class device for this usb interface */
snprintf(name, sizeof(name), class_driver->name, minor - minor_base);
@@ -213,11 +210,11 @@ int usb_register_dev(struct usb_interfac
"%s", temp);
if (IS_ERR(intf->usb_dev)) {
down_write(&minor_rwsem);
- usb_minors[intf->minor] = NULL;
+ usb_minors[minor] = NULL;
+ intf->minor = -1;
up_write(&minor_rwsem);
retval = PTR_ERR(intf->usb_dev);
}
-exit:
return retval;
}
EXPORT_SYMBOL_GPL(usb_register_dev);
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -1802,6 +1802,7 @@ free_interfaces:
intf->dev.groups = usb_interface_groups;
intf->dev.dma_mask = dev->dev.dma_mask;
INIT_WORK(&intf->reset_ws, __usb_queue_reset_device);
+ intf->minor = -1;
device_initialize(&intf->dev);
dev_set_name(&intf->dev, "%d-%s:%d.%d",
dev->bus->busnum, dev->devpath,
