On Mon, 16 Jul 2012, Oliver Neukum wrote:

> On Friday, 13 July 2012, 22:59:05, Alan Stern wrote:
> > Also, you'll have to make sure that either all the keyboard LEDs are
> > off or else you modprobe usbhid with the ignoreled=1 option.
> >
> > Jiri and Oliver: What do you think of the patch? I can break it up
> > into several pieces, each making a single change.
> >
>
> I don't understand how raw_report can be NULL, otherwise
> it looks good to me.

Under some circumstances, a control or interrupt-OUT URB can be submitted twice. This will happen if the first submission fails; the queue pointers aren't updated, so the next time the queue is restarted the same URB will be submitted again.

The problem is that raw_report gets deallocated during the first submission. The second submission will then dereference and try to free an already-freed region of memory. I saw this happen during testing.

That's the reason for the change. During the second submission, raw_report will be NULL because the new code clears it during the first submission.

Alan Stern

P.S.: There are other bugs that my patch doesn't address. I can list three mistakes right away:

	The HID_SUSPENDED identifier isn't used for anything, whereas HID_REPORTED_IDLE (whatever that means) is used to indicate "suspended".

	Some error pathways in hid_suspend() don't restart things properly.

	usbhid_restart_out_queue() and usbhid_restart_ctrl_queue() don't check for disconnect or reset pending.
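A simplified user-space model of the double submission described above, added here as an example and not taken from the patch or the usbhid driver. The struct and function names are hypothetical, and it assumes the report data copied during the first attempt is still in the transfer buffer when the entry is retried.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model; these names are not the usbhid driver's. */
struct out_entry {
    unsigned char *raw_report;   /* heap copy of the report, owned by the entry */
    size_t len;
};
struct out_queue {
    struct out_entry slot[4];
    unsigned tail;               /* next entry to submit */
    unsigned char urb_buf[64];   /* stands in for the URB transfer buffer */
};

/* Submit the entry at tail; fail_next simulates a failed URB submission. */
int submit_out(struct out_queue *q, int *fail_next)
{
    struct out_entry *e = &q->slot[q->tail];
    if (e->raw_report) {         /* NULL: an earlier attempt already consumed it */
        memcpy(q->urb_buf, e->raw_report, e->len);
        free(e->raw_report);
        e->raw_report = NULL;    /* omit this and a retry reads and frees freed memory */
    }
    if (*fail_next) {
        *fail_next = 0;
        return -1;               /* tail not advanced: the same entry is retried */
    }
    q->tail = (q->tail + 1) % 4;
    return 0;
}

/* Constructed scenario: first submit fails, the restart resubmits. 0 means OK. */
int demo_retry(void)
{
    static const unsigned char report[] = { 0x01, 0x02 };  /* constructed sample */
    struct out_queue q = {0};
    int fail_next = 1;
    q.slot[0].raw_report = malloc(sizeof(report));
    if (!q.slot[0].raw_report) return -2;
    memcpy(q.slot[0].raw_report, report, sizeof(report));
    q.slot[0].len = sizeof(report);
    if (submit_out(&q, &fail_next) != -1) return 1;   /* first attempt fails */
    if (q.slot[0].raw_report != NULL) return 2;       /* pointer was cleared */
    if (submit_out(&q, &fail_next) != 0) return 3;    /* retry is safe */
    return (q.tail == 1 && !memcmp(q.urb_buf, report, sizeof(report))) ? 0 : 4;
}

int main(void) { return demo_retry(); }
```

Building this with -fsanitize=address and deleting the line that clears raw_report makes the second submit_out() call report a heap-use-after-free.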