Ignoring usb_hub_create_port_device() errors cause later NULL pointer
deference when uninitialized hub->ports[i] entries are dereferenced
after port memory allocation error.
Signed-off-by: Krzysztof Mazur <krzysiek@xxxxxxxxxxxx>
---
I'm not sure if failing in that case is a good idea, but other solutions
are more complex.
I tried also changing hdev->maxchild and skiping initialization
of later ports, but it didn't work because in some cases
hub->descriptor->bNbrPorts is used instead of hdev->maxchild.
With simulated usb_hub_create_port_device() failure I have an Oops
in hub_power_on().
Another possible solution is allowing for uninitialized ports and
checking for hub->ports[i] == NULL.
drivers/usb/core/hub.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 588c3a3..afd334b 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1557,10 +1557,15 @@ static int hub_configure(struct usb_hub *hub,
if (hub->has_indicators && blinkenlights)
hub->indicator [0] = INDICATOR_CYCLE;
- for (i = 0; i < hdev->maxchild; i++)
- if (usb_hub_create_port_device(hub, i + 1) < 0)
+ for (i = 0; i < hdev->maxchild; i++) {
+ ret = usb_hub_create_port_device(hub, i + 1);
+ if (ret < 0) {
dev_err(hub->intfdev,
"couldn't create port%d device.\n", i + 1);
+ hdev->maxchild = i;
+ goto fail;
+ }
+ }
usb_hub_adjust_deviceremovable(hdev, hub->descriptor);
--
1.8.4.rc1.409.gbd48715
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
