On Tue, 20 Aug 2013, Krzysztof Mazur wrote:
> If the hub_configure() fails after setting the hdev->maxchild
> the hub->ports might be NULL or point to uninitialized kzallocated
> memory causing NULL pointer dereference in hub_quiesce() during cleanup.
>
> Now after such error the hdev->maxchild is set to 0 to avoid cleanup
> of uninitialized ports.
The idea is good, but the implementation is a little silly...
> Suggested-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Krzysztof Mazur <krzysiek@xxxxxxxxxxxx>
> ---
> drivers/usb/core/hub.c | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
> index 558313d..588c3a3 100644
> --- a/drivers/usb/core/hub.c
> +++ b/drivers/usb/core/hub.c
> @@ -1339,7 +1339,7 @@ static int hub_configure(struct usb_hub *hub,
> GFP_KERNEL);
> if (!hub->ports) {
> ret = -ENOMEM;
> - goto fail;
> + goto fail_maxchild;
> }
>
> wHubCharacteristics = le16_to_cpu(hub->descriptor->wHubCharacteristics);
> @@ -1567,6 +1567,8 @@ static int hub_configure(struct usb_hub *hub,
> hub_activate(hub, HUB_INIT);
> return 0;
>
> +fail_maxchild:
> + hdev->maxchild = 0;
> fail:
> dev_err (hub_dev, "config failed, %s (err %d)\n",
> message, ret);
Why bother with a separate jump label? Just set maxchild to 0 whenever
a failure occurs.
Alan Stern
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
