[PATCH] USB: handle usb host allocation failures gracefully

It looks like a host (like ohci or whatever) could try to allocate a new usb_device structure with usb_alloc_dev and get back a valid pointer even if the allocation of its private data failed. I first saw this in the 2.4 sources, but it looks like 2.6 has the same problem. This patch attempts to fix it by freeing dev if the ->allocate() routine fails, and then returns NULL instead of a potentially dangerous dev pointer. Signed-off-by: Jesse Barnes <jbarnes@sgi.com> Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>

[PATCH] USB: handle usb host allocation failures gracefully
It looks like a host (like ohci or whatever) could try to allocate a new usb_device structure with usb_alloc_dev and get back a valid pointer even if the allocation of its private data failed. I first saw this in the 2.4 sources, but it looks like 2.6 has the same problem. This patch attempts to fix it by freeing dev if the ->allocate() routine fails, and then returns NULL instead of a potentially dangerous dev pointer. Signed-off-by: Jesse Barnes <jbarnes@sgi.com> Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
ec211cf2 · Jesse Barnes · Greg Kroah-Hartman · 888df350 · ec211cf2
Commit ec211cf2 authored Sep 29, 2004 by Jesse Barnes Committed by Greg Kroah-Hartman Sep 29, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

drivers/usb/core/usb.c drivers/usb/core/usb.c +4 -1

No files found.
--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c
@@ -775,7 +775,10 @@ usb_alloc_dev(struct usb_device *parent, struct usb_bus *bus, unsigned port)
 	init_MUTEX(&dev->serialize);

 	if (dev->bus->op->allocate)
-		dev->bus->op->allocate(dev);
+		if (dev->bus->op->allocate(dev)) {
+			kfree(dev);
+			return NULL;
+		}

 	return dev;
 }