Message-Id: <200611141002.18946.m.kozlowski@tuxland.pl>
Date: Tue, 14 Nov 2006 10:02:17 +0100
From: Mariusz Kozlowski <m.kozlowski@...land.pl>
To: Luca Risolia <luca.risolia@...dio.unibo.it>,
Andrew Morton <akpm@...l.org>
Cc: Linux Kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 10/33] usb: sn9c102_core free urb cleanup
Hello Luca,
> >- usb_free_urb() cleanup
> >
> >Signed-off-by: Mariusz Kozlowski <m.kozlowski@...land.pl>
> >
> >--- linux-2.6.19-rc4-orig/drivers/media/video/sn9c102/sn9c102_core.c
> > 2006-11-06 17:07:45.000000000 +0100 +++
> > linux-2.6.19-rc4/drivers/media/video/sn9c102/sn9c102_core.c 2006-11-06
> > 19:57:35.000000000 +0100 @@ -775,7 +775,7 @@ static int
> > sn9c102_start_transfer(struct
> > return 0;
> >
> > free_urbs:
> >- for (i = 0; (i < SN9C102_URBS) && cam->urb[i]; i++)
> >+ for (i = 0; i < SN9C102_URBS; i++)
> > usb_free_urb(cam->urb[i]);
> >
> > free_buffers:
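Review bot: in the free_urbs loop, dropping the `&& cam->urb[i]` guard makes the loop walk all SN9C102_URBS slots, so any slot past the first failed allocation that still holds a non-NULL pointer to an already freed URB is passed to usb_free_urb() a second time. Either keep the early-exit condition, or first make every path that frees cam->urb[i] also set the slot to NULL, and say in the changelog that the cleanup depends on that. The one-line changelog "usb_free_urb() cleanup" does not explain why removing the check is safe.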
>
> This patch might cause usb_free_urb() to fail if not all the URBs have been
> allocated successfully: in this case, the original loop stops as soon as
> cam->urb[i] == NULL (where NULL is given from the failed allocation),
> while in the second loop there might be a not null cam->urb[i+n]
> pointing to an URB that has already been deallocated elsewhere.
>
> The same bug is present in PATCH 12/33.

Err ... you are right :/ In most drivers urb pointers get zeroed right after
deallocation. Here they don't. So my patches might cause what you described.

Andrew can you please drop these two patches?

usb-zc0301_core-free-urb-cleanup.patch
usb-sn9c102_core-free-urb-cleanup.patch

Thanks.

--
Regards,
Mariusz Kozlowski
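
The failure mode discussed in this message, reduced to a userspace model as an added example (not code from the driver or from either poster): it compares the guarded and unguarded cleanup loops when slots are, or are not, cleared after being freed. `NSLOTS`, `mock_urb`, `mock_alloc`, `mock_free` and `run` are hypothetical names, and the start, stop, failed-restart sequence is an assumed way for stale pointers to end up in the array.

```c
#include <stdio.h>
#define NSLOTS 4    /* hypothetical stand-in for SN9C102_URBS */
struct mock_urb { int live; };  /* pooled, so a repeated free is counted, not UB */
static struct mock_urb pool[NSLOTS];
static int double_frees;

static struct mock_urb *mock_alloc(int idx, int fail_at)
{
    if (idx == fail_at)
        return NULL;                /* simulated allocation failure */
    pool[idx].live = 1;
    return &pool[idx];
}

static void mock_free(struct mock_urb *u)
{
    if (!u)                         /* NULL is accepted, like usb_free_urb() */
        return;
    double_frees += !u->live;       /* freeing an already-freed object */
    u->live = 0;
}

/* Returns the number of double frees hit by the cleanup after a failed start. */
static int run(int clear_on_stop, int guarded_cleanup)
{
    struct mock_urb *urb[NSLOTS] = { NULL };
    int i;
    double_frees = 0;
    for (i = 0; i < NSLOTS; i++)        /* first start: every allocation succeeds */
        urb[i] = mock_alloc(i, -1);
    for (i = 0; i < NSLOTS; i++) {      /* stop: free everything */
        mock_free(urb[i]);
        if (clear_on_stop)
            urb[i] = NULL;
    }
    for (i = 0; i < NSLOTS; i++)        /* second start: slot 1 fails */
        if (!(urb[i] = mock_alloc(i, 1)))
            break;
    for (i = 0; i < NSLOTS && (!guarded_cleanup || urb[i]); i++)
        mock_free(urb[i]);              /* the free_urbs error path */
    return double_frees;
}

int main(void)
{
    printf("stale,unguarded=%d stale,guarded=%d cleared,unguarded=%d\n",
           run(0, 0), run(0, 1), run(1, 0));
    return 0;
}
```

Only the combination of stale slots and the unguarded loop reports double frees; clearing each slot after freeing it makes the unguarded loop safe.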