tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

HID: fix start/stop cycle in usbhid driver

`stop' left out usbhid->urb* pointers and so the next `start' thought
it needs to allocate nothing and used the memory pointers previously
pointed to. This led to memory corruption and device malfunction.

Also don't forget to clear disconnect flag on start which was left set
by the previous `stop'.

This fixes

echo DEVICE > /sys/bus/hid/drivers/DRIVER/unbind
echo DEVICE > /sys/bus/hid/drivers/DRIVER/bind

failures.

Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>

authored by Jiri Slaby and committed by Jiri Kosina e3e14de5 43ff3a48

+8
unified split
+8
drivers/hid/usbhid/hid-core.c
··· 781 781 unsigned int n, insize = 0; 782 782 int ret; 783 783 784 + clear_bit(HID_DISCONNECTED, &usbhid->iofl); 785 + 784 786 usbhid->bufsize = HID_MIN_BUFFER_SIZE; 785 787 hid_find_max_report(hid, HID_INPUT_REPORT, &usbhid->bufsize); 786 788 hid_find_max_report(hid, HID_OUTPUT_REPORT, &usbhid->bufsize); ··· 890 888 usb_free_urb(usbhid->urbin); 891 889 usb_free_urb(usbhid->urbout); 892 890 usb_free_urb(usbhid->urbctrl); 891 + usbhid->urbin = NULL; 892 + usbhid->urbout = NULL; 893 + usbhid->urbctrl = NULL; 893 894 hid_free_buffers(dev, hid); 894 895 mutex_unlock(&usbhid->setup); 895 896 return ret; ··· 929 924 usb_free_urb(usbhid->urbin); 930 925 usb_free_urb(usbhid->urbctrl); 931 926 usb_free_urb(usbhid->urbout); 927 + usbhid->urbin = NULL; /* don't mess up next start */ 928 + usbhid->urbctrl = NULL; 929 + usbhid->urbout = NULL; 932 930 933 931 hid_free_buffers(hid_to_usb_dev(hid), hid); 934 932 mutex_unlock(&usbhid->setup);