Date: Thu, 7 Apr 2005 14:01:29 +0200
From: Hans Petter Selasky <hselasky@c2i.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: usb/79622: USB devices can be freed twice
Message-ID: <200504071401.30349.hselasky@c2i.net>
Resent-Message-ID: <200504071210.j37CA7SZ064487@freefall.freebsd.org>

>Number:         79622
>Category:       usb
>Synopsis:       USB devices can be freed twice
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-usb
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 07 12:10:07 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     HPS
>Release:        FreeBSD 6.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD 6.0-CURRENT FreeBSD 6.0-CURRENT #45: Mon Mar 21 15:40:17 CET 2005 root@:/usr/obj/usr/src/sys/custom i386

>Description:
>How-To-Repeat:
If one connects a USB-HUB with subdevices and unplugs the USB-HUB, the
subdevices are freed twice! First from device_delete_child() and then from
usb_disconnect_port().

>Fix:
1) usb_disconnect_port() must take another parameter "free_subdev".

2) When usb_disconnect_port() is called from any detach routine, it should
   only clear "dev->subdevs[..]" and not call
   config_detach()/device_delete_child(). The information from where this
   routine is called is passed via the "free_subdev" parameter.

3) At ehci/ohci/uhci_detach "usb_detach()" should be called. The pointer to
   the child device in devclass "usb" should be stored in the "usbd_bus"
   structure so that it can be cleared from "USB_DETACH(usb)". The
   ehci/ohci/uhci_detach routines should then check that the pointer to the
   child device has not been cleared before calling device_delete_child().

>Release-Note:
>Audit-Trail:
>Unformatted:
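
The ownership problem described in the report, as an added example that is not part of the original message and is not FreeBSD source. It is a simplified user-space model: struct node, disconnect_port(), delete_hub() and unplug_hub() are hypothetical names, the order of the two releases follows the report's description, and releases are counted rather than passed to free() so the double release can be observed safely.

```c
#include <stdio.h>

#define NPORTS 2

/* Simplified model (assumption), not kernel code. */
struct node {
    int releases;                   /* times this object was "freed" */
    struct node *children[NPORTS];  /* device-tree ownership */
    struct node *subdevs[NPORTS];   /* USB layer's per-port pointers, same objects */
};

/* Models usb_disconnect_port() with the proposed "free_subdev" parameter. */
static void disconnect_port(struct node *hub, int port, int free_subdev)
{
    if (hub->subdevs[port] != NULL && free_subdev)
        hub->subdevs[port]->releases++;   /* models device_delete_child() */
    hub->subdevs[port] = NULL;            /* always forget the pointer */
}

/* Models deleting the hub: the device tree releases the children, then the
 * hub's detach routine walks its ports. */
static void delete_hub(struct node *hub, int detach_frees_subdevs)
{
    for (int i = 0; i < NPORTS; i++)
        if (hub->children[i] != NULL) {
            hub->children[i]->releases++; /* release #1: the device tree */
            hub->children[i] = NULL;
        }
    for (int i = 0; i < NPORTS; i++)      /* release #2 only if the flag is set */
        disconnect_port(hub, i, detach_frees_subdevs);
}

/* Unplug a hub with NPORTS subdevices; return the highest release count. */
int unplug_hub(int detach_frees_subdevs)
{
    struct node subs[NPORTS] = {{0}}, hub = {0};
    int worst = 0;
    for (int i = 0; i < NPORTS; i++)
        hub.children[i] = hub.subdevs[i] = &subs[i];
    delete_hub(&hub, detach_frees_subdevs);
    for (int i = 0; i < NPORTS; i++)
        if (subs[i].releases > worst)
            worst = subs[i].releases;
    return worst;
}

int main(void)
{
    printf("detach frees subdevs: %d release(s); free_subdev=0: %d release(s)\n",
           unplug_hub(1), unplug_hub(0));
    return 0;
}
```

A release count above 1 corresponds to the double free in the report; with free_subdev set to 0 on the detach path each subdevice is released exactly once.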