From owner-freebsd-usb@FreeBSD.ORG  Thu Apr  7 12:10:07 2005
Return-Path: <owner-freebsd-usb@FreeBSD.ORG>
Delivered-To: freebsd-usb@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F149B16A4CE
	for <freebsd-usb@hub.freebsd.org>;
	Thu,  7 Apr 2005 12:10:07 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B17FE43D31
	for <freebsd-usb@hub.freebsd.org>;
	Thu,  7 Apr 2005 12:10:07 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j37CA7TU064488
	for <freebsd-usb@freefall.freebsd.org>; Thu, 7 Apr 2005 12:10:07 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j37CA7SZ064487;
	Thu, 7 Apr 2005 12:10:07 GMT
	(envelope-from gnats)
Resent-Date: Thu, 7 Apr 2005 12:10:07 GMT
Resent-Message-Id: <200504071210.j37CA7SZ064487@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-usb@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, hselasky@c2i.net
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A620616A4D1
	for <FreeBSD-gnats-submit@freebsd.org>;
	Thu,  7 Apr 2005 12:00:30 +0000 (GMT)
Received: from swip.net (mailfe01.swip.net [212.247.154.1])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D198143D49
	for <FreeBSD-gnats-submit@freebsd.org>;
	Thu,  7 Apr 2005 12:00:29 +0000 (GMT)
	(envelope-from hselasky@c2i.net)
Received: from mp-217-229-169.daxnet.no ([193.217.229.169] verified)
	by mailfe01.swip.net (CommuniGate Pro SMTP 4.2.9)
	with ESMTP id 337947143 for FreeBSD-gnats-submit@freebsd.org;
	Thu, 07 Apr 2005 14:00:28 +0200
Message-Id: <200504071401.30349.hselasky@c2i.net>
Date: Thu, 7 Apr 2005 14:01:29 +0200
From: Hans Petter Selasky <hselasky@c2i.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: usb/79622: USB devices can be freed twice
X-BeenThere: freebsd-usb@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: hselasky@c2i.net
List-Id: FreeBSD support for USB <freebsd-usb.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-usb>,
	<mailto:freebsd-usb-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-usb>
List-Post: <mailto:freebsd-usb@freebsd.org>
List-Help: <mailto:freebsd-usb-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-usb>,
	<mailto:freebsd-usb-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2005 12:10:08 -0000


>Number:         79622
>Category:       usb
>Synopsis:       USB devices can be freed twice
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-usb
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 07 12:10:07 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     HPS
>Release:        FreeBSD 6.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD 6.0-CURRENT FreeBSD 6.0-CURRENT #45: Mon Mar 21 15:40:17 CET 
2005 root@:/usr/obj/usr/src/sys/custom i386

>Description:
>How-To-Repeat:

If one connects a USB-HUB with subdevices and unplugs the USB-HUB, the 
subdevices are freed twice! First from device_delete_child() and then from 
usb_disconnect_port().

>Fix:

1) usb_disconnect_port() must take another parameter "free_subdev". 

2) When usb_disconnect_port() is called from any detach routine, it should 
only clear "dev->subdevs[..]" and not call 
config_detach()/device_delete_child(). The information from where this 
routine is called is passed via the "free_subdev" parameter.

3) at ehci/ohci/uhci_detach "usb_detach()" should be called. The pointer to 
the child device in devclass "usb" should be stored in the "usbd_bus" 
structure so that it can be cleared from "USB_DETACH(usb)". The 
ehci/ohci/uhci_detach routines should then check that the pointer to the 
child device has not been cleared before calling device_delete_child().
>Release-Note:
>Audit-Trail:
>Unformatted: