Date:      Sat, 18 Aug 2001 05:41:29 -0700 (PDT)
From:      Bodo Rueskamp <br@clabsms.de>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/29847: USB usbd_probe_and_attach() is broken and may crash the system
Message-ID:  <200108181241.f7ICfTK59548@freefall.freebsd.org>


>Number:         29847
>Category:       kern
>Synopsis:       USB usbd_probe_and_attach() is broken and may crash the system
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 18 05:50:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Bodo Rueskamp
>Release:        4.3-RELEASE, 4-STABLE and 5-CURRENT
>Organization:
Communications Laboratories GmbH
>Environment:
>Description:
"usbd_probe_and_attach()" in "/sys/dev/usb/usb_subr.c" uses the
automatic variable "uaa" to store information for probe and attach
functions.

If a USB module with an active device is unloaded and reloaded,
the automatic variable "uaa" doesn't contain valid information
and the USB_MATCH function of the loaded driver (and others)
may crash the system.

>How-To-Repeat:
(1) boot a kernel without USB
(2) start "usbd" (this will load 'usbd.ko')
(3) load "ums.ko"
(4) attach a USB mouse
(5) unload "ums.ko"
(6) reload "ums.ko"
(you may use any other driver with a matching USB device in steps 3-6)

Now the USB_MATCH routine of "ums" (and "uhub") is called with a
pointer to an "uaa" which is invalid.

This causes a crash on my system, because "uaa->driver" is the
NULL pointer. This may vary on other systems.

>Fix:
Use "malloc()" to allocate "uaa" in "usbd_probe_and_attach()"
in file "/sys/dev/usb/usb_subr.c" and insert a "free()"
into the appropriate function after the device is removed
(unplugged) from the system.

>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200108181241.f7ICfTK59548>
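
The lifetime bug and the fix proposed in the report above, as an added example that is not part of the original message or the FreeBSD source: a user-space C model with hypothetical names (`attach_args`, `device`, `drv_match`) and constructed IDs. The `SHOW_BUG` block shows the stack-variable pattern and is kept out of the build because using its stored pointer is undefined behaviour.

```c
/* User-space model (hypothetical names, constructed IDs), not FreeBSD code. */
#include <stdlib.h>

struct attach_args { const char *driver; int vendor, product; };
struct device { struct attach_args *aux; };   /* the bus keeps this pointer */

/* Stand-in for a driver's match routine: it dereferences the stored args. */
static int drv_match(const struct device *dev)
{
    const struct attach_args *uaa = dev->aux;
    return uaa != NULL && uaa->driver != NULL && uaa->vendor == 0x1234;
}

#ifdef SHOW_BUG
/* Pattern from the report: "uaa" is an automatic variable, so dev->aux
 * dangles once this function returns. A later re-probe (driver reload)
 * then reads whatever the stack holds at that point. */
static int probe_and_attach_stack(struct device *dev)
{
    struct attach_args uaa = { "usb", 0x1234, 0x0001 };
    dev->aux = &uaa;
    return drv_match(dev);
}
#endif

/* Proposed fix: heap-allocate "uaa" so it lives as long as the device. */
static int probe_and_attach_heap(struct device *dev)
{
    struct attach_args *uaa = malloc(sizeof(*uaa));
    if (uaa == NULL) return -1;
    uaa->driver = "usb"; uaa->vendor = 0x1234; uaa->product = 0x0001;
    dev->aux = uaa;
    return drv_match(dev);
}

/* Device unplugged: release the args and clear the stored pointer. */
static void device_removed(struct device *dev)
{
    free(dev->aux);
    dev->aux = NULL;
}

int main(void)
{
    struct device mouse = { NULL };
    int first = probe_and_attach_heap(&mouse);
    int again = drv_match(&mouse);   /* driver reload: args are still valid */
    device_removed(&mouse);
    return (first == 1 && again == 1 && mouse.aux == NULL) ? 0 : 1;
}
```
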