usb/79622: USB devices can be freed twice
Hans Petter Selasky
hselasky at c2i.net
Thu Apr 7 05:10:08 PDT 2005
>Number: 79622
>Category: usb
>Synopsis: USB devices can be freed twice
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-usb
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Apr 07 12:10:07 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: HPS
>Release: FreeBSD 6.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD 6.0-CURRENT FreeBSD 6.0-CURRENT #45: Mon Mar 21 15:40:17 CET
2005 root@:/usr/obj/usr/src/sys/custom i386
>Description:
>How-To-Repeat:
If one connects a USB-HUB with subdevices and unplugs the USB-HUB, the
subdevices are freed twice! First from device_delete_child() and then from
usb_disconnect_port().
>Fix:
1) usb_disconnect_port() must take another parameter "free_subdev".
2) When usb_disconnect_port() is called from any detach routine, it should
only clear "dev->subdevs[..]" and not call
config_detach()/device_delete_child(). The information from where this
routine is called is passed via the "free_subdev" parameter.
3) At ehci/ohci/uhci_detach "usb_detach()" should be called. The pointer to
the child device in devclass "usb" should be stored in the "usbd_bus"
structure so that it can be cleared from "USB_DETACH(usb)". The
ehci/ohci/uhci_detach routines should then check that the pointer to the
child device has not been cleared before calling device_delete_child().
>Release-Note:
>Audit-Trail:
>Unformatted:
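
The ownership rule proposed under ">Fix:" can be seen in a small user-space model. This is an added example, not part of the original report and not FreeBSD code. Every model_* name is hypothetical, and a release is counted rather than passed to free() so the double release can be observed safely.

```c
/* User-space model of the teardown paths; not FreeBSD kernel code. */
#include <stddef.h>
#include <stdio.h>

#define MODEL_SUBDEVS 2

/* A release is counted instead of calling free(), so a double free is
 * observable without undefined behaviour. */
struct model_dev { int releases; };
struct model_hub { struct model_dev *subdevs[MODEL_SUBDEVS]; };

/* Stand-in for device_delete_child(). */
static void model_delete_child(struct model_dev *d) { d->releases++; }

/* Stand-in for usb_disconnect_port() with the proposed "free_subdev"
 * parameter: the slot is always cleared, the child is only released when
 * the caller still owns it. */
static void model_disconnect_port(struct model_hub *h, int free_subdev)
{
    for (size_t i = 0; i < MODEL_SUBDEVS; i++) {
        if (h->subdevs[i] == NULL)
            continue;
        if (free_subdev)
            model_delete_child(h->subdevs[i]);
        h->subdevs[i] = NULL;
    }
}

/* Hub unplug: the children are deleted first, then the hub's detach routine
 * disconnects its ports. Returns the highest release count seen. */
static int model_unplug_hub(int detach_frees_subdev)
{
    struct model_dev devs[MODEL_SUBDEVS] = {{0}, {0}};
    struct model_hub hub = {{&devs[0], &devs[1]}};
    int worst = 0;

    for (size_t i = 0; i < MODEL_SUBDEVS; i++)
        model_delete_child(&devs[i]);                 /* first release */
    model_disconnect_port(&hub, detach_frees_subdev); /* detach path */

    for (size_t i = 0; i < MODEL_SUBDEVS; i++)
        if (devs[i].releases > worst)
            worst = devs[i].releases;
    return worst;
}

int main(void)
{
    printf("detach frees subdevs: %d release(s) per child\n", model_unplug_hub(1));
    printf("detach only clears:   %d release(s) per child\n", model_unplug_hub(0));
    return 0;
}
```

A release count of 2 corresponds to the double free described under ">How-To-Repeat:"; passing 0 from the detach path leaves each child released exactly once.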