To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Chuck Tuffli
Subject: git: 10d5404adb11 - main - bhyve: fix USB mouse requests
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: chuck
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 10d5404adb11773969a600428d1abeb4308d98aa
Auto-Submitted: auto-generated
Date: Thu, 19 Feb 2026 22:43:02 +0000
Message-Id: <699791f6.27a7f.2efd3a0@gitrepo.freebsd.org>

The branch main has been updated by chuck:

URL: https://cgit.FreeBSD.org/src/commit/?id=10d5404adb11773969a600428d1abeb4308d98aa

commit 10d5404adb11773969a600428d1abeb4308d98aa
Author:     Chuck Tuffli
AuthorDate: 2026-02-19 22:27:49 +0000
Commit:     Chuck Tuffli
CommitDate: 2026-02-19 22:27:49 +0000

    bhyve: fix USB mouse requests

    USB HCI requests may not include HCI transfer block structures (i.e.,
    xfer->data[] == NULL), but in several places, the USB mouse emulation
    code assumes one will exist. This can lead to a NULL pointer
    dereference and a SEGV in the bhyve process as observed via
    experiments with an Ubuntu guest and PyUSB code. Note that many of the
    cases processing other request types already checked for data == NULL.

    While in the neighborhood, fix a typo in the loop iterating over the
    usb_data_xfer_block array which used the wrong variable to check for
    valid data (idx vs. i).

    Reported by:    danmcd@edgecast.io
    Obtained from:  SmartOS
    MFC after:      1 week
    Relnotes:       yes
    Reviewed by:    imp
    Differential Revision:  https://reviews.freebsd.org/D54661
---
 usr.sbin/bhyve/usb_mouse.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/usr.sbin/bhyve/usb_mouse.c b/usr.sbin/bhyve/usb_mouse.c index 5caad886e082..6c0b051c67f2 100644 --- a/usr.sbin/bhyve/usb_mouse.c +++ b/usr.sbin/bhyve/usb_mouse.c @@ -343,7 +343,7 @@ umouse_request(void *scarg, struct usb_data_xfer *xfer) idx = xfer->head; for (i = 0; i < xfer->ndata; i++) { xfer->data[idx].bdone = 0; - if (data == NULL && USB_DATA_OK(xfer,i)) { + if (data == NULL && USB_DATA_OK(xfer, idx)) { data = &xfer->data[idx]; udata = data->buf; } @@ -529,7 +529,9 @@ umouse_request(void *scarg, struct usb_data_xfer *xfer) case UREQ(UR_GET_STATUS, UT_READ_DEVICE): DPRINTF(("umouse: (UR_GET_STATUS, UT_READ_DEVICE)")); - if (data != NULL && len > 1) { + if (data == NULL) + break; + if (len > 1) { if (sc->hid.feature == UF_DEVICE_REMOTE_WAKEUP) USETW(udata, UDS_REMOTE_WAKEUP); else @@ -538,18 +540,20 @@ umouse_request(void *scarg, struct usb_data_xfer *xfer) data->bdone += 2; } - eshort = data != NULL && data->blen > 0; + eshort = data->blen > 0; break; case UREQ(UR_GET_STATUS, UT_READ_INTERFACE): case UREQ(UR_GET_STATUS, UT_READ_ENDPOINT): DPRINTF(("umouse: (UR_GET_STATUS, UT_READ_INTERFACE)")); - if (data != NULL && len > 1) { + if (data == NULL) + break; + if (len > 1) { USETW(udata, 0); data->blen = len - 2; data->bdone += 2; } - eshort = data != NULL && data->blen > 0; + eshort = data->blen > 0; break; case UREQ(UR_SET_ADDRESS, UT_WRITE_DEVICE): 
@@ -629,21 +633,25 @@ umouse_request(void *scarg, struct usb_data_xfer *xfer) break; case UREQ(UMOUSE_GET_IDLE, UT_READ_CLASS_INTERFACE): - if (data != NULL && len > 0) { + if (data == NULL) + break; + if (len > 0) { *udata = sc->hid.idle; data->blen = len - 1; data->bdone += 1; } - eshort = data != NULL && data->blen > 0; + eshort = data->blen > 0; break; case UREQ(UMOUSE_GET_PROTOCOL, UT_READ_CLASS_INTERFACE): - if (data != NULL && len > 0) { + if (data == NULL) + break; + if (len > 0) { *udata = sc->hid.protocol; data->blen = len - 1; data->bdone += 1; } - eshort = data != NULL && data->blen > 0; + eshort = data->blen > 0; break; case UREQ(UMOUSE_SET_REPORT, UT_WRITE_CLASS_INTERFACE):
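
Review bot: In the block-scan loop of umouse_request() (hunk at -343), `i` is now only the iteration count while `idx` is the position used to index `xfer->data[]`, and nothing in the code says so, which is how `USB_DATA_OK(xfer,i)` got in. A one-line comment above the loop stating that `idx` is the index and `i` only counts iterations would keep the two from being mixed up again. Note also that `xfer->data[idx].bdone = 0` is still written before the validity check, so it applies to every slot visited; if that is intended, the same comment is the place to say it.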
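
Review bot: In the UR_GET_STATUS / UT_READ_DEVICE case (hunk at -529), the new `if (data == NULL) break;` leaves the switch without assigning `eshort`, where the old `eshort = data != NULL && data->blen > 0;` always set it to 0 on this path. The initialisation of `eshort` is not visible in this diff, so either confirm it is zeroed before the switch or write `eshort = 0;` ahead of the `break`. The same applies to the three other cases that gain the early break.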
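
Review bot: In the UR_GET_STATUS interface/endpoint case (hunk at -538), the two-byte `USETW(udata, 0)` is gated only on `len > 1`, and `data->blen` is then overwritten with `len - 2` rather than consulted. If `len` comes from the guest's request and is not already bounded by the block's buffer size earlier in the function, check the block's length before the write as well. Separately, the DPRINTF text names only UT_READ_INTERFACE although the case also handles UT_READ_ENDPOINT; naming both would keep the two distinguishable in debug output.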
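
Review bot: In the UMOUSE_GET_IDLE and UMOUSE_GET_PROTOCOL cases (hunk at -633), the `data == NULL` break is silent: unlike the GET_STATUS cases, these have no DPRINTF in the visible lines, so a guest that sends these class requests without a data block leaves no trace in debug output. A DPRINTF on the NULL path would make such requests visible when diagnosing a misbehaving guest.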