From owner-svn-src-stable@freebsd.org Mon Nov 7 09:23:10 2016 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D7386C34BF1; Mon, 7 Nov 2016 09:23:10 +0000 (UTC) (envelope-from hselasky@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A41CD6E4; Mon, 7 Nov 2016 09:23:10 +0000 (UTC) (envelope-from hselasky@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uA79N9S0051208; Mon, 7 Nov 2016 09:23:09 GMT (envelope-from hselasky@FreeBSD.org) Received: (from hselasky@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uA79N7hc051188; Mon, 7 Nov 2016 09:23:07 GMT (envelope-from hselasky@FreeBSD.org) Message-Id: <201611070923.uA79N7hc051188@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: hselasky set sender to hselasky@FreeBSD.org using -f From: Hans Petter Selasky Date: Mon, 7 Nov 2016 09:23:07 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r308403 - in stable/9/sys: dev/puc dev/usb dev/usb/controller kern mips/atheros mips/cavium/usb mips/rmi mips/rt305x X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Nov 2016 09:23:10 -0000 Author: hselasky Date: Mon Nov 7 09:23:07 2016 New Revision: 308403 URL: https://svnweb.freebsd.org/changeset/base/308403 Log: MFC r307518: Fix device delete child function. When detaching device trees parent devices must be detached prior to detaching its children. This is because parent devices can have pointers to the child devices in their softcs which are not invalidated by device_delete_child(). This can cause use after free issues and panic(). Device drivers implementing trees, must ensure its detach function detaches or deletes all its children before returning. While at it remove now redundant device_detach() calls before device_delete_child() and device_delete_children(), mostly in the USB controller drivers. Tested by: Jan Henrik Sylvester Reviewed by: jhb Differential Revision: https://reviews.freebsd.org/D8070 Modified: stable/9/sys/dev/puc/puc.c stable/9/sys/dev/usb/controller/at91dci_atmelarm.c stable/9/sys/dev/usb/controller/atmegadci_atmelarm.c stable/9/sys/dev/usb/controller/ehci_ixp4xx.c stable/9/sys/dev/usb/controller/ehci_mv.c stable/9/sys/dev/usb/controller/ehci_pci.c stable/9/sys/dev/usb/controller/musb_otg_atmelarm.c stable/9/sys/dev/usb/controller/ohci_pci.c stable/9/sys/dev/usb/controller/ohci_s3c24x0.c stable/9/sys/dev/usb/controller/uhci_pci.c stable/9/sys/dev/usb/controller/uss820dci_atmelarm.c stable/9/sys/dev/usb/controller/xhci_pci.c stable/9/sys/dev/usb/usb_device.c stable/9/sys/kern/subr_bus.c stable/9/sys/mips/atheros/ar71xx_ehci.c stable/9/sys/mips/atheros/ar71xx_ohci.c stable/9/sys/mips/cavium/usb/octusb_octeon.c stable/9/sys/mips/rmi/xls_ehci.c stable/9/sys/mips/rt305x/rt305x_dotg.c Directory Properties: stable/9/sys/ (props changed) stable/9/sys/boot/ (props changed) stable/9/sys/dev/puc/ (props changed) Modified: stable/9/sys/dev/puc/puc.c ============================================================================== --- stable/9/sys/dev/puc/puc.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/dev/puc/puc.c Mon Nov 7 09:23:07 2016 (r308403) @@ -412,8 +412,7 @@ puc_bfe_detach(device_t dev) port = &sc->sc_port[idx]; if (port->p_dev == NULL) continue; - if (device_detach(port->p_dev) == 0) { - device_delete_child(dev, port->p_dev); + if (device_delete_child(dev, port->p_dev) == 0) { if (port->p_rres != NULL) rman_release_resource(port->p_rres); if (port->p_ires != NULL) Modified: stable/9/sys/dev/usb/controller/at91dci_atmelarm.c ============================================================================== --- stable/9/sys/dev/usb/controller/at91dci_atmelarm.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/dev/usb/controller/at91dci_atmelarm.c Mon Nov 7 09:23:07 2016 (r308403) @@ -262,14 +262,8 @@ static int at91_udp_detach(device_t dev) { struct at91_udp_softc *sc = device_get_softc(dev); - device_t bdev; int err; - if (sc->sc_dci.sc_bus.bdev) { - bdev = sc->sc_dci.sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(dev); Modified: stable/9/sys/dev/usb/controller/atmegadci_atmelarm.c ============================================================================== --- stable/9/sys/dev/usb/controller/atmegadci_atmelarm.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/dev/usb/controller/atmegadci_atmelarm.c Mon Nov 7 09:23:07 2016 (r308403) @@ -155,14 +155,8 @@ static int atmegadci_detach(device_t dev) { struct atmegadci_super_softc *sc = device_get_softc(dev); - device_t bdev; int err; - if (sc->sc_otg.sc_bus.bdev) { - bdev = sc->sc_otg.sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(dev); Modified: stable/9/sys/dev/usb/controller/ehci_ixp4xx.c ============================================================================== --- stable/9/sys/dev/usb/controller/ehci_ixp4xx.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/dev/usb/controller/ehci_ixp4xx.c Mon Nov 7 09:23:07 2016 (r308403) @@ -207,14 +207,8 @@ ehci_ixp_detach(device_t self) { struct ixp_ehci_softc *isc = device_get_softc(self); ehci_softc_t *sc = &isc->base; - device_t bdev; int err; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(self); Modified: stable/9/sys/dev/usb/controller/ehci_mv.c ============================================================================== --- stable/9/sys/dev/usb/controller/ehci_mv.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/dev/usb/controller/ehci_mv.c Mon Nov 7 09:23:07 2016 (r308403) @@ -239,14 +239,8 @@ static int mv_ehci_detach(device_t self) { ehci_softc_t *sc = device_get_softc(self); - device_t bdev; int err; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(self); Modified: stable/9/sys/dev/usb/controller/ehci_pci.c ============================================================================== --- stable/9/sys/dev/usb/controller/ehci_pci.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/dev/usb/controller/ehci_pci.c Mon Nov 7 09:23:07 2016 (r308403) @@ -467,13 +467,7 @@ static int ehci_pci_detach(device_t self) { ehci_softc_t *sc = device_get_softc(self); - device_t bdev; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(self); Modified: stable/9/sys/dev/usb/controller/musb_otg_atmelarm.c ============================================================================== --- stable/9/sys/dev/usb/controller/musb_otg_atmelarm.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/dev/usb/controller/musb_otg_atmelarm.c Mon Nov 7 09:23:07 2016 (r308403) @@ -204,14 +204,8 @@ static int musbotg_detach(device_t dev) { struct musbotg_super_softc *sc = device_get_softc(dev); - device_t bdev; int err; - if (sc->sc_otg.sc_bus.bdev) { - bdev = sc->sc_otg.sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(dev); Modified: stable/9/sys/dev/usb/controller/ohci_pci.c ============================================================================== --- stable/9/sys/dev/usb/controller/ohci_pci.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/dev/usb/controller/ohci_pci.c Mon Nov 7 09:23:07 2016 (r308403) @@ -332,13 +332,7 @@ static int ohci_pci_detach(device_t self) { ohci_softc_t *sc = device_get_softc(self); - device_t bdev; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(self); Modified: stable/9/sys/dev/usb/controller/ohci_s3c24x0.c ============================================================================== --- stable/9/sys/dev/usb/controller/ohci_s3c24x0.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/dev/usb/controller/ohci_s3c24x0.c Mon Nov 7 09:23:07 2016 (r308403) @@ -148,14 +148,8 @@ static int ohci_s3c24x0_detach(device_t dev) { struct ohci_softc *sc = device_get_softc(dev); - device_t bdev; int err; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(dev); Modified: stable/9/sys/dev/usb/controller/uhci_pci.c ============================================================================== --- stable/9/sys/dev/usb/controller/uhci_pci.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/dev/usb/controller/uhci_pci.c Mon Nov 7 09:23:07 2016 (r308403) @@ -387,13 +387,7 @@ int uhci_pci_detach(device_t self) { uhci_softc_t *sc = device_get_softc(self); - device_t bdev; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(self); Modified: stable/9/sys/dev/usb/controller/uss820dci_atmelarm.c ============================================================================== --- stable/9/sys/dev/usb/controller/uss820dci_atmelarm.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/dev/usb/controller/uss820dci_atmelarm.c Mon Nov 7 09:23:07 2016 (r308403) @@ -169,14 +169,8 @@ static int uss820_atmelarm_detach(device_t dev) { struct uss820dci_softc *sc = device_get_softc(dev); - device_t bdev; int err; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(dev); Modified: stable/9/sys/dev/usb/controller/xhci_pci.c ============================================================================== --- stable/9/sys/dev/usb/controller/xhci_pci.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/dev/usb/controller/xhci_pci.c Mon Nov 7 09:23:07 2016 (r308403) @@ -311,13 +311,7 @@ static int xhci_pci_detach(device_t self) { struct xhci_softc *sc = device_get_softc(self); - device_t bdev; - if (sc->sc_bus.bdev != NULL) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(self); Modified: stable/9/sys/dev/usb/usb_device.c ============================================================================== --- stable/9/sys/dev/usb/usb_device.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/dev/usb/usb_device.c Mon Nov 7 09:23:07 2016 (r308403) @@ -1073,10 +1073,8 @@ usb_detach_device_sub(struct usb_device device_printf(dev, "Resume failed\n"); } } - if (device_detach(dev)) { - goto error; - } } + /* detach and delete child */ if (device_delete_child(udev->parent_dev, dev)) { goto error; } Modified: stable/9/sys/kern/subr_bus.c ============================================================================== --- stable/9/sys/kern/subr_bus.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/kern/subr_bus.c Mon Nov 7 09:23:07 2016 (r308403) @@ -1864,15 +1864,17 @@ device_delete_child(device_t dev, device PDEBUG(("%s from %s", DEVICENAME(child), DEVICENAME(dev))); - /* remove children first */ + /* detach parent before deleting children, if any */ + if ((error = device_detach(child)) != 0) + return (error); + + /* remove children second */ while ((grandchild = TAILQ_FIRST(&child->children)) != NULL) { error = device_delete_child(child, grandchild); if (error) return (error); } - if ((error = device_detach(child)) != 0) - return (error); if (child->devclass) devclass_delete_device(child->devclass, child); if (child->parent) Modified: stable/9/sys/mips/atheros/ar71xx_ehci.c ============================================================================== --- stable/9/sys/mips/atheros/ar71xx_ehci.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/mips/atheros/ar71xx_ehci.c Mon Nov 7 09:23:07 2016 (r308403) @@ -194,14 +194,8 @@ ar71xx_ehci_detach(device_t self) { struct ar71xx_ehci_softc *isc = device_get_softc(self); ehci_softc_t *sc = &isc->base; - device_t bdev; int err; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(self); Modified: stable/9/sys/mips/atheros/ar71xx_ohci.c ============================================================================== --- stable/9/sys/mips/atheros/ar71xx_ohci.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/mips/atheros/ar71xx_ohci.c Mon Nov 7 09:23:07 2016 (r308403) @@ -143,13 +143,7 @@ static int ar71xx_ohci_detach(device_t dev) { struct ar71xx_ohci_softc *sc = device_get_softc(dev); - device_t bdev; - if (sc->sc_ohci.sc_bus.bdev) { - bdev = sc->sc_ohci.sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(dev); Modified: stable/9/sys/mips/cavium/usb/octusb_octeon.c ============================================================================== --- stable/9/sys/mips/cavium/usb/octusb_octeon.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/mips/cavium/usb/octusb_octeon.c Mon Nov 7 09:23:07 2016 (r308403) @@ -151,14 +151,8 @@ static int octusb_octeon_detach(device_t dev) { struct octusb_octeon_softc *sc = device_get_softc(dev); - device_t bdev; int err; - if (sc->sc_dci.sc_bus.bdev) { - bdev = sc->sc_dci.sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(dev); Modified: stable/9/sys/mips/rmi/xls_ehci.c ============================================================================== --- stable/9/sys/mips/rmi/xls_ehci.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/mips/rmi/xls_ehci.c Mon Nov 7 09:23:07 2016 (r308403) @@ -164,14 +164,8 @@ static int ehci_xls_detach(device_t self) { ehci_softc_t *sc = device_get_softc(self); - device_t bdev; int err; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(self); Modified: stable/9/sys/mips/rt305x/rt305x_dotg.c ============================================================================== --- stable/9/sys/mips/rt305x/rt305x_dotg.c Mon Nov 7 09:19:04 2016 (r308402) +++ stable/9/sys/mips/rt305x/rt305x_dotg.c Mon Nov 7 09:23:07 2016 (r308403) @@ -167,14 +167,8 @@ static int dotg_obio_detach(device_t dev) { struct dotg_obio_softc *sc = device_get_softc(dev); - device_t bdev; int err; - if (sc->sc_dci.sc_bus.bdev) { - bdev = sc->sc_dci.sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_children(dev);