From owner-svn-src-stable@freebsd.org Mon Nov 7 09:27:08 2016 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1E833C34CCF; Mon, 7 Nov 2016 09:27:08 +0000 (UTC) (envelope-from hselasky@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E9720A01; Mon, 7 Nov 2016 09:27:07 +0000 (UTC) (envelope-from hselasky@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uA79R7W1051399; Mon, 7 Nov 2016 09:27:07 GMT (envelope-from hselasky@FreeBSD.org) Received: (from hselasky@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uA79R5GG051383; Mon, 7 Nov 2016 09:27:05 GMT (envelope-from hselasky@FreeBSD.org) Message-Id: <201611070927.uA79R5GG051383@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: hselasky set sender to hselasky@FreeBSD.org using -f From: Hans Petter Selasky Date: Mon, 7 Nov 2016 09:27:05 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org Subject: svn commit: r308404 - in stable/8/sys: dev/puc dev/usb dev/usb/controller kern mips/atheros mips/cavium/usb mips/rmi X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Nov 2016 09:27:08 -0000 Author: hselasky Date: Mon Nov 7 09:27:05 2016 New Revision: 308404 URL: https://svnweb.freebsd.org/changeset/base/308404 Log: MFC r307518: Fix device delete child function. When detaching device trees parent devices must be detached prior to detaching its children. This is because parent devices can have pointers to the child devices in their softcs which are not invalidated by device_delete_child(). This can cause use after free issues and panic(). Device drivers implementing trees, must ensure its detach function detaches or deletes all its children before returning. While at it remove now redundant device_detach() calls before device_delete_child() and device_delete_children(), mostly in the USB controller drivers. Tested by: Jan Henrik Sylvester Reviewed by: jhb Differential Revision: https://reviews.freebsd.org/D8070 Modified: stable/8/sys/dev/puc/puc.c stable/8/sys/dev/usb/controller/at91dci_atmelarm.c stable/8/sys/dev/usb/controller/atmegadci_atmelarm.c stable/8/sys/dev/usb/controller/ehci_ixp4xx.c stable/8/sys/dev/usb/controller/ehci_pci.c stable/8/sys/dev/usb/controller/musb_otg_atmelarm.c stable/8/sys/dev/usb/controller/ohci_pci.c stable/8/sys/dev/usb/controller/uhci_pci.c stable/8/sys/dev/usb/controller/uss820dci_atmelarm.c stable/8/sys/dev/usb/controller/xhci_pci.c stable/8/sys/dev/usb/usb_device.c stable/8/sys/kern/subr_bus.c stable/8/sys/mips/atheros/ar71xx_ehci.c stable/8/sys/mips/atheros/ar71xx_ohci.c stable/8/sys/mips/cavium/usb/octusb_octeon.c stable/8/sys/mips/rmi/xls_ehci.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/arm/ (props changed) stable/8/sys/boot/ (props changed) stable/8/sys/dev/ (props changed) stable/8/sys/dev/puc/ (props changed) stable/8/sys/dev/usb/ (props changed) stable/8/sys/kern/ (props changed) stable/8/sys/mips/ (props changed) Modified: stable/8/sys/dev/puc/puc.c ============================================================================== --- stable/8/sys/dev/puc/puc.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/dev/puc/puc.c Mon Nov 7 09:27:05 2016 (r308404) @@ -412,8 +412,7 @@ puc_bfe_detach(device_t dev) port = &sc->sc_port[idx]; if (port->p_dev == NULL) continue; - if (device_detach(port->p_dev) == 0) { - device_delete_child(dev, port->p_dev); + if (device_delete_child(dev, port->p_dev) == 0) { if (port->p_rres != NULL) rman_release_resource(port->p_rres); if (port->p_ires != NULL) Modified: stable/8/sys/dev/usb/controller/at91dci_atmelarm.c ============================================================================== --- stable/8/sys/dev/usb/controller/at91dci_atmelarm.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/dev/usb/controller/at91dci_atmelarm.c Mon Nov 7 09:27:05 2016 (r308404) @@ -261,14 +261,8 @@ static int at91_udp_detach(device_t dev) { struct at91_udp_softc *sc = device_get_softc(dev); - device_t bdev; int err; - if (sc->sc_dci.sc_bus.bdev) { - bdev = sc->sc_dci.sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_all_children(dev); Modified: stable/8/sys/dev/usb/controller/atmegadci_atmelarm.c ============================================================================== --- stable/8/sys/dev/usb/controller/atmegadci_atmelarm.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/dev/usb/controller/atmegadci_atmelarm.c Mon Nov 7 09:27:05 2016 (r308404) @@ -154,14 +154,8 @@ static int atmegadci_detach(device_t dev) { struct atmegadci_super_softc *sc = device_get_softc(dev); - device_t bdev; int err; - if (sc->sc_otg.sc_bus.bdev) { - bdev = sc->sc_otg.sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_all_children(dev); Modified: stable/8/sys/dev/usb/controller/ehci_ixp4xx.c ============================================================================== --- stable/8/sys/dev/usb/controller/ehci_ixp4xx.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/dev/usb/controller/ehci_ixp4xx.c Mon Nov 7 09:27:05 2016 (r308404) @@ -206,14 +206,8 @@ ehci_ixp_detach(device_t self) { struct ixp_ehci_softc *isc = device_get_softc(self); ehci_softc_t *sc = &isc->base; - device_t bdev; int err; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_all_children(self); Modified: stable/8/sys/dev/usb/controller/ehci_pci.c ============================================================================== --- stable/8/sys/dev/usb/controller/ehci_pci.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/dev/usb/controller/ehci_pci.c Mon Nov 7 09:27:05 2016 (r308404) @@ -458,13 +458,7 @@ static int ehci_pci_detach(device_t self) { ehci_softc_t *sc = device_get_softc(self); - device_t bdev; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_all_children(self); Modified: stable/8/sys/dev/usb/controller/musb_otg_atmelarm.c ============================================================================== --- stable/8/sys/dev/usb/controller/musb_otg_atmelarm.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/dev/usb/controller/musb_otg_atmelarm.c Mon Nov 7 09:27:05 2016 (r308404) @@ -179,14 +179,8 @@ static int musbotg_detach(device_t dev) { struct musbotg_super_softc *sc = device_get_softc(dev); - device_t bdev; int err; - if (sc->sc_otg.sc_bus.bdev) { - bdev = sc->sc_otg.sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_all_children(dev); Modified: stable/8/sys/dev/usb/controller/ohci_pci.c ============================================================================== --- stable/8/sys/dev/usb/controller/ohci_pci.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/dev/usb/controller/ohci_pci.c Mon Nov 7 09:27:05 2016 (r308404) @@ -329,13 +329,7 @@ static int ohci_pci_detach(device_t self) { ohci_softc_t *sc = device_get_softc(self); - device_t bdev; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_all_children(self); Modified: stable/8/sys/dev/usb/controller/uhci_pci.c ============================================================================== --- stable/8/sys/dev/usb/controller/uhci_pci.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/dev/usb/controller/uhci_pci.c Mon Nov 7 09:27:05 2016 (r308404) @@ -379,13 +379,7 @@ int uhci_pci_detach(device_t self) { uhci_softc_t *sc = device_get_softc(self); - device_t bdev; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_all_children(self); Modified: stable/8/sys/dev/usb/controller/uss820dci_atmelarm.c ============================================================================== --- stable/8/sys/dev/usb/controller/uss820dci_atmelarm.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/dev/usb/controller/uss820dci_atmelarm.c Mon Nov 7 09:27:05 2016 (r308404) @@ -168,14 +168,8 @@ static int uss820_atmelarm_detach(device_t dev) { struct uss820dci_softc *sc = device_get_softc(dev); - device_t bdev; int err; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_all_children(dev); Modified: stable/8/sys/dev/usb/controller/xhci_pci.c ============================================================================== --- stable/8/sys/dev/usb/controller/xhci_pci.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/dev/usb/controller/xhci_pci.c Mon Nov 7 09:27:05 2016 (r308404) @@ -294,13 +294,7 @@ static int xhci_pci_detach(device_t self) { struct xhci_softc *sc = device_get_softc(self); - device_t bdev; - if (sc->sc_bus.bdev != NULL) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_all_children(self); Modified: stable/8/sys/dev/usb/usb_device.c ============================================================================== --- stable/8/sys/dev/usb/usb_device.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/dev/usb/usb_device.c Mon Nov 7 09:27:05 2016 (r308404) @@ -1074,10 +1074,8 @@ usb_detach_device_sub(struct usb_device device_printf(dev, "Resume failed\n"); } } - if (device_detach(dev)) { - goto error; - } } + /* detach and delete child */ if (device_delete_child(udev->parent_dev, dev)) { goto error; } Modified: stable/8/sys/kern/subr_bus.c ============================================================================== --- stable/8/sys/kern/subr_bus.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/kern/subr_bus.c Mon Nov 7 09:27:05 2016 (r308404) @@ -1896,15 +1896,17 @@ device_delete_child(device_t dev, device PDEBUG(("%s from %s", DEVICENAME(child), DEVICENAME(dev))); - /* remove children first */ + /* detach parent before deleting children, if any */ + if ((error = device_detach(child)) != 0) + return (error); + + /* remove children second */ while ((grandchild = TAILQ_FIRST(&child->children)) != NULL) { error = device_delete_child(child, grandchild); if (error) return (error); } - if ((error = device_detach(child)) != 0) - return (error); if (child->devclass) devclass_delete_device(child->devclass, child); TAILQ_REMOVE(&dev->children, child, link); Modified: stable/8/sys/mips/atheros/ar71xx_ehci.c ============================================================================== --- stable/8/sys/mips/atheros/ar71xx_ehci.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/mips/atheros/ar71xx_ehci.c Mon Nov 7 09:27:05 2016 (r308404) @@ -172,14 +172,8 @@ ar71xx_ehci_detach(device_t self) { struct ar71xx_ehci_softc *isc = device_get_softc(self); ehci_softc_t *sc = &isc->base; - device_t bdev; int err; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_all_children(self); Modified: stable/8/sys/mips/atheros/ar71xx_ohci.c ============================================================================== --- stable/8/sys/mips/atheros/ar71xx_ohci.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/mips/atheros/ar71xx_ohci.c Mon Nov 7 09:27:05 2016 (r308404) @@ -144,13 +144,7 @@ static int ar71xx_ohci_detach(device_t dev) { struct ar71xx_ohci_softc *sc = device_get_softc(dev); - device_t bdev; - if (sc->sc_ohci.sc_bus.bdev) { - bdev = sc->sc_ohci.sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_all_children(dev); Modified: stable/8/sys/mips/cavium/usb/octusb_octeon.c ============================================================================== --- stable/8/sys/mips/cavium/usb/octusb_octeon.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/mips/cavium/usb/octusb_octeon.c Mon Nov 7 09:27:05 2016 (r308404) @@ -150,14 +150,8 @@ static int octusb_octeon_detach(device_t dev) { struct octusb_octeon_softc *sc = device_get_softc(dev); - device_t bdev; int err; - if (sc->sc_dci.sc_bus.bdev) { - bdev = sc->sc_dci.sc_bus.bdev; - device_detach(bdev); - device_delete_child(dev, bdev); - } /* during module unload there are lots of children leftover */ device_delete_all_children(dev); Modified: stable/8/sys/mips/rmi/xls_ehci.c ============================================================================== --- stable/8/sys/mips/rmi/xls_ehci.c Mon Nov 7 09:23:07 2016 (r308403) +++ stable/8/sys/mips/rmi/xls_ehci.c Mon Nov 7 09:27:05 2016 (r308404) @@ -170,14 +170,8 @@ static int ehci_xls_detach(device_t self) { ehci_softc_t *sc = device_get_softc(self); - device_t bdev; int err; - if (sc->sc_bus.bdev) { - bdev = sc->sc_bus.bdev; - device_detach(bdev); - device_delete_child(self, bdev); - } /* during module unload there are lots of children leftover */ device_delete_all_children(self);