Date: Mon, 9 May 2005 18:49:14 +0200
From: Hans Petter Selasky <hselasky@c2i.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: usb/80829: possible panic when loading USB-modules
Message-ID: <200505091849.15420.hselasky@c2i.net>
Resent-Message-ID: <200505091650.j49Go8Hl049269@freefall.freebsd.org>
>Number:         80829
>Category:       usb
>Synopsis:       possible panic when loading USB-modules
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-usb
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 09 16:50:07 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     HPS
>Release:        FreeBSD 6.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD 6.0-CURRENT FreeBSD 6.0-CURRENT #45: Mon Mar 21 15:40:17 CET 2005 root@:/usr/obj/usr/src/sys/custom i386
>Description:
There is a special mechanism where probe/attach can clear an entry in the array pointed to by "uaa->ifaces". The existing USB-driver allocates the "uaa" in memory, but the "uaa->ifaces" is still on the stack! This is going to cause a panic for some devices when loaded as a module.

    usbd_status
    usbd_probe_and_attach(device_ptr_t parent, usbd_device_handle dev, int port, int addr)
    ...
        usbd_interface_handle ifaces[256]; /* 256 is the absolute max */
    ...
        uaa.ifaces = ifaces;

>How-To-Repeat:
>Fix:
Allocate "ifaces" structure in memory, and make sure it gets freed, or revert everything back to stack, which is way simpler!
>Release-Note:
>Audit-Trail:
>Unformatted:
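The first fix the PR proposes, giving the interface array the same lifetime as "uaa" so no heap object points into a dead stack frame, as an added user-space C sketch that is not FreeBSD code; the struct and type names are constructed stand-ins for the kernel's, and the array and struct share one allocation so a single free() releases both.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the USB types named in the PR. */
typedef struct usbd_interface { int index; } usbd_interface_t;
typedef usbd_interface_t *usbd_interface_handle;

#define UAA_MAX_IFACES 256 /* "256 is the absolute max" per the PR */

/* Attach args: "ifaces" points into the same heap block as the struct,
 * so it stays valid exactly as long as "uaa" does (the PR's hazard was
 * a heap "uaa" whose "ifaces" pointed at a caller's stack array). */
struct usb_attach_arg {
    int nifaces;
    usbd_interface_handle *ifaces;
};

/* Allocate attach args for "nifaces" interfaces copied from "src".
 * Returns NULL on bad count or allocation failure; free with free(). */
struct usb_attach_arg *uaa_alloc(usbd_interface_handle *src, int nifaces)
{
    if (nifaces < 0 || nifaces > UAA_MAX_IFACES || (nifaces > 0 && src == NULL))
        return NULL;
    size_t n = (size_t)nifaces;
    struct usb_attach_arg *uaa = malloc(sizeof(*uaa) + n * sizeof(*src));
    if (uaa == NULL)
        return NULL;
    uaa->nifaces = nifaces;
    uaa->ifaces = (usbd_interface_handle *)(uaa + 1); /* trailing storage */
    if (n > 0)
        memcpy(uaa->ifaces, src, n * sizeof(*src));
    return uaa;
}

/* Mimic a driver claiming interface "i": the entry is cleared so later
 * probes skip it. Bounds-checked; returns 1 if claimed, 0 otherwise. */
int uaa_claim_iface(struct usb_attach_arg *uaa, int i)
{
    if (uaa == NULL || i < 0 || i >= uaa->nifaces || uaa->ifaces[i] == NULL)
        return 0;
    uaa->ifaces[i] = NULL;
    return 1;
}

/* Number of interfaces not yet claimed by any driver. */
int uaa_unclaimed(const struct usb_attach_arg *uaa)
{
    int n = 0;
    for (int i = 0; uaa != NULL && i < uaa->nifaces; i++)
        n += (uaa->ifaces[i] != NULL);
    return n;
}
```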