Date: Fri, 21 Jan 2000 10:34:20 -0500 (EST)
From: Louis Mamakos <louie@TransSys.COM>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/16256: USB stack panic on null pointer dereference
Message-ID: <200001211534.KAA13767@whizzo.transsys.com>
>Number: 16256
>Category: kern
>Synopsis: USB stack panic on null pointer dereference
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jan 21 07:40:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Louis Mamakos
>Release: FreeBSD 4.0-CURRENT i386
>Organization:
>Environment:
4.0-current, using ugen device driver
>Description:
See PR kern/16168 for details. Essentially, if a set configuration ioctl() is performed on /dev/ugenX.0 while any other endpoints are open (e.g., /dev/ugenX.2), subsequent I/O on the other endpoints will likely cause a null pointer dereference.
>How-To-Repeat:
as above
>Fix:
This is just a work-around. As discussed in the previous PR, the "right" answer depends on what the semantics of the driver need to be. Possibly device reconfiguration requests shouldn't be allowed if other endpoints are open? The work-around simply removes #ifdef DIAGNOSTIC around some existing tests to bail out early.

Index: ugen.c
===================================================================
RCS file: /usr/local/FreeBSD/cvs/src/sys/dev/usb/ugen.c,v
retrieving revision 1.33
diff -u -r1.33 ugen.c
--- ugen.c 2000/01/20 22:05:30 1.33
+++ ugen.c 2000/01/21 15:28:15
@@ -435,16 +435,15 @@ if (endpt == USB_CONTROL_ENDPOINT) return (ENODEV); -#ifdef DIAGNOSTIC if (sce->edesc == NULL) { printf("ugenread: no edesc\n"); return (EIO); } + if (sce->pipeh == NULL) { printf("ugenread: no pipe\n"); return (EIO); } -#endif switch (sce->edesc->bmAttributes & UE_XFERTYPE) { case UE_INTERRUPT: @@ -559,7 +558,6 @@ if (endpt == USB_CONTROL_ENDPOINT) return (ENODEV); -#ifdef DIAGNOSTIC if (sce->edesc == NULL) { printf("ugenwrite: no edesc\n"); return (EIO); @@ -568,7 +566,6 @@ printf("ugenwrite: no pipe\n"); return (EIO); } -#endif switch (sce->edesc->bmAttributes & UE_XFERTYPE) { case UE_BULK: 
@@ -897,12 +894,12 @@ sce = &sc->sc_endpoints[endpt][IN]; if (sce == NULL) return (EINVAL); -#ifdef DIAGNOSTIC + if (sce->pipeh == NULL) { printf("ugenioctl: USB_SET_SHORT_XFER, no pipe\n"); return (EIO); } -#endif + if (*(int *)addr) sce->state |= UGEN_SHORT_OK; else @@ -912,12 +909,12 @@ sce = &sc->sc_endpoints[endpt][IN]; if (sce == NULL) return (EINVAL); -#ifdef DIAGNOSTIC + if (sce->pipeh == NULL) { printf("ugenioctl: USB_SET_TIMEOUT, no pipe\n"); return (EIO); } -#endif + sce->timeout = *(int *)addr; return (0); default: @@ -1177,7 +1174,7 @@ sce = &sc->sc_endpoints[UGENENDPOINT(dev)][IN]; if (sce == NULL) return (EINVAL); -#ifdef DIAGNOSTIC + if (!sce->edesc) { printf("ugenwrite: no edesc\n"); return (EIO); @@ -1186,7 +1183,7 @@ printf("ugenpoll: no pipe\n"); return (EIO); } -#endif + s = splusb(); switch (sce->edesc->bmAttributes & UE_XFERTYPE) { case UE_INTERRUPT:
>Release-Note:
>Audit-Trail:
>Unformatted:
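Review bot: in the ugenread and ugenwrite hunks (@@ -435 and @@ -559/-568) the now-unconditional NULL tests on sce->edesc and sce->pipeh run outside any splusb() section, so a USB_SET_CONFIG on /dev/ugenX.0 that clears those fields between the test and the dereference in `switch (sce->edesc->bmAttributes & UE_XFERTYPE)` can still panic; this narrows the window rather than closing it, which matches the "just a work-around" wording, and pairing it with the suggested refusal of reconfiguration while other endpoints are open would close it. Separately, dropping #ifdef DIAGNOSTIC makes `printf("ugenread: no edesc\n")` fire on every read() against a deconfigured endpoint, so any process holding the node can flood the console; consider DPRINTF or returning EIO without a message.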
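Review bot: in the USB_SET_SHORT_XFER and USB_SET_TIMEOUT hunks (@@ -897 and @@ -912) the pre-existing `sce = &sc->sc_endpoints[endpt][IN]; if (sce == NULL) return (EINVAL);` tests the address of an array element, which is never NULL, so the EINVAL path is dead and the newly unconditional `if (sce->pipeh == NULL)` test is the only real guard; worth a comment so nobody later assumes the EINVAL check validates endpt. Style: replacing `#ifdef DIAGNOSTIC` and `#endif` with bare `+` lines leaves two stray blank lines around each check; remove them rather than substituting blanks.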
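Review bot: in the ugenpoll hunk (@@ -1177) the message that this patch makes unconditional reads `printf("ugenwrite: no edesc\n")` although the function is ugenpoll, as the companion `"ugenpoll: no pipe\n"` a few lines later shows; fix the copy-pasted label to "ugenpoll: no edesc" so a console report points at the right entry point. The checks here also sit before `s = splusb();`, so the same check-then-use gap noted for ugenread applies.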