From owner-freebsd-bugs Fri Jan 21 7:40: 9 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 47C36154EC for ; Fri, 21 Jan 2000 07:40:03 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id HAA41432; Fri, 21 Jan 2000 07:40:03 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10]) by hub.freebsd.org (Postfix) with ESMTP id F303A15527 for ; Fri, 21 Jan 2000 07:34:25 -0800 (PST) (envelope-from louie@whizzo.transsys.com)
Received: (from louie@localhost) by whizzo.transsys.com (8.9.3/8.9.1) id KAA13767; Fri, 21 Jan 2000 10:34:20 -0500 (EST) (envelope-from louie)
Message-Id: <200001211534.KAA13767@whizzo.transsys.com>
Date: Fri, 21 Jan 2000 10:34:20 -0500 (EST)
From: Louis Mamakos
Reply-To: louie@TransSys.COM
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/16256: USB stack panic on null pointer dereference
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         16256
>Category:       kern
>Synopsis:       USB stack panic on null pointer dereference
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 21 07:40:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Louis Mamakos
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
>Environment:
4.0-current, using ugen device driver
>Description:
See PR kern/16168 for details. Essentially, if a set configuration ioctl() is performed on /dev/ugenX.0 while any other endpoints are open (e.g., /dev/ugenX.2), subsequent I/O on the other endpoints will likely cause a null pointer dereference.
>How-To-Repeat:
as above
>Fix:
This is just a work-around. As discussed in the previous PR, the "right" answer depends on what the semantics of the driver need to be. Possibly device reconfiguration requests shouldn't be allowed if other endpoints are open?

The work-around simply removes #ifdef DIAGNOSTIC around some existing tests to bail out early.

Index: ugen.c =================================================================== RCS file: /usr/local/FreeBSD/cvs/src/sys/dev/usb/ugen.c,v retrieving revision 1.33 diff -u -r1.33 ugen.c --- ugen.c 2000/01/20 22:05:30 1.33 +++ ugen.c 2000/01/21 15:28:15 @@ -435,16 +435,15 @@ if (endpt == USB_CONTROL_ENDPOINT) return (ENODEV); -#ifdef DIAGNOSTIC if (sce->edesc == NULL) { printf("ugenread: no edesc\n"); return (EIO); } + if (sce->pipeh == NULL) { printf("ugenread: no pipe\n"); return (EIO); } -#endif switch (sce->edesc->bmAttributes & UE_XFERTYPE) { case UE_INTERRUPT:
@@ -559,7 +558,6 @@ if (endpt == USB_CONTROL_ENDPOINT) return (ENODEV); -#ifdef DIAGNOSTIC if (sce->edesc == NULL) { printf("ugenwrite: no edesc\n"); return (EIO); @@ -568,7 +566,6 @@ printf("ugenwrite: no pipe\n"); return (EIO); } -#endif switch (sce->edesc->bmAttributes & UE_XFERTYPE) { case UE_BULK: @@ -897,12 +894,12 @@ sce = &sc->sc_endpoints[endpt][IN]; if (sce == NULL) return (EINVAL); -#ifdef DIAGNOSTIC + if (sce->pipeh == NULL) { printf("ugenioctl: USB_SET_SHORT_XFER, no pipe\n"); return (EIO); } -#endif + if (*(int *)addr) sce->state |= UGEN_SHORT_OK; else @@ -912,12 +909,12 @@ sce = &sc->sc_endpoints[endpt][IN]; if (sce == NULL) return (EINVAL); -#ifdef DIAGNOSTIC + if (sce->pipeh == NULL) { printf("ugenioctl: USB_SET_TIMEOUT, no pipe\n"); return (EIO); } -#endif + sce->timeout = *(int *)addr; return (0); default: @@ -1177,7 +1174,7 @@ sce = &sc->sc_endpoints[UGENENDPOINT(dev)][IN]; if (sce == NULL) return (EINVAL); -#ifdef DIAGNOSTIC + if (!sce->edesc) { printf("ugenwrite: no edesc\n"); return (EIO); @@ -1186,7 +1183,7 @@ printf("ugenpoll: no pipe\n"); return (EIO); } -#endif + s = splusb(); switch (sce->edesc->bmAttributes & UE_XFERTYPE) { case UE_INTERRUPT: >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
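Review bot: with the #ifdef DIAGNOSTIC removed in the ugenread hunk (and likewise in the two ugenwrite hunks), printf("ugenread: no edesc\n") and printf("ugenread: no pipe\n") become unconditional on a path that, per the Description, an unprivileged process holding /dev/ugenX.2 open can reach at will once a set-configuration ioctl has been done on /dev/ugenX.0; every read(2) or write(2) retried after the EIO then logs another line to the console. The NULL checks are the part that matters here, so either move the messages under the driver's debug-only printf macro (if it has one; not visible in the diff) or return EIO silently, since the errno already tells the caller what happened.

Review bot: in both ugenioctl hunks (USB_SET_SHORT_XFER and USB_SET_TIMEOUT) the test `if (sce == NULL) return (EINVAL);` can never fire, because sce was just assigned `&sc->sc_endpoints[endpt][IN]`, the address of an array element; the only effective guard against a torn-down endpoint is the `sce->pipeh == NULL` check being un-ifdef'd here, so the dead test should go, or be rewritten as a range check on endpt, whose validation is not visible in this hunk. Minor style point: the blank lines left where #ifdef/#endif stood are noise in the resulting source.

Review bot: the message in the first ugenpoll hunk reads printf("ugenwrite: no edesc\n"), although the following "ugenpoll: no pipe" message and the splusb()/switch context show this is the poll routine; now that it is compiled unconditionally, fix the name. More important: if this is indeed the d_poll entry point, its return value is a revents bitmask rather than an errno, so `return (EIO);` hands the caller a bit pattern instead of an error; returning 0, or a POLLERR/POLLHUP style mask, would be the conventional way to report an endpoint whose descriptor or pipe is gone. Worth confirming against the function header, which this hunk does not show.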