From nobody@FreeBSD.org  Sat Aug 18 05:41:48 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 1071937B412
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 18 Aug 2001 05:41:30 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f7ICfTK59548;
	Sat, 18 Aug 2001 05:41:29 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200108181241.f7ICfTK59548@freefall.freebsd.org>
Date: Sat, 18 Aug 2001 05:41:29 -0700 (PDT)
From: Bodo Rueskamp <br@clabsms.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: USB usbd_probe_and_attach() is broken and may crash the system
X-Send-Pr-Version: www-1.0

>Number:         29847
>Category:       kern
>Synopsis:       [usb] usbd_probe_and_attach() is broken and may crash the system
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 18 05:50:00 PDT 2001
>Closed-Date:    Thu Sep 02 01:32:32 GMT 2004
>Last-Modified:  Thu Sep 02 01:32:32 GMT 2004
>Originator:     Bodo Rueskamp
>Release:        4.3-RELEASE, 4-STABLE and 5-CURRENT
>Organization:
Communications Laboratories GmbH
>Environment:
>Description:
"usbd_probe_and_attach()" in "/sys/dev/usb/usb_subr.c" uses the
automatic variable "uaa" to store information for probe and attach
functions.

If a USB module with an active device is unloaded and reloaded,
the automatic variable "uaa" doesn't contain valid information
and the USB_MATCH function of the loaded driver (and others)
may crash the system.

>How-To-Repeat:
(1) boot a kernel without USB
(2) start "usbd" (this will load 'usbd.ko')
(3) load "ums.ko"
(4) attach a USB mouse
(5) unload "ums.ko"
(6) reload "ums.ko"
(you may use any other driver with a matching USB device in steps 3-6)

Now the USB_MATCH routine of "ums" (and "uhub") is called with a
pointer to a "uaa" which is invalid.

This causes a crash on my system, because "uaa->driver" is the
NULL pointer. This may vary on other systems.

>Fix:
Use "malloc()" to allocate "uaa" in "usbd_probe_and_attach()"
in file "/sys/dev/usb/usb_subr.c" and insert a "free()"
into the appropriate function after the device is removed
(unplugged) from the system.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->n_hibma 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sun Aug 19 01:57:26 PDT 2001 
Responsible-Changed-Why:  
Nick is Mr USB 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29847 

From: Nick Hibma <n_hibma@webweaving.org>
To: freebsd-gnats-submit@FreeBSD.org, br@clabsms.de
Cc:  
Subject: Re: kern/29847: USB usbd_probe_and_attach() is broken and may crash the system
Date: Tue, 21 Aug 2001 23:37:04 +0100

 This indeed is a problem. The problem exposes another problem: Devices
 which have been attached while no matching driver is available are not
 probed properly. So, for example 2 functions on the first interface with
 a second interface after that one, will not be attached properly if the
 driver is loaded after the device has been physically attached.
 
 The probe routine is flawed in that it only works properly if the
 appropriate driver was loaded when the device was attached. USB devices
 use several rounds of probes to decide which driver is the best to use.
 
 The solution is to put the probe_and_attach routine as a bus_probe and
 bus_attach DEVMETHOD in uhub, but that requires quite a bit of work.
 
 No ETA.
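The following is an added, user-space model of the lifetime fix proposed in the PR's "Fix" section (heap-allocate the attach arguments, tie them to the device, free them on detach) combined with the "several rounds of probes" idea from the reply above. It is not FreeBSD code: the names usb_attach_arg, usb_device, usb_driver, probe_and_attach, reprobe, detach, the match levels and the vendor/product values are all assumptions made for illustration. It shows why a heap-owned uaa lets a driver loaded after the device was plugged in still match correctly, which is exactly the step (5)-(6) scenario that dereferenced a dead stack frame in the original code.

```c
/*
 * Added example, not FreeBSD's usb_subr.c. All structs, functions and
 * constants here are hypothetical stand-ins for the kernel interfaces.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Match levels, highest wins (modelled on "several rounds of probes"). */
enum { UMATCH_NONE = 0, UMATCH_IFACECLASS = 1, UMATCH_VENDOR_PRODUCT = 2 };

struct usb_attach_arg {
	int vendor, product, iface_class;
};

struct usb_driver {
	const char *name;
	int (*match)(const struct usb_attach_arg *);
	int loaded;                      /* 1 once the .ko is loaded */
};

struct usb_device {
	const char *name;
	struct usb_attach_arg *ivars;    /* heap-owned; NULL once detached */
	const struct usb_driver *driver; /* NULL while no driver matches */
};

/* Hypothetical drivers: a class-level match and a vendor-specific one. */
static int ums_match(const struct usb_attach_arg *uaa) {
	return uaa->iface_class == 3 ? UMATCH_IFACECLASS : UMATCH_NONE; /* 3 = HID */
}
static int vendorfoo_match(const struct usb_attach_arg *uaa) {
	return (uaa->vendor == 0x1234 && uaa->product == 0x5678)
	    ? UMATCH_VENDOR_PRODUCT : UMATCH_NONE;
}
static struct usb_driver drivers[] = {
	{ "ums",       ums_match,       0 },
	{ "vendorfoo", vendorfoo_match, 0 },
};

static void set_loaded(const char *name, int loaded) {
	for (size_t i = 0; i < sizeof drivers / sizeof drivers[0]; i++)
		if (strcmp(drivers[i].name, name) == 0)
			drivers[i].loaded = loaded;
}

/* Pick the loaded driver with the best match level, or NULL. */
static const struct usb_driver *best_driver(const struct usb_attach_arg *uaa) {
	const struct usb_driver *best = NULL;
	int best_level = UMATCH_NONE;
	for (size_t i = 0; i < sizeof drivers / sizeof drivers[0]; i++) {
		if (!drivers[i].loaded)
			continue;
		int lvl = drivers[i].match(uaa);
		if (lvl > best_level) { best_level = lvl; best = &drivers[i]; }
	}
	return best;
}

/*
 * The bug in the PR: the original kept "struct usb_attach_arg uaa;" as an
 * automatic here and handed &uaa to the device, so the pointer outlived
 * this frame. Heap-allocating it and letting the device own it means a
 * later re-probe reads memory that is still valid.
 */
static int probe_and_attach(struct usb_device *dev, int vendor, int product,
    int iface_class) {
	struct usb_attach_arg *uaa = malloc(sizeof *uaa);
	if (uaa == NULL)
		return -1;
	uaa->vendor = vendor; uaa->product = product; uaa->iface_class = iface_class;
	dev->ivars = uaa;
	dev->driver = best_driver(uaa);     /* may be NULL: no driver loaded yet */
	return 0;
}

/* A module was loaded after the device arrived (steps 3-6 of the PR). */
static const char *reprobe(struct usb_device *dev) {
	if (dev->ivars == NULL)             /* detached: nothing to match */
		return NULL;
	dev->driver = best_driver(dev->ivars);
	return dev->driver ? dev->driver->name : NULL;
}

/* Device unplugged: the matching free() the PR's Fix asks for. */
static void detach(struct usb_device *dev) {
	free(dev->ivars);
	dev->ivars = NULL;
	dev->driver = NULL;
}

/* Walk the PR's reproduction steps; returns the number of failed checks. */
static int run_scenario(void) {
	int failures = 0;
	struct usb_device d = { "ugen0", NULL, NULL };
	set_loaded("ums", 0); set_loaded("vendorfoo", 0);
	failures += probe_and_attach(&d, 0x1234, 0x5678, 3) != 0;
	failures += d.driver != NULL;                /* nothing loaded: no match */
	set_loaded("ums", 1);                        /* kldload ums.ko */
	failures += strcmp(reprobe(&d), "ums") != 0; /* uaa still valid */
	set_loaded("ums", 0); set_loaded("ums", 1);  /* unload + reload */
	failures += strcmp(reprobe(&d), "ums") != 0; /* the crashing step, now safe */
	set_loaded("vendorfoo", 1);
	failures += strcmp(reprobe(&d), "vendorfoo") != 0; /* better level wins */
	detach(&d);
	failures += reprobe(&d) != NULL;             /* freed: must not match */
	return failures;
}

int main(void) {
	printf("failed checks: %d\n", run_scenario());
	return 0;
}
```

The model deliberately makes the device, not the probe routine, the owner of the attach arguments; whoever frees them (detach) also clears the pointer, so a late re-probe after unplug returns "no match" instead of reading freed memory.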

From: "KAREN THODE" <thode12@msn.com>
To: <freebsd-gnats-submit@FreeBSD.org>, <br@clabsms.de>
Cc:  
Subject: Re: kern/29847: USB usbd_probe_and_attach() is broken and may crash the system
Date: Tue, 24 Dec 2002 13:42:01 -0600

 Two things here:
 First, the same problem could occur if usbd_probe_and_attach() was called
 twice.  The fix for this is to change uaa from auto to static.
 Secondly, since auto variables are stored on the stack and malloc() deals
 with the heap, my patch will have to be applied (to put uaa where malloc()
 can get to it) before the original fix.
 
 Lucas
 
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Fri Aug 27 22:23:26 GMT 2004 
State-Changed-Why:  
Is this still a problem with modern versions of FreeBSD? 


Responsible-Changed-From-To: n_hibma->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Aug 27 22:23:26 GMT 2004 
Responsible-Changed-Why:  
With permission of assignee, reset assignment. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=29847 
State-Changed-From-To: feedback->closed 
State-Changed-By: linimon 
State-Changed-When: Thu Sep 2 01:32:14 GMT 2004 
State-Changed-Why:  
Submitter's email address bounces. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=29847 
>Unformatted:
