NetBSD Problem Report #37934
From gcw@primenet.com.au Fri Feb 1 04:04:36 2008
Return-Path: <gcw@primenet.com.au>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id 13E9063B853
for <gnats-bugs@gnats.NetBSD.org>; Fri, 1 Feb 2008 04:04:36 +0000 (UTC)
Message-Id: <20080201040430.761.qmail@g.primenet.com.au>
Date: 1 Feb 2008 15:04:30 +1100
From: gcw@primenet.com.au
Reply-To: gcw@primenet.com.au
To: gnats-bugs@gnats.NetBSD.org
Subject: Interrupt type ugen devices crash kernel on access close
X-Send-Pr-Version: 3.95
>Number: 37934
>Category: kern
>Synopsis: Extra clfree() crashes kernel in ugenclose() for interrupt ugen devices
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Feb 01 04:05:00 +0000 2008
>Closed-Date: Fri Sep 30 08:45:20 +0000 2016
>Last-Modified: Fri Sep 30 08:45:20 +0000 2016
>Originator: Geoff C. Wing
>Release: NetBSD 4.99.52
>Organization:
>Environment:
System: NetBSD g.primenet.com.au 4.99.52 NetBSD 4.99.52 (G) #0: Fri Feb 1 14:46:50 EST 2008 gcw@g.primenet.com.au:/usr/netbsd/src/sys/arch/i386/compile/G i386
Architecture: i386
Machine: i386
>Description:
Only interrupt transfer type USB generic device attachments
call clalloc(), however on close it correctly calls clfree()
in sys/dev/usb/ugen.c:536 then incorrectly calls it again
at line 556. This probably also affects isochronous type
transfers since they do not clalloc().
>How-To-Repeat:
Plug in something which uses this - I ran apcupsd with an APC UPS -
then stop the program. See computer crash.
>Fix:
Index: sys/dev/usb/ugen.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/ugen.c,v
retrieving revision 1.96
diff -u -r1.96 ugen.c
--- sys/dev/usb/ugen.c 24 Dec 2007 14:41:19 -0000 1.96
+++ sys/dev/usb/ugen.c 1 Feb 2008 03:45:28 -0000
@@ -553,7 +553,6 @@
if (sce->ibuf != NULL) {
free(sce->ibuf, M_USBDEV);
sce->ibuf = NULL;
- clfree(&sce->q);
}
}
sc->sc_is_open[endpt] = 0;
>Release-Note:
>Audit-Trail:
From: "Jonathan A. Kollasch" <jakllsch@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/37934 CVS commit: src/sys/dev/usb
Date: Thu, 1 Dec 2011 22:42:41 +0000
Module Name: src
Committed By: jakllsch
Date: Thu Dec 1 22:42:41 UTC 2011
Modified Files:
src/sys/dev/usb: ugen.c
Log Message:
Don't double clfree() when closing an interrupt endpoint.
From Geoff C. Wing in PR#37934.
To generate a diff of this commit:
cvs rdiff -u -r1.113 -r1.114 src/sys/dev/usb/ugen.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: jakllsch@NetBSD.org
State-Changed-When: Thu, 01 Dec 2011 23:39:51 +0000
State-Changed-Why:
fix committed
State-Changed-From-To: feedback->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 30 Sep 2016 08:45:20 +0000
State-Changed-Why:
fix committed in 2011
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home