Bug 29847

Summary: [usb] usbd_probe_and_attach() is broken and may crash the system
Product: Base System
Reporter: Bodo Rueskamp
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.3-RELEASE
Hardware: Any
OS: Any

Description Bodo Rueskamp 2001-08-18 13:50:00 UTC
"usbd_probe_and_attach()" in "/sys/dev/usb/usb_subr.c" uses the
automatic variable "uaa" to store information for probe and attach
functions.

If a USB module with an active device is unloaded and reloaded,
the automatic variable "uaa" doesn't contain valid information
and the USB_MATCH function of the loaded driver (and others)
may crash the system.

Fix:

Use "malloc()" to allocate "uaa" in "usbd_probe_and_attach()"
in file "/sys/dev/usb/usb_subr.c" and insert a "free()"
into the appropriate function after the device is removed
(unplugged) from the system.
How-To-Repeat:
(1) boot a kernel without USB
(2) start "usbd" (this will load 'usbd.ko')
(3) load "ums.ko"
(4) attach a USB mouse
(5) unload "ums.ko"
(6) reload "ums.ko"
(you may use any other driver with a matching USB device in steps 3-6)

Now the USB_MATCH routine of "ums" (and "uhub") is called with a
pointer to an "uaa" which is invalid.

This causes a crash on my system, because "uaa->driver" is the
NULL pointer. This may vary on other systems.
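As an added illustration of the lifetime bug described in this report, not code from the report or from FreeBSD's usb_subr.c: a constructed C model in which the attach args are heap-allocated together with the device and freed on detach, with hypothetical names (probe_and_attach, usb_match, usb_detach, reload_scenario) standing in for the kernel routines.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the bug in the report (hypothetical names, not FreeBSD's):
 * the bus keeps a pointer to the attach args in the device's ivars, so the args
 * must outlive the function that filled them in. The buggy shape was a local
 * `struct usb_attach_arg uaa;` whose address escaped via ivars. */
struct usb_attach_arg {
    const char *driver;     /* the field the report says is NULL after reload */
    int iface;
};

struct device {
    struct usb_attach_arg *ivars;   /* pointer later handed to USB_MATCH */
};

/* Fixed shape: allocate the args with the device and free them on detach. */
static int probe_and_attach(struct device *dev, const char *driver, int iface) {
    struct usb_attach_arg *uaa = malloc(sizeof *uaa);
    if (uaa == NULL)
        return -1;
    uaa->driver = driver;
    uaa->iface = iface;
    dev->ivars = uaa;           /* valid until usb_detach() frees it */
    return 0;
}

/* Stands in for USB_MATCH: 0 = match, 1 = no match, -1 = no attach args. */
static int usb_match(const struct device *dev, const char *wanted) {
    const struct usb_attach_arg *uaa = dev->ivars;
    if (uaa == NULL || uaa->driver == NULL)
        return -1;              /* refuse rather than dereference garbage */
    return strcmp(uaa->driver, wanted) == 0 ? 0 : 1;
}

/* The free() the report asks for, run when the device is unplugged. */
static void usb_detach(struct device *dev) {
    free(dev->ivars);
    dev->ivars = NULL;          /* a later match sees "no args", not garbage */
}

/* Walks the how-to-repeat: attach, match after a driver reload, then unplug. */
static int reload_scenario(void) {
    struct device mouse = { NULL };
    if (probe_and_attach(&mouse, "ums", 0) != 0)
        return -1;
    int after = usb_match(&mouse, "ums");   /* args survive the reload: 0 */
    usb_detach(&mouse);
    int gone = usb_match(&mouse, "ums");    /* unplugged: -1, no crash */
    return (after == 0 && gone == -1) ? 0 : 1;
}
```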
Comment 1 Kris Kennaway freebsd_committer freebsd_triage 2001-08-19 09:57:26 UTC
Responsible Changed
From-To: freebsd-bugs->n_hibma

Nick is Mr USB
Comment 2 n_hibma 2001-08-21 23:37:04 UTC
This indeed is a problem. The problem exposes another problem: devices
which have been attached while no matching driver is available are not
probed properly. So, for example, 2 functions on the first interface with
a second interface after that one will not be attached properly if the
driver is loaded after the device has been physically attached.

The probe routine is flawed in that it only works properly if the
appropriate driver was loaded when the device was attached. USB devices
use several rounds of probes to decide which driver is the best to use.

The solution is to put the probe_and_attach routine as a bus_probe and
bus_attach DEVMETHOD in uhub, but that requires quite a bit of work.

No ETA.
Comment 3 KAREN THODE 2002-12-24 19:42:01 UTC
Two things here:
First, the same problem could occur if usbd_probe_and_attach() was called twice. The fix for this is to change uaa from auto to static.
Secondly, since auto variables are stored on the stack and malloc() deals with the heap, my patch will have to be applied (to put uaa where malloc() can get to it) before the original fix.

Lucas
Comment 4 Mark Linimon freebsd_committer freebsd_triage 2004-08-27 23:23:26 UTC
State Changed
From-To: open->feedback

Is this still a problem with modern versions of FreeBSD?

Comment 5 Mark Linimon freebsd_committer freebsd_triage 2004-08-27 23:23:26 UTC
Responsible Changed
From-To: n_hibma->freebsd-bugs

With permission of assignee, reset assignment.
Comment 6 Mark Linimon freebsd_committer freebsd_triage 2004-09-02 02:32:14 UTC
State Changed
From-To: feedback->closed

Submitter's email address bounces.