Sun May 31 18:20:24 2020 UTC ()
also set ifc->ui_endpoints to NULL in usbd_free_iface_data() when the value
is freed, to make it impossible to re-enter this by mistake

very likely has no effect for the syzbot problem, but good to do nevertheless

Reported-by: syzbot+c555801d6bc0d768f402@syzkaller.appspotmail.com


(jdolecek)
diff -r1.245 -r1.246 src/sys/dev/usb/usb_subr.c

cvs diff -r1.245 -r1.246 src/sys/dev/usb/usb_subr.c

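--- a/src/sys/dev/usb/usb_subr.c
+++ b/src/sys/dev/usb/usb_subr.c
@@ -1,14 +1,14 @@
-/* $NetBSD: usb_subr.c,v 1.245 2020/05/31 17:52:58 maxv Exp $ */
+/* $NetBSD: usb_subr.c,v 1.246 2020/05/31 18:20:23 jdolecek Exp $ */
 /* $FreeBSD: src/sys/dev/usb/usb_subr.c,v 1.18 1999/11/17 22:33:47 n_hibma Exp $ */
 
 /*
  * Copyright (c) 1998, 2004 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This code is derived from software contributed to The NetBSD Foundation
  * by Lennart Augustsson (lennart@augustsson.net) at
  * Carlstedt Research & Technology.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -22,27 +22,27 @@
  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.245 2020/05/31 17:52:58 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usb_subr.c,v 1.246 2020/05/31 18:20:23 jdolecek Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_compat_netbsd.h"
 #include "opt_usb.h"
 #include "opt_usbverbose.h"
 #endif
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
 #include <sys/kmem.h>
 #include <sys/device.h>
 #include <sys/select.h>
@@ -497,26 +497,27 @@ usbd_fill_iface_data(struct usbd_device
  ifc->ui_endpoints = NULL;
  }
  return USBD_INVAL;
 }
 
 void
 usbd_free_iface_data(struct usbd_device *dev, int ifcno)
 {
  struct usbd_interface *ifc = &dev->ud_ifaces[ifcno];
  if (ifc->ui_endpoints) {
  int nendpt = ifc->ui_idesc->bNumEndpoints;
  size_t sz = nendpt * sizeof(struct usbd_endpoint);
  kmem_free(ifc->ui_endpoints, sz);
+ ifc->ui_endpoints = NULL;
  }
 }
 
 usbd_status
 usbd_set_config_no(struct usbd_device *dev, int no, int msg)
 {
  USBHIST_FUNC(); USBHIST_CALLARGS(usbdebug, "%jd", no, 0, 0, 0);
  usb_config_descriptor_t cd;
  usbd_status err;
  int index;
 
  if (no == USB_UNCONFIG_NO)
  return usbd_set_config_index(dev, USB_UNCONFIG_INDEX, msg);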
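Review bot: In usbd_free_iface_data() the size passed to kmem_free() is still recomputed from `ifc->ui_idesc->bNumEndpoints` at free time, and the added `ifc->ui_endpoints = NULL;` does not change that. kmem_free() has to be given the size that was originally allocated, so if ui_idesc can be repointed or cleared between usbd_fill_iface_data() and this call (not visible in this hunk), the free would use a wrong size or read through a stale descriptor. Consider asserting the invariant with `KASSERT(ifc->ui_idesc != NULL);` before reading bNumEndpoints, or recording the allocated endpoint count in the interface structure and freeing with that. The new line would also benefit from a short comment such as `/* make a repeated call a no-op rather than a double free */`.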