Sat Jun 27 07:29:11 2020 UTC ()
Fix NULL deref on attach failure. Found via vHCI fuzzing.

Reported-by: syzbot+9fdcdc21799e5d6d75ee@syzkaller.appspotmail.com


(maxv)
diff -r1.106 -r1.107 src/sys/dev/usb/ulpt.c
cvs diff -r1.106 -r1.107 src/sys/dev/usb/ulpt.c (expand / switch to unified diff)

--- src/sys/dev/usb/ulpt.c 2020/03/14 02:35:33 1.106
+++ src/sys/dev/usb/ulpt.c 2020/06/27 07:29:11 1.107
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: ulpt.c,v 1.106 2020/03/14 02:35:33 christos Exp $ */ 1/* $NetBSD: ulpt.c,v 1.107 2020/06/27 07:29:11 maxv Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1998, 2003 The NetBSD Foundation, Inc. 4 * Copyright (c) 1998, 2003 The NetBSD Foundation, Inc.
5 * All rights reserved. 5 * All rights reserved.
6 * 6 *
7 * This code is derived from software contributed to The NetBSD Foundation 7 * This code is derived from software contributed to The NetBSD Foundation
8 * by Lennart Augustsson (lennart@augustsson.net) at 8 * by Lennart Augustsson (lennart@augustsson.net) at
9 * Carlstedt Research & Technology. 9 * Carlstedt Research & Technology.
10 * 10 *
11 * Redistribution and use in source and binary forms, with or without 11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions 12 * modification, are permitted provided that the following conditions
13 * are met: 13 * are met:
14 * 1. Redistributions of source code must retain the above copyright 14 * 1. Redistributions of source code must retain the above copyright
@@ -25,27 +25,27 @@ @@ -25,27 +25,27 @@
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE. 30 * POSSIBILITY OF SUCH DAMAGE.
31 */ 31 */
32 32
33/* 33/*
34 * Printer Class spec: http://www.usb.org/developers/data/devclass/usbprint109.PDF 34 * Printer Class spec: http://www.usb.org/developers/data/devclass/usbprint109.PDF
35 */ 35 */
36 36
37#include <sys/cdefs.h> 37#include <sys/cdefs.h>
38__KERNEL_RCSID(0, "$NetBSD: ulpt.c,v 1.106 2020/03/14 02:35:33 christos Exp $"); 38__KERNEL_RCSID(0, "$NetBSD: ulpt.c,v 1.107 2020/06/27 07:29:11 maxv Exp $");
39 39
40#ifdef _KERNEL_OPT 40#ifdef _KERNEL_OPT
41#include "opt_usb.h" 41#include "opt_usb.h"
42#endif 42#endif
43 43
44#include <sys/param.h> 44#include <sys/param.h>
45#include <sys/systm.h> 45#include <sys/systm.h>
46#include <sys/proc.h> 46#include <sys/proc.h>
47#include <sys/kernel.h> 47#include <sys/kernel.h>
48#include <sys/fcntl.h> 48#include <sys/fcntl.h>
49#include <sys/device.h> 49#include <sys/device.h>
50#include <sys/ioctl.h> 50#include <sys/ioctl.h>
51#include <sys/uio.h> 51#include <sys/uio.h>
@@ -364,27 +364,29 @@ ulpt_detach(device_t self, int flags) @@ -364,27 +364,29 @@ ulpt_detach(device_t self, int flags)
364 /* Wait for processes to go away. */ 364 /* Wait for processes to go away. */
365 usb_detach_waitold(sc->sc_dev); 365 usb_detach_waitold(sc->sc_dev);
366 } 366 }
367 splx(s); 367 splx(s);
368 368
369 /* locate the major number */ 369 /* locate the major number */
370 maj = cdevsw_lookup_major(&ulpt_cdevsw); 370 maj = cdevsw_lookup_major(&ulpt_cdevsw);
371 371
372 /* Nuke the vnodes for any open instances (calls close). */ 372 /* Nuke the vnodes for any open instances (calls close). */
373 mn = device_unit(self); 373 mn = device_unit(self);
374 vdevgone(maj, mn, mn, VCHR); 374 vdevgone(maj, mn, mn, VCHR);
375 vdevgone(maj, mn | ULPT_NOPRIME , mn | ULPT_NOPRIME, VCHR); 375 vdevgone(maj, mn | ULPT_NOPRIME , mn | ULPT_NOPRIME, VCHR);
376 376
377 usbd_add_drv_event(USB_EVENT_DRIVER_DETACH, sc->sc_udev, sc->sc_dev); 377 if (sc->sc_udev != NULL)
 378 usbd_add_drv_event(USB_EVENT_DRIVER_DETACH, sc->sc_udev,
 379 sc->sc_dev);
378 380
379 return 0; 381 return 0;
380} 382}
381 383
382static int 384static int
383ulpt_status(struct ulpt_softc *sc) 385ulpt_status(struct ulpt_softc *sc)
384{ 386{
385 usb_device_request_t req; 387 usb_device_request_t req;
386 usbd_status err; 388 usbd_status err;
387 u_char status; 389 u_char status;
388 390
389 req.bmRequestType = UT_READ_CLASS_INTERFACE; 391 req.bmRequestType = UT_READ_CLASS_INTERFACE;
390 req.bRequest = UR_GET_PORT_STATUS; 392 req.bRequest = UR_GET_PORT_STATUS;