kern/37934: Interrupt type ugen devices crash kernel on access close

[gcw%primenet.com.au@localhost]

>Number:         37934
>Category:       kern
>Synopsis:       Extra clfree() crashes kernel in ugenclose() for interrupt 
>ugen devices
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 01 04:05:00 +0000 2008
>Originator:     Geoff C. Wing
>Release:        NetBSD 4.99.52
>Organization:
>Environment:
System: NetBSD g.primenet.com.au 4.99.52 NetBSD 4.99.52 (G) #0: Fri Feb 1 
14:46:50 EST 2008 
gcw%g.primenet.com.au@localhost:/usr/netbsd/src/sys/arch/i386/compile/G i386
Architecture: i386
Machine: i386
>Description:
        Only interrupt transfer type USB generic device attachments
        call clalloc(), however on close it correctly calls clfree()
        in sys/dev/usb/ugen.c:536 then incorrectly calls it again
        at line 556.  This probably also affects isochronous type
        transfers since they do not clalloc().
>How-To-Repeat:
        Plug in something which uses this - I ran apcupsd with an APC UPS -
        then stop the program.  See computer crash.
>Fix:

Index: sys/dev/usb/ugen.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/ugen.c,v
retrieving revision 1.96
diff -u -r1.96 ugen.c
--- sys/dev/usb/ugen.c  24 Dec 2007 14:41:19 -0000      1.96
+++ sys/dev/usb/ugen.c  1 Feb 2008 03:45:28 -0000
@@ -553,7 +553,6 @@
                if (sce->ibuf != NULL) {
                        free(sce->ibuf, M_USBDEV);
                        sce->ibuf = NULL;
-                       clfree(&sce->q);
                }
        }
        sc->sc_is_open[endpt] = 0;