Source-Changes-HG archive


[src/trunk]: src/sys/dev/usb fix detach() to avoid use-after-free problems:



details:   https://anonhg.NetBSD.org/src/rev/a0f74d4a5cc1
branches:  trunk
changeset: 765030:a0f74d4a5cc1
user:      drochner <drochner%NetBSD.org@localhost>
date:      Mon May 16 10:53:19 2011 +0000

description:
fix detach() to avoid use-after-free problems:
-stop transfers before freeing data structures
 (and comment out a useless delay)
-free devinfo later
Hot-unplugging a USB cam while in use doesn't crash my box anymore now.

diffstat:

 sys/dev/usb/uvideo.c |  11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

diffs (51 lines):

diff -r fc959bbadbc0 -r a0f74d4a5cc1 sys/dev/usb/uvideo.c
--- a/sys/dev/usb/uvideo.c      Mon May 16 10:45:56 2011 +0000
+++ b/sys/dev/usb/uvideo.c      Mon May 16 10:53:19 2011 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: uvideo.c,v 1.33 2010/12/24 20:54:28 jmcneill Exp $     */
+/*     $NetBSD: uvideo.c,v 1.34 2011/05/16 10:53:19 drochner Exp $     */
 
 /*
  * Copyright (c) 2008 Patrick Mahoney
@@ -42,7 +42,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvideo.c,v 1.33 2010/12/24 20:54:28 jmcneill Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvideo.c,v 1.34 2011/05/16 10:53:19 drochner Exp $");
 
 #ifdef _MODULE
 #include <sys/module.h>
@@ -671,20 +671,21 @@
 
        pmf_device_deregister(self);
 
-       usbd_devinfo_free(sc->sc_devname);
-
        /* TODO: close the device if it is currently opened?  Or will
         * close be called automatically? */
 
        while (!SLIST_EMPTY(&sc->sc_stream_list)) {
                vs = SLIST_FIRST(&sc->sc_stream_list);
                SLIST_REMOVE_HEAD(&sc->sc_stream_list, entries);
+               uvideo_stream_stop_xfer(vs);
                uvideo_stream_free(vs);
        }
 
+#if 0
        /* Wait for outstanding request to complete.  TODO: what is
         * appropriate here? */
        usbd_delay_ms(sc->sc_udev, 1000);
+#endif
 
        DPRINTFN(15, ("uvideo: detaching from %s\n",
                device_xname(sc->sc_dev)));
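Review bot: With the usbd_delay_ms() call disabled, nothing visible in this hunk waits for in-flight transfers any more, so the loop is only safe if uvideo_stream_stop_xfer(vs) has fully quiesced the stream (no callback still running or pending) by the time uvideo_stream_free(vs) is called on the next line. Please state that guarantee in a comment above the call, since it is what closes the use-after-free window. The `#if 0` block keeps a dead delay and a stale "TODO: what is appropriate here?" in the tree; if the delay really is useless, delete it and let the commit message carry the history. The remaining TODO about closing a currently opened device is also still unanswered, and an open handle during hot-unplug is exactly the case the commit message describes, so it deserves either a resolution or a note explaining why stopping the transfers is sufficient.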
@@ -695,6 +696,8 @@
        usbd_add_drv_event(USB_EVENT_DRIVER_DETACH, sc->sc_udev,
            sc->sc_dev);
 
+       usbd_devinfo_free(sc->sc_devname);
+
        return rv;
 }
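Review bot: The relocated usbd_devinfo_free(sc->sc_devname) leaves sc->sc_devname dangling, and nothing in the diff records why the free has to happen last. The hunks shown do not contain a reader of sc_devname between the old and new positions, so the ordering dependency is invisible to the next person who touches detach. Consider adding a one-line comment naming what still uses the string during teardown, and setting sc->sc_devname = NULL after the free so that any late access faults on a null pointer instead of reading freed memory.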
 


