# HG changeset patch
# User Taylor R Campbell <riastradh@NetBSD.org>
# Date 1597558592 0
#      Sun Aug 16 06:16:32 2020 +0000
# Branch trunk
# Node ID bfeda99baa101a929b3fdc5fe5bd52ba56ba9b05
# Parent  793a0c76ac0f0f525b4434a16589fbaba3bd3b58
# EXP-Topic riastradh-ugenif
Fix sloppy mistakes in previous.

1. Give the offset of the rbnode, not some other random members to
   overwrite with garbage.

2. Don't try to unlock a mutex at NULL.

3. Make sure all paths out after ugenif_acquire go via
   ugenif_release.

diff -r 793a0c76ac0f -r bfeda99baa10 sys/dev/usb/ugen.c
--- a/sys/dev/usb/ugen.c	Sun Aug 16 03:48:08 2020 +0000
+++ b/sys/dev/usb/ugen.c	Sun Aug 16 06:16:32 2020 +0000
@@ -175,7 +175,7 @@ compare_ugen_key(void *cookie, const voi
 static const rb_tree_ops_t ugenif_tree_ops = {
 	.rbto_compare_nodes = compare_ugen,
 	.rbto_compare_key = compare_ugen_key,
-	.rbto_node_offset = offsetof(struct ugen_softc, sc_unit),
+	.rbto_node_offset = offsetof(struct ugen_softc, sc_node),
 };
 
 static void
@@ -215,17 +215,18 @@ ugenif_acquire(unsigned unit)
 
 	mutex_enter(&ugenif.lock);
 	sc = rb_tree_find_node(&ugenif.tree, &unit);
-	if (sc) {
-		mutex_enter(&sc->sc_lock);
-		if (sc->sc_dying) {
-			sc = NULL;
-		} else {
-			KASSERT(sc->sc_refcnt < INT_MAX);
-			sc->sc_refcnt++;
-		}
+	if (sc == NULL)
+		goto out;
+	mutex_enter(&sc->sc_lock);
+	if (sc->sc_dying) {
 		mutex_exit(&sc->sc_lock);
+		sc = NULL;
+		goto out;
 	}
-	mutex_exit(&ugenif.lock);
+	KASSERT(sc->sc_refcnt < INT_MAX);
+	sc->sc_refcnt++;
+	mutex_exit(&sc->sc_lock);
+out:	mutex_exit(&ugenif.lock);
 
 	return sc;
 }
@@ -608,8 +609,10 @@ ugenopen(dev_t dev, int flag, int mode, 
 				goto out;
 			}
 			isize = UGETW(edesc->wMaxPacketSize);
-			if (isize == 0)	/* shouldn't happen */
-				return EINVAL;
+			if (isize == 0) {	/* shouldn't happen */
+				error = EINVAL;
+				goto out;
+			}
 			sce->ibuf = kmem_alloc(isize * UGEN_NISOFRAMES,
 				KM_SLEEP);
 			sce->cur = sce->fill = sce->ibuf;