From 907aa905189abde933efd20815498b236833c68e Mon Sep 17 00:00:00 2001
From: Alexander Kabaev <kan@FreeBSD.org>
Date: Mon, 5 Nov 2007 19:51:12 +0000
Subject: [PATCH] Do not pass an address to local stack variable to
 usbd_set_report_async. Allocate space in keyboard state structure instead to
 prevent random byte from possibly overwritten stack location frombeing shoved
 into USB device when transfer actually takes place.

This fixes at least one instance of LEDs not working with USB keyboards.
---
 sys/dev/usb/ukbd.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/sys/dev/usb/ukbd.c b/sys/dev/usb/ukbd.c
index 4496e86b0772..6d2943d9a318 100644
--- a/sys/dev/usb/ukbd.c
+++ b/sys/dev/usb/ukbd.c
@@ -370,6 +370,7 @@ typedef struct ukbd_state {
 	u_int		ks_composed_char; /* composed char code (> 0) */
 #ifdef UKBD_EMULATE_ATSCANCODE
 	u_int		ks_buffered_char[2];
+	u_int8_t	ks_leds;	/* store for async led requests */
 #endif
 } ukbd_state_t;
 
@@ -1469,11 +1470,11 @@ bLength=%d bDescriptorType=%d bEndpointAddress=%d-%s bmAttributes=%d wMaxPacketS
 static void
 set_leds(ukbd_state_t *state, int leds)
 {
-	u_int8_t res = leds;
 
 	DPRINTF(("ukbd:set_leds: state=%p leds=%d\n", state, leds));
-
-	usbd_set_report_async(state->ks_iface, UHID_OUTPUT_REPORT, 0, &res, 1);
+	state->ks_leds = leds;
+	usbd_set_report_async(state->ks_iface, UHID_OUTPUT_REPORT, 0,
+	    &state->ks_leds, 1);
 }
 
 static int