NetBSD Problem Report #33352
From www@netbsd.org Mon Apr 24 18:02:01 2006
Return-Path: <www@netbsd.org>
Received: by narn.netbsd.org (Postfix, from userid 31301)
id A0A3563B8A5; Mon, 24 Apr 2006 18:02:01 +0000 (UTC)
Message-Id: <20060424180201.A0A3563B8A5@narn.netbsd.org>
Date: Mon, 24 Apr 2006 18:02:01 +0000 (UTC)
From: cg2v@andrew.cmu.edu
Reply-To: cg2v@andrew.cmu.edu
To: gnats-bugs@netbsd.org
Subject: poll on control endpoint of ugen device crashes
X-Send-Pr-Version: www-1.0
>Number: 33352
>Category: kern
>Synopsis: poll on control endpoint of ugen device crashes
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Apr 24 18:05:00 +0000 2006
>Closed-Date: Sat Jun 30 21:55:28 +0000 2012
>Last-Modified: Sat Jun 30 21:55:28 +0000 2012
>Originator: Chaskiel Grundman
>Release: 3.0
>Organization:
>Environment:
NetBSD sanmartin.squill.dementia.org 3.0 NetBSD 3.0 (GENERIC) #0: Sun Dec 18 21:51:37 UTC 2005 builds@works.netbsd.org:/home/builds/ab/netbsd-3-0-RELEASE/amd64/200512182024Z-obj/home/builds/ab/netbsd-3-0-RELEASE/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
The openct smart card resource manager (http://www.opensc-project.org/openct/) uses ugen to communicate with USB smartcard devices on *BSD. When configured to detect device disconnects, it poll(2)'s the device with POLLHUP (this apparently works on Linux).
On NetBSD 3.0, this causes a crash in ugenpoll. A DIAGNOSTIC kernel printf's the following error: ugenpoll: no edesc
>How-To-Repeat:
1) acquire a cryptoflex egate token
2) install openct
3) launch a hotplug-enabled ifdhandler (ifdhandler -FD egate /dev/ugen0.00)
4) boom.
I presume that this could be replicated with any USB device that used ugen, but it would involve writing code.
>Fix:
I have not tested it yet, but the following patch (modeled after ugenread/ugenwrite) should prevent the crash
Index: ugen.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/ugen.c,v
retrieving revision 1.71
diff -u -r1.71 ugen.c
--- ugen.c 2 Mar 2005 11:37:27 -0000 1.71
+++ ugen.c 24 Apr 2006 17:55:51 -0000
@@ -1331,6 +1331,7 @@
int
ugenpoll(dev_t dev, int events, usb_proc_ptr p)
{
+ int endpt = UGENENDPOINT(dev);
struct ugen_softc *sc;
struct ugen_endpoint *sce;
int revents = 0;
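Review bot: the new `endpt` local at the top of ugenpoll() is only half adopted, because the unchanged `sce = &sc->sc_endpoints[UGENENDPOINT(dev)][IN];` line further down still recomputes the endpoint from `dev`. Index with `endpt` there as well so the control-endpoint check and the lookup cannot drift apart, or drop the local and test `UGENENDPOINT(dev)` directly.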
@@ -1341,6 +1342,9 @@
if (sc->sc_dying)
return (EIO);
+ if (endpt == USB_CONTROL_ENDPOINT)
+ return (ENODEV);
+
/* XXX always IN */
sce = &sc->sc_endpoints[UGENENDPOINT(dev)][IN];
if (sce == NULL)
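Review bot: `return (ENODEV)` in the added control-endpoint check hands an errno back from a poll routine that declares `revents` for its result, so the poll(2) caller would see those bits as ready events rather than an error. Return a poll mask such as `POLLERR` for `USB_CONTROL_ENDPOINT` instead; the `return (EIO)` context line just above has the same shape and is worth correcting alongside. Note also that the trailing `if (sce == NULL)` tests the address of an array element and can never be true, so the new early return is the only guard on this path.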
>Release-Note:
>Audit-Trail:
From: "Jonathan A. Kollasch" <jakllsch@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/33352 CVS commit: src/sys/dev/usb
Date: Fri, 25 Nov 2011 02:59:55 +0000
Module Name: src
Committed By: jakllsch
Date: Fri Nov 25 02:59:55 UTC 2011
Modified Files:
src/sys/dev/usb: ugen.c
Log Message:
Prevent poll and kqueue on the control endpoint.
Addresses PR#33352.
(The control endpoint doesn't support pipes, so this would be of dubious
usefulness even if it didn't expose bugs.)
To generate a diff of this commit:
cvs rdiff -u -r1.112 -r1.113 src/sys/dev/usb/ugen.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: jakllsch@NetBSD.org
State-Changed-When: Thu, 01 Dec 2011 22:26:26 +0000
State-Changed-Why:
may be fixed as of recent commit
From: Chaskiel Grundman <cg2v@andrew.cmu.edu>
To: "gnats-bugs@NetBSD.org" <gnats-bugs@NetBSD.org>
Cc:
Subject: RE: kern/33352 (poll on control endpoint of ugen device crashes)
Date: Wed, 28 Dec 2011 18:24:33 +0000
I don't do much with the smartcard software anymore (or NetBSD for that matter). I did attempt to set up a 5.1 testbed to see if I could replicate the original problem, but the smartcard software has moved on, and now uses libusb on NetBSD which does not seem to tickle this. (The pre-libusb code seems to not work right anymore).
I attempted to write a simple test program (open /dev/ugen0.00 and poll it), but it doesn't crash on 5.1. It looks like some refactoring in ugen.c 1.84 masked the issue (->edesc is not dereferenced if ->pipeh is null).
State-Changed-From-To: feedback->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sat, 30 Jun 2012 21:55:28 +0000
State-Changed-Why:
Feedback received in December. Submitter cannot test effectively.
As a fix has been committed, and the problem also got masked by other
changes, let's close the PR.
>Unformatted:
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.