NetBSD Problem Report #41048
From njoly@lanfeust.sis.pasteur.fr Fri Mar 20 14:35:44 2009
Return-Path: <njoly@lanfeust.sis.pasteur.fr>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 3D44463B8EC
for <gnats-bugs@gnats.NetBSD.org>; Fri, 20 Mar 2009 14:35:44 +0000 (UTC)
Message-Id: <20090320143541.39B4BDC9B9@lanfeust.sis.pasteur.fr>
Date: Fri, 20 Mar 2009 15:35:41 +0100 (CET)
From: njoly@pasteur.fr
Reply-To: njoly@pasteur.fr
To: gnats-bugs@gnats.NetBSD.org
Subject: ugen(4) crash with USB_SET_CONFIG ioctl
X-Send-Pr-Version: 3.95
>Number: 41048
>Category: kern
>Synopsis: ugen(4) crash with USB_SET_CONFIG ioctl
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Mar 20 14:40:00 +0000 2009
>Closed-Date: Mon Mar 23 10:59:22 +0000 2009
>Last-Modified: Tue Mar 24 21:00:05 +0000 2009
>Originator: Nicolas Joly
>Release: NetBSD 5.99.8
>Organization:
Institut Pasteur
>Environment:
System: NetBSD lanfeust.sis.pasteur.fr 5.99.8 NetBSD 5.99.8 (LANFEUST_DEVEL) #4: Fri Mar 20 13:31:35 CET 2009 njoly@lanfeust.sis.pasteur.fr:/local/src/NetBSD/obj.amd64/sys/arch/amd64/compile/LANFEUST_DEVEL amd64
Architecture: x86_64
Machine: amd64
>Description:
I just got a reproductible kernel panic while trying to set the device to
configuration number 0 twice on a ugen(4) device.
I was able to reproduce it on 2 different amd64 machines, with both a webcam
and a USB mouse. Both of them have a single configuration available (numbered
1). NB: it does crash when trying to set configuration number 2, which do
not exist.
njoly@lanfeust [~]> dmesg | grep -e ugen -e uhub1 -e usb1 -e ohci1
ohci1 at pci1 dev 0 function 1: Advanced Micro Devices AMD8111 USB Host Controller (rev. 0x0b)
ohci1: interrupting at ioapic0 pin 19
ohci1: OHCI version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1: Advanced Micro OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
ugen0 at uhub1 port 1
ugen0: Logitech USB-PS/2 Optical Mouse, rev 2.00/20.00, addr 2
root@lanfeust [NetBSD/usb]# cat ugen.c
#include <dev/usb/usb.h>
#include <sys/ioctl.h>
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
int main() {
int fd, res, cnf;
fd = open("/dev/ugen0.00", O_RDWR);
if (fd == -1)
err(1, "open failed");
cnf = 0;
res = ioctl(fd, USB_SET_CONFIG, &cnf);
if (res == -1)
err(1, "ioctl USB_SET_CONFIG failed");
res = close(fd);
if (res == -1)
err(1, "close failed");
return 0; }
root@lanfeust [NetBSD/usb]# make ugen
cc -O2 -o ugen ugen.c
root@lanfeust [NetBSD/usb]# ./ugen
ugen: ioctl USB_SET_CONFIG failed: Input/output error
root@lanfeust [NetBSD/usb]# ./ugen
[...PANIC...]
kernel: page fault trap, code=0
Stopped in pid 720.1 (ugen) at netbsd:ugen_set_config+0x3e: movzbl 0x5(%rax
),%eax
db{0}> bt
ugen_set_config() at netbsd:ugen_set_config+0x3e
ugenioctl() at netbsd:ugenioctl+0x135
cdev_ioctl() at netbsd:cdev_ioctl+0x91
VOP_IOCTL() at netbsd:VOP_IOCTL+0x6e
vn_ioctl() at netbsd:vn_ioctl+0x6d
sys_ioctl() at netbsd:sys_ioctl+0x134
syscall() at netbsd:syscall+0xb6
>How-To-Repeat:
Run the testcase twice ...
>Fix:
please.
>Release-Note:
>Audit-Trail:
From: Matthias Drochner <drochner@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/41048 CVS commit: src/sys/dev/usb
Date: Fri, 20 Mar 2009 20:47:43 +0000
Module Name: src
Committed By: drochner
Date: Fri Mar 20 20:47:43 UTC 2009
Modified Files:
src/sys/dev/usb: ugen.c
Log Message:
Putting a device into the unconfigured state by an ioctl seems legitimate,
so check for a non-NULL configuration descriptor before dereferencing.
Should fix a crash reported by Nicolas Joly per PR kern/41048.
(It still doesn't look good that the ioctl which unconfigures the device
returns EIO -- either it is legitimate or it isn't -- but since this
is a pullup candidate I don't dare to change user visible behaviour.)
To generate a diff of this commit:
cvs rdiff -u -r1.101 -r1.102 src/sys/dev/usb/ugen.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Matthias Drochner <M.Drochner@fz-juelich.de>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@NetBSD.org, gnats-admin@NetBSD.org,
netbsd-bugs@NetBSD.org
Subject: Re: kern/41048: ugen(4) crash with USB_SET_CONFIG ioctl
Date: Fri, 20 Mar 2009 21:51:37 +0100
njoly@pasteur.fr said:
> kernel panic while trying to set the device to configuration number 0
Configuration number 0 happens to be the non-configuration...
I'm assuming that while it doesn't make much sense it is still
legal to do this through ugen, so I've added a check which
just prevents the crash.
> NB: it does crash when trying to set configuration number 2, which do
> not exist.
You mean it does _not_ crash???
best regards
Matthias
-------------------------------------------------------------------
-------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
Dr. Sebastian M. Schmidt
-------------------------------------------------------------------
-------------------------------------------------------------------
From: Nicolas Joly <njoly@pasteur.fr>
To: Matthias Drochner <M.Drochner@fz-juelich.de>
Cc: gnats-bugs@NetBSD.org, kern-bug-people@NetBSD.org,
gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: kern/41048: ugen(4) crash with USB_SET_CONFIG ioctl
Date: Fri, 20 Mar 2009 22:00:15 +0100
On Fri, Mar 20, 2009 at 09:51:37PM +0100, Matthias Drochner wrote:
>
> njoly@pasteur.fr said:
> > kernel panic while trying to set the device to configuration number 0
>
> Configuration number 0 happens to be the non-configuration...
> I'm assuming that while it doesn't make much sense it is still
> legal to do this through ugen, so I've added a check which
> just prevents the crash.
Thanks.
> > NB: it does crash when trying to set configuration number 2, which do
> > not exist.
>
> You mean it does _not_ crash???
Yes, sorry. No problem when doing the same test with config 2.
--
Nicolas Joly
Biological Software and Databanks.
Institut Pasteur, Paris.
State-Changed-From-To: open->feedback
State-Changed-By: drochner@NetBSD.org
State-Changed-When: Sat, 21 Mar 2009 12:41:47 +0000
State-Changed-Why:
committed a fix
From: Nicolas Joly <njoly@pasteur.fr>
To: Matthias Drochner <M.Drochner@fz-juelich.de>
Cc: gnats-bugs@NetBSD.org, kern-bug-people@NetBSD.org,
gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: kern/41048: ugen(4) crash with USB_SET_CONFIG ioctl
Date: Sat, 21 Mar 2009 19:06:02 +0100
On Fri, Mar 20, 2009 at 09:51:37PM +0100, Matthias Drochner wrote:
>
> njoly@pasteur.fr said:
> > kernel panic while trying to set the device to configuration number 0
>
> Configuration number 0 happens to be the non-configuration...
> I'm assuming that while it doesn't make much sense it is still
> legal to do this through ugen, so I've added a check which
> just prevents the crash.
I just tested it again, and the problem is gone.
Thanks.
--
Nicolas Joly
Biological Software and Databanks.
Institut Pasteur, Paris.
State-Changed-From-To: feedback->closed
State-Changed-By: drochner@NetBSD.org
State-Changed-When: Mon, 23 Mar 2009 10:59:22 +0000
State-Changed-Why:
submitter confirmed, pullup requested
From: Soren Jacobsen <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/41048 CVS commit: [netbsd-5] src/sys/dev/usb
Date: Tue, 24 Mar 2009 20:59:29 +0000
Module Name: src
Committed By: snj
Date: Tue Mar 24 20:59:29 UTC 2009
Modified Files:
src/sys/dev/usb [netbsd-5]: ugen.c
Log Message:
Pull up following revision(s) (requested by drochner in ticket #603):
sys/dev/usb/ugen.c: revision 1.102
Putting a device into the unconfigured state by an ioctl seems legitimate,
so check for a non-NULL configuration descriptor before dereferencing.
Should fix a crash reported by Nicolas Joly per PR kern/41048.
(It still doesn't look good that the ioctl which unconfigures the device
returns EIO -- either it is legitimate or it isn't -- but since this
is a pullup candidate I don't dare to change user visible behaviour.)
To generate a diff of this commit:
cvs rdiff -u -r1.99 -r1.99.8.1 src/sys/dev/usb/ugen.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home