NetBSD Problem Report #48308
From dtyson@darkstar.anduin.org.uk Sun Oct 13 16:20:48 2013
Return-Path: <dtyson@darkstar.anduin.org.uk>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 6B6A3725A6
for <gnats-bugs@gnats.NetBSD.org>; Sun, 13 Oct 2013 16:20:48 +0000 (UTC)
Message-Id: <20131013144853.971E225DCA@darkstar.anduin.org.uk>
Date: Sun, 13 Oct 2013 15:48:53 +0100 (BST)
From: dtyson@anduin.org.uk
Reply-To: dtyson@anduin.org.uk
To: gnats-bugs@NetBSD.org
Subject: User can crash machine using a USB webcam
X-Send-Pr-Version: 3.95
>Number: 48308
>Category: kern
>Synopsis: non-privileged user can crash machine using a USB webcam
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: skrll
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Oct 13 16:25:00 +0000 2013
>Closed-Date: Mon Apr 25 19:35:31 +0000 2016
>Last-Modified: Mon Apr 25 19:35:31 +0000 2016
>Originator: Dave Tyson
>Release: NetBSD 6.99.23
>Organization:
Anduin
>Environment:
System: NetBSD darkstar.anduin.org.uk 6.99.23 NetBSD 6.99.23 (MR) #0: Sun Sep 29 13:58:49 BST 2013 root@darkstar.anduin.org.uk:/usr/obj/sys/arch/i386/compile/MR i386
Architecture: i386
Machine: i386
>Description:
Plug in a USB webcam supported by the UVC interface. Bring up mplayer to display video.
Find the system crashes shortly after due to an assert.
panic: kernel diagnostic assertion "(!cpu_intr_p() && !cpu_softintr_p())" failed: file "/usr/src/sys/kern/subr_kmem.c", line 366 kmem(9) should not be used from the interrupt context
fatal breakpoint trap in supervisor mode
trap type 1 code 0 eip c027fb04 cs 8 eflags 200246 cr2 ba5fe440 ilevel 4 esp db469aac
curlwp 0xc3b4ca80 pid 0 lid 3 lowest kstack 0xdb467000
root(darkstar)crash$ crash -M netbsd.10.core
Crash version 6.99.23, image version 6.99.23.
System panicked: kernel diagnostic assertion "(!cpu_intr_p() && !cpu_softintr_p())" failed: file "/usr/src/sys/kern/subr_kmem.c", line 366 kmem(9) should not be used from the interrupt context
Backtrace from time of crash is available.
crash> bt
_KERNEL_OPT_NARCNET(c0c9c2c8,104,c060ffc8,8,0,c027fb04,4,104,db469aac,c0818e97) at 0
_end(104,0,c0c9c2c8,db469ac8,2c,1,1000,db469abc,c09c57df,c0c9c2c8) at db469ac8
vpanic(c0c9c2c8,db469ac8,db469ae0,c080fda9,c0c9c2c8,c0c05eb8,c0c9c2a0,c0c9c188,16e,c0e62c60) at vpanic+0x12c
kern_assert(c0c9c2c8,c0c05eb8,c0c9c2a0,c0c9c188,16e,c0e62c60,1000,db469b1c,c08fa182,2c) at kern_assert+0x23
kmem_zalloc(2c,1,6,c413d7b0,c08d30a6,c413d7e4,ffffffff,c446c800,c0ed9100,1000) at kmem_zalloc+0x43
usb_block_allocmem(db469bc4,0,0,1f9f,5c,0,c4277e58,18,db469b60,c08fa572) at usb_block_allocmem+0xe2
usb_allocmem_flags(c4137020,fa0,1000,db469bc4,0,db469bd8,c02cd4af,c4137020,fa0,1000) at usb_allocmem_flags+0x66
usb_allocmem(c4137020,fa0,1000,db469bc4,5000,c4277e58,c4137020,dd12f0a0,c41376f0,8a000) at usb_allocmem+0x2e
ehci_device_isoc_start(c4277e58,c3b49d00,10,db469bf4,c05b1cae,db469c1c,c4277ea0,c8,c8,c42a1d58) at ehci_device_isoc_star
t+0x1b9
usbd_transfer(c4277e58,c4ba1bfc,c42a1d58,c429f000,c8,5,c0909fe4,c42a1d58,c8,c42a1d50) at usbd_transfer+0x93
uvideo_stream_recv_isoc_start1(c4277e58,0,0,db469c5c,0,c42a1d00,dd4c5400,960,c4277e58,c4ba1bfc) at uvideo_stream_recv_is
oc_start1+0x6a
uvideo_stream_recv_isoc_complete(c4277e58,c42a1d58,0,c0,dd12f000,db469ca8,c08fa78f,0,0,0) at uvideo_stream_recv_isoc_com
plete+0x9e
usb_transfer_complete(c4277e58,4,20,a,c4277ec4,c8,190,1,dd12f000,c4ba000c) at usb_transfer_complete+0x2b8
ehci_idone(c4277ec4,4,20,a,0,0,c4137004,c4137000,c42774c8,dc8d0f00) at ehci_idone+0x150
ehci_softintr(c4137020,db46532c,db469d80,c05afa93,c4137020,0,c0100307,0,0,0) at ehci_softintr+0x194
usb_soft_intr(c4137020,0,c0100307,0,0,0,0,0,0,c3b4ca80) at usb_soft_intr+0x22
softint_dispatch(c3b4cd20,4,a8300798,49190b6,3a9b9c7a,1aa60ee3,db469d90,db469d28,c3b4ca80,0) at softint_dispatch+0xba
crash: kvm_read(0x38, 4): invalid translation (invalid PTE)
>How-To-Repeat:
Plug in a USB webcam (in my case one made by Medion). Note that it attaches and the uvideo device is
present:
uvideo0 at uhub4 port 7 configuration 1 interface 0: vendor 0x04f2 USB2.0 2MP UVC Camera, rev 2.00/1.00, addr 3
video0 at uvideo0: vendor 0x04f2 USB2.0 2MP UVC Camera, rev 2.00/1.00, addr 3
Bring up mplayer:
mplayer tv:// -tv driver=v4l2:device=/dev/video0 -fps 30
Find system crashes :-)
This same webcam works fine under NetBSD 6.1 I386 so I suspect its released to changes in the USB area.
>Fix:
no known but probably in the guts of usb rather than the video code
>Release-Note:
>Audit-Trail:
From: Mihai Chelaru <mihai.chelaru@ngnetworks.ro>
To: gnats-bugs@NetBSD.org
Cc: dtyson@anduin.org.uk
Subject: Re: kern/48308: User can crash machine using a USB webcam
Date: Mon, 04 Nov 2013 21:42:39 +0200
This is a multi-part message in MIME format.
--------------090805000104090603000906
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Hi,
Probably it works in 6.1 because release kernels are not compiled with
options DIAGNOSTIC, so they don't trigger that assert. I use the
attached patch for some time without any problems. It should fix your
issue too.
--
Mihai
--------------090805000104090603000906
Content-Type: text/plain; charset=us-ascii;
name="usb_mem.c.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="usb_mem.c.diff"
Index: sys/dev/usb/usb_mem.c
===================================================================
RCS file: /cvsroot/src/sys/dev/usb/usb_mem.c,v
retrieving revision 1.63
diff -u -p -r1.63 usb_mem.c
--- sys/dev/usb/usb_mem.c 15 Sep 2013 15:47:27 -0000 1.63
+++ sys/dev/usb/usb_mem.c 4 Nov 2013 19:23:44 -0000
@@ -44,6 +44,7 @@ __KERNEL_RCSID(0, "$NetBSD: usb_mem.c,v
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/kmem.h>
+#include <sys/pool.h>
#include <sys/queue.h>
#include <sys/device.h> /* for usbdivar.h */
#include <sys/bus.h>
@@ -81,6 +82,8 @@ struct usb_frag_dma {
LIST_ENTRY(usb_frag_dma) next;
};
+pool_cache_t dma_block_pool, dma_sseg_pool;
+
Static usbd_status usb_block_allocmem(bus_dma_tag_t, size_t, size_t,
usb_dma_block_t **, bool);
Static void usb_block_freemem(usb_dma_block_t *);
@@ -108,6 +111,21 @@ usb_mem_init(void)
{
mutex_init(&usb_blk_lock, MUTEX_DEFAULT, IPL_NONE);
+
+ dma_block_pool = pool_cache_init(sizeof(usb_dma_block_t), 0, 0, 0,
+ "udmablock", NULL, IPL_VM, NULL, NULL, NULL);
+ if (dma_block_pool == NULL)
+ panic("dma_block_pool");
+ pool_cache_sethiwat(dma_block_pool, 50);
+ pool_cache_setlowat(dma_block_pool, 20);
+
+ dma_sseg_pool = pool_cache_init(sizeof(bus_dma_segment_t), 0, 0, 0,
+ "udmasseg", NULL, IPL_VM, NULL, NULL, NULL);
+ if (dma_sseg_pool == NULL)
+ panic("dma_sseg_pool");
+ pool_cache_sethiwat(dma_sseg_pool, 50);
+ pool_cache_setlowat(dma_sseg_pool, 20);
+
return 0;
}
@@ -151,17 +169,11 @@ usb_block_allocmem(bus_dma_tag_t tag, si
}
}
-#ifdef DIAGNOSTIC
- if (cpu_intr_p()) {
- printf("usb_block_allocmem: in interrupt context, failed\n");
- return (USBD_NOMEM);
- }
-#endif
-
DPRINTFN(6, ("usb_block_allocmem: no free\n"));
- b = kmem_zalloc(sizeof *b, KM_SLEEP);
+ b = pool_cache_get(dma_block_pool, PR_WAITOK);
if (b == NULL)
return (USBD_NOMEM);
+ memset(b, 0, sizeof *b);
b->tag = tag;
b->size = size;
@@ -173,11 +185,15 @@ usb_block_allocmem(bus_dma_tag_t tag, si
else
b->nsegs = (size + (PAGE_SIZE-1)) / PAGE_SIZE;
- b->segs = kmem_alloc(b->nsegs * sizeof(*b->segs), KM_SLEEP);
+ if (b->nsegs == 1)
+ b->segs = pool_cache_get(dma_sseg_pool, PR_WAITOK);
+ else
+ b->segs = kmem_intr_alloc(b->nsegs *sizeof(*b->segs), KM_SLEEP);
if (b->segs == NULL) {
- kmem_free(b, sizeof *b);
+ pool_cache_put(dma_block_pool, b);
return USBD_NOMEM;
}
+ memset(b->segs, 0, b->nsegs * sizeof(*b->segs));
b->nsegs_alloc = b->nsegs;
error = bus_dmamem_alloc(tag, b->size, align, 0,
@@ -215,8 +231,11 @@ usb_block_allocmem(bus_dma_tag_t tag, si
free1:
bus_dmamem_free(tag, b->segs, b->nsegs);
free0:
- kmem_free(b->segs, b->nsegs_alloc * sizeof(*b->segs));
- kmem_free(b, sizeof *b);
+ if (__predict_true(b->nsegs_alloc == 1))
+ pool_cache_put(dma_sseg_pool, b->segs);
+ else
+ kmem_intr_free(b->segs, b->nsegs_alloc * sizeof(*b->segs));
+ pool_cache_put(dma_block_pool, b);
return (USBD_NOMEM);
}
@@ -234,8 +253,11 @@ usb_block_real_freemem(usb_dma_block_t *
bus_dmamap_destroy(b->tag, b->map);
bus_dmamem_unmap(b->tag, b->kaddr, b->size);
bus_dmamem_free(b->tag, b->segs, b->nsegs);
- kmem_free(b->segs, b->nsegs_alloc * sizeof(*b->segs));
- kmem_free(b, sizeof *b);
+ if (__predict_true(b->nsegs_alloc == 1))
+ pool_cache_put(dma_sseg_pool, b->segs);
+ else
+ kmem_intr_free(b->segs, b->nsegs_alloc * sizeof(*b->segs));
+ pool_cache_put(dma_block_pool, b);
}
#endif
@@ -322,7 +344,7 @@ usb_allocmem_flags(usbd_bus_handle bus,
if (f == NULL) {
DPRINTFN(1, ("usb_allocmem: adding fragments\n"));
err = usb_block_allocmem(tag, USB_MEM_BLOCK, USB_MEM_SMALL, &b,
- false);
+ 0);
if (err) {
mutex_exit(&usb_blk_lock);
return (err);
@@ -438,21 +460,22 @@ usb_reserve_allocm(struct usb_dma_reserv
if (rs->vaddr == 0 || size > USB_MEM_RESERVE)
return USBD_NOMEM;
- dma->block = kmem_zalloc(sizeof *dma->block, KM_SLEEP);
+ dma->block = pool_cache_get(dma_block_pool, PR_WAITOK);
if (dma->block == NULL) {
aprint_error_dev(rs->dv, "%s: failed allocating dma block",
__func__);
goto out0;
}
+ memset(dma->block, 0, sizeof(*dma->block));
- dma->block->nsegs = 1;
- dma->block->segs = kmem_alloc(dma->block->nsegs *
- sizeof(*dma->block->segs), KM_SLEEP);
+ dma->block->nsegs = dma->block->nsegs_alloc = 1;
+ dma->block->segs = pool_cache_get(dma_sseg_pool, PR_WAITOK);
if (dma->block->segs == NULL) {
aprint_error_dev(rs->dv, "%s: failed allocating 1 dma segment",
__func__);
goto out1;
}
+ memset(dma->block->segs, 0, sizeof(*dma->block->segs)); /* nsegs = 1 */
error = extent_alloc(rs->extent, size, PAGE_SIZE, 0,
EX_NOWAIT, &start);
@@ -475,10 +498,9 @@ usb_reserve_allocm(struct usb_dma_reserv
return USBD_NORMAL_COMPLETION;
out2:
- kmem_free(dma->block->segs, dma->block->nsegs *
- sizeof(*dma->block->segs));
+ pool_cache_put(dma_sseg_pool, dma->block->segs);
out1:
- kmem_free(dma->block, sizeof *dma->block);
+ pool_cache_put(dma_block_pool, dma->block);
out0:
return USBD_NOMEM;
}
@@ -489,9 +511,12 @@ usb_reserve_freem(struct usb_dma_reserve
extent_free(rs->extent,
(u_long)(rs->paddr + dma->offs), dma->block->size, 0);
- kmem_free(dma->block->segs, dma->block->nsegs *
- sizeof(*dma->block->segs));
- kmem_free(dma->block, sizeof *dma->block);
+ if (__predict_true(dma->block->nsegs_alloc == 1))
+ pool_cache_put(dma_sseg_pool, dma->block->segs);
+ else
+ kmem_intr_free(dma->block->segs, dma->block->nsegs *
+ sizeof(*dma->block->segs));
+ pool_cache_put(dma_block_pool, dma->block);
}
int
--------------090805000104090603000906--
From: Dave Tyson <dtyson@anduin.org.uk>
To: gnats-bugs@NetBSD.org
Cc: Mihai Chelaru <mihai.chelaru@ngnetworks.ro>,
kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: kern/48308: User can crash machine using a USB webcam
Date: Tue, 05 Nov 2013 16:38:21 +0000
On 11/04/13 19:40, Mihai Chelaru wrote:
> The following reply was made to PR kern/48308; it has been noted by GNATS.
>
> From: Mihai Chelaru <mihai.chelaru@ngnetworks.ro>
> To: gnats-bugs@NetBSD.org
> Cc: dtyson@anduin.org.uk
> Subject: Re: kern/48308: User can crash machine using a USB webcam
> Date: Mon, 04 Nov 2013 21:42:39 +0200
>
> This is a multi-part message in MIME format.
> --------------090805000104090603000906
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
>
> Hi,
>
> Probably it works in 6.1 because release kernels are not compiled with
> options DIAGNOSTIC, so they don't trigger that assert. I use the
> attached patch for some time without any problems. It should fix your
> issue too.
>
> --
> Mihai
>
<patch snipped to save bandwidth>
Hi Mihai,
thanks for looking at this PR. I realised after I had posted it that
having options DIAGNOSTIC in GENERIC triggered the assert and removing
this enabled the webcam to work OK. However it needs to be fixed before
NetBSD-7 is branched:-)
I have applied your patch (it went on cleanly against the latest
usb_mem.c 1.63), however the kernel still panics under GENERIC in a
different place:
panic: kernel diagnostic assertion "(!cpu_intr_p() && !cpu_softintr_p())
|| (pc-
>pc_pool.pr_ipl != IPL_NONE || cold || panicstr != NULL)" failed: file
"/usr/src
/sys/kern/subr_pool.c", line 2209 pool 'pvpl' is IPL_NONE, but called
from inter
rupt context
fatal breakpoint trap in supervisor mode
trap type 1 code 0 eip c027fd44 cs 8 eflags 200246 cr2 bba90fd0 ilevel 4
esp db4
e59dc
curlwp 0xc3b49a80 pid 0 lid 3 lowest kstack 0xdb4e3000
dumping to dev 0,1 offset 8
dump
crash> bt
_KERNEL_OPT_NARCNET(c0e054fc,100,c060c458,8,0,c0e05528,8,c0a4e11c,db4e5750,c029e
04f) at 0
_KERNEL_OPT_NARCNET(100,0,db4e57f8,c029e757,c0e04100,0,c0978ed2,db4e5770,c0978ed
2,c0e04100) at 0
db_sifting_cmd(c0e04100,0,c0978ed2,db4e5770,c0978ed2,c0e04100,c1033000,6f40,7020
,d4e57a0) at db_sifting_cmd
db_command(db4e580c,0,0,0,db4e57fc,db4e5830,db4e5824,0,c029eab1,0) at
db_command
+0xe3
db_command_loop(c027fd44,0,3,c0e5f23d,1,db4e5978,4,db4e58d4,c02a1469,1)
at db_co
mmand_loop+0xbe
db_trap(1,0,0,0,db4e5870,c0910010,30,10,c0810010,db4e59f8) at db_trap+0xe0
kdb_trap(1,0,db4e5978,3,db4e3000,200246,bba90fd0,4,db4e59dc,c0c7ef43) at
kdb_tra
p+0x107
trap() at trap+0x269
--- trap (number 1) ---
breakpoint(c0cb5c21,c0ed9940,c0c9de88,db4e59f8,c0ecd100,0,0,db4e59ec,c09c6ddf,c0
c9de88) at breakpoint+0x4
vpanic(c0c9de88,db4e59f8,db4e5a1c,c0814a0c,c0c9de88,c0c06d08,c0c9de20,c0c9df30,8
a1,c0c7ef40) at vpanic+0x11c
kern_assert(c0c9de88,c0c06d08,c0c9de20,c0c9df30,8a1,c0c7ef40,c091fb94,13,c0ecd04
0,8748763) at kern_assert+0x23
pool_cache_get_paddr(c0ecd100,2,0,dd48d000,1000,0,0,0,401727,c41aee34)
at pool_c
ache_get_paddr+0xfa
pmap_enter_ma(c0ecd040,dd48d000,8748000,8748000,3,13,0,db4e5ae4,c0233e9b,c0ecd04
0) at pmap_enter_ma+0xe8
pmap_enter_default(c0ecd040,dd48d000,8748000,3,13,c41aee34,0,1,13,c0e63ca0)
at p
map_enter_default+0x39
_bus_dmamem_map.clone.5(c41ad924,5,1,1000,c41ad924,5,c41ad92c,1,c4468800,1000)
a
t _bus_dmamem_map.clone.5+0xb9
usb_block_allocmem(db4e5bc8,0,0,1f9f,5c,0,c4276594,18,db4e5b64,c08f7a0b)
at usb_
block_allocmem+0x265
usb_allocmem_flags(c4134020,fa0,1000,db4e5bc8,0,db4e5bdc,c02cd6ef,c4134020,fa0,1
000) at usb_allocmem_flags+0x66
usb_allocmem(c4134020,fa0,1000,db4e5bc8,5000,c4276594,c4134020,dcdef0a0,c41346f0
,8a000) at usb_allocmem+0x2e
ehci_device_isoc_start(c4276594,db4e5c0c,c055473e,e0,1,c42765dc,c8,c8,c42a4d58,d
b4e5c38) at ehci_device_isoc_start+0x1b9
usbd_transfer(c4276594,c49ab104,c42a4d58,c58ce900,c8,5,c09071d4,c42a4d58,c8,c42a
4d50) at usbd_transfer+0x93
uvideo_stream_recv_isoc_start1(c4276594,0,0,db4e5c5c,0,c42a4d00,de205400,960,c42
76594,c49ab104) at uvideo_stream_recv_isoc_start1+0x6a
uvideo_stream_recv_isoc_complete(c4276594,c42a4d58,0,c0,dcdef000,db4e5ca8,c08f7c
28,0,0,0) at uvideo_stream_recv_isoc_complete+0x9e
usb_transfer_complete(c4276594,4,20,a,c4276600,c8,190,1,dcdef000,c49a000c)
at us
b_transfer_complete+0x2ae
ehci_idone(c4276600,4,20,a,0,0,c4134004,c4134000,c42764c8,dc8d0f00) at
ehci_idon
e+0x150
ehci_softintr(c4134020,db45e32c,db4e5d80,c05abe13,c4134020,c3b49d20,c41a8ee8,c01
012a4,db4e0010,30) at ehci_softintr+0x194
usb_soft_intr(c4134020,c3b49d20,c41a8ee8,c01012a4,db4e0010,30,c3b40010,c3b40010,
0,c3b49a80) at usb_soft_intr+0x22
softint_dispatch(c3b49d20,4,16250501,41985600,cb305138,150187c0,db4e5d90,db4e5be
c,db4e5c50,0) at softint_dispatch+0xba
crash: kvm_read(0x38, 4): invalid translation (invalid PTE)
crash>
Sorry to be the bearer of bad news :-(
Cheers,
Dave
--
============================================
Phone: 07805784357
Open Source O/S: www.netbsd.org
Caving: http://www.wirralcavinggroup.org.uk
============================================
From: Nick Hudson <skrll@netbsd.org>
To: Dave Tyson <dtyson@anduin.org.uk>
Cc: gnats-bugs@NetBSD.org, Mihai Chelaru <mihai.chelaru@ngnetworks.ro>,
kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: kern/48308: User can crash machine using a USB webcam
Date: Wed, 06 Nov 2013 08:30:28 +0000
On 11/05/13 16:38, Dave Tyson wrote:
> On 11/04/13 19:40, Mihai Chelaru wrote:
>> The following reply was made to PR kern/48308; it has been noted by GNATS.
>>
>> [more snipping]
>> Probably it works in 6.1 because release kernels are not compiled with
>> options DIAGNOSTIC, so they don't trigger that assert. I use the
>> attached patch for some time without any problems. It should fix your
>> issue too.
>>
>> --
>> Mihai
>>
> <patch snipped to save bandwidth>
>
>
>
> Hi Mihai,
> thanks for looking at this PR. I realised after I had posted it that
> having options DIAGNOSTIC in GENERIC triggered the assert and removing
> this enabled the webcam to work OK. However it needs to be fixed before
> NetBSD-7 is branched:-)
>
> I have applied your patch (it went on cleanly against the latest
> usb_mem.c 1.63), however the kernel still panics under GENERIC in a
> different place:
>
> panic: kernel diagnostic assertion "(!cpu_intr_p() && !cpu_softintr_p())
> || (pc->pc_pool.pr_ipl != IPL_NONE || cold || panicstr != NULL)" failed: file
> "/usr/src/sys/kern/subr_pool.c", line 2209 pool 'pvpl' is IPL_NONE, but called from interrupt context
USB memory management needs a revamp
Nick
Responsible-Changed-From-To: kern-bug-people->skrll
Responsible-Changed-By: skrll@NetBSD.org
Responsible-Changed-When: Sun, 08 Mar 2015 13:25:02 +0000
Responsible-Changed-Why:
Take
State-Changed-From-To: open->feedback
State-Changed-By: skrll@NetBSD.org
State-Changed-When: Sat, 23 Apr 2016 13:03:16 +0000
State-Changed-Why:
nick-nhusb has been merged (7.99.28) and addresses this PR. OK to close?
From: Dave Tyson <dtyson@anduin.org.uk>
To: gnats-bugs@netbsd.org
Cc: skrll@netbsd.org, netbsd-bugs@netbsd.org, gnats-admin@netbsd.org
Subject: Re: kern/48308 (non-privileged user can crash machine using a USB webcam)
Date: Mon, 25 Apr 2016 14:32:27 +0100
This is a multi-part message in MIME format.
--nextPart3354363.pU9mQxUzOc
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
On Saturday 23 Apr 2016 13:03:16 skrll@NetBSD.org wrote:
> Synopsis: non-privileged user can crash machine using a USB webcam
>
> State-Changed-From-To: open->feedback
> State-Changed-By: skrll@NetBSD.org
> State-Changed-When: Sat, 23 Apr 2016 13:03:16 +0000
> State-Changed-Why:
> nick-nhusb has been merged (7.99.28) and addresses this PR. OK to
close?
Yes, close this PR as it fixes the original problem and the camera works
fine. Tested under the latest amd64 kernel 7.99.28 built today.
There is still an issue that unplugging the camera when its in use crashes
the system, but I will file a separate PR for that.
Dave
--
=========================================
Phone: 07805784357
Open Source O/S: www.netbsd.org
Caving: http://www.wirralcavinggroup.org.uk
=========================================
--nextPart3354363.pU9mQxUzOc
Content-Transfer-Encoding: 7Bit
Content-Type: text/html; charset="us-ascii"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd">
<html><head><meta name="qrichtext" content="1" /><style type="text/css">
p, li { white-space: pre-wrap; }
</style></head><body style=" font-family:'Monospace'; font-size:9pt; font-weight:400; font-style:normal;">
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">On Saturday 23 Apr 2016 13:03:16 skrll@NetBSD.org wrote:</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> Synopsis: non-privileged user can crash machine using a USB webcam</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> State-Changed-From-To: open->feedback</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> State-Changed-By: skrll@NetBSD.org</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> State-Changed-When: Sat, 23 Apr 2016 13:03:16 +0000</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> State-Changed-Why:</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">> nick-nhusb has been merged (7.99.28) and addresses this PR. OK to close?</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; "> </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Yes, close this PR as it fixes the original problem and the camera works fine. Tested under the latest amd64 kernel 7.99.28 built today.</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; "> </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">There is still an issue that unplugging the camera when its in use crashes the system, but I will file a separate PR for that.</p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; "> </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Dave </p>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; "> </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">-- </p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">=========================================</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Phone: 07805784357</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Open Source O/S: www.netbsd.org</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">Caving: http://www.wirralcavinggroup.org.uk</p>
<p style=" margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;">=========================================</p></body></html>
--nextPart3354363.pU9mQxUzOc--
State-Changed-From-To: feedback->closed
State-Changed-By: skrll@NetBSD.org
State-Changed-When: Mon, 25 Apr 2016 19:35:31 +0000
State-Changed-Why:
Submitter confirmed
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.