NetBSD-Bugs archive


Re: kern/48308: User can crash machine using a USB webcam



On 11/04/13 19:40, Mihai Chelaru wrote:
> The following reply was made to PR kern/48308; it has been noted by GNATS.
>
> From: Mihai Chelaru <mihai.chelaru%ngnetworks.ro@localhost>
> To: gnats-bugs%NetBSD.org@localhost
> Cc: dtyson%anduin.org.uk@localhost
> Subject: Re: kern/48308: User can crash machine using a USB webcam
> Date: Mon, 04 Nov 2013 21:42:39 +0200
>
>  
>  Hi,
>  
>  Probably it works in 6.1 because release kernels are not compiled with
>  options DIAGNOSTIC, so they don't trigger that assert. I have been using
>  the attached patch for some time without any problems. It should fix
>  your issue too.
>  
>  -- 
>  Mihai
>  
<patch snipped to save bandwidth>



Hi Mihai,
thanks for looking at this PR. I realised after I had posted it that
having options DIAGNOSTIC in GENERIC triggered the assert and removing
this enabled the webcam to work OK. However it needs to be fixed before
NetBSD-7 is branched:-)

I have applied your patch (it went on cleanly against the latest
usb_mem.c 1.63), however the kernel still panics under GENERIC in a
different place:

panic: kernel diagnostic assertion "(!cpu_intr_p() && !cpu_softintr_p()) || (pc->pc_pool.pr_ipl != IPL_NONE || cold || panicstr != NULL)" failed: file "/usr/src/sys/kern/subr_pool.c", line 2209 pool 'pvpl' is IPL_NONE, but called from interrupt context

fatal breakpoint trap in supervisor mode
trap type 1 code 0 eip c027fd44 cs 8 eflags 200246 cr2 bba90fd0 ilevel 4 esp db4e59dc
curlwp 0xc3b49a80 pid 0 lid 3 lowest kstack 0xdb4e3000

dumping to dev 0,1 offset 8
dump
crash> bt
_KERNEL_OPT_NARCNET(c0e054fc,100,c060c458,8,0,c0e05528,8,c0a4e11c,db4e5750,c029e04f) at 0
_KERNEL_OPT_NARCNET(100,0,db4e57f8,c029e757,c0e04100,0,c0978ed2,db4e5770,c0978ed2,c0e04100) at 0
db_sifting_cmd(c0e04100,0,c0978ed2,db4e5770,c0978ed2,c0e04100,c1033000,6f40,7020,d4e57a0) at db_sifting_cmd
db_command(db4e580c,0,0,0,db4e57fc,db4e5830,db4e5824,0,c029eab1,0) at db_command+0xe3
db_command_loop(c027fd44,0,3,c0e5f23d,1,db4e5978,4,db4e58d4,c02a1469,1) at db_command_loop+0xbe
db_trap(1,0,0,0,db4e5870,c0910010,30,10,c0810010,db4e59f8) at db_trap+0xe0
kdb_trap(1,0,db4e5978,3,db4e3000,200246,bba90fd0,4,db4e59dc,c0c7ef43) at kdb_trap+0x107
trap() at trap+0x269
--- trap (number 1) ---
breakpoint(c0cb5c21,c0ed9940,c0c9de88,db4e59f8,c0ecd100,0,0,db4e59ec,c09c6ddf,c0c9de88) at breakpoint+0x4
vpanic(c0c9de88,db4e59f8,db4e5a1c,c0814a0c,c0c9de88,c0c06d08,c0c9de20,c0c9df30,8a1,c0c7ef40) at vpanic+0x11c
kern_assert(c0c9de88,c0c06d08,c0c9de20,c0c9df30,8a1,c0c7ef40,c091fb94,13,c0ecd040,8748763) at kern_assert+0x23
pool_cache_get_paddr(c0ecd100,2,0,dd48d000,1000,0,0,0,401727,c41aee34) at pool_cache_get_paddr+0xfa
pmap_enter_ma(c0ecd040,dd48d000,8748000,8748000,3,13,0,db4e5ae4,c0233e9b,c0ecd040) at pmap_enter_ma+0xe8
pmap_enter_default(c0ecd040,dd48d000,8748000,3,13,c41aee34,0,1,13,c0e63ca0) at pmap_enter_default+0x39
_bus_dmamem_map.clone.5(c41ad924,5,1,1000,c41ad924,5,c41ad92c,1,c4468800,1000) at _bus_dmamem_map.clone.5+0xb9
usb_block_allocmem(db4e5bc8,0,0,1f9f,5c,0,c4276594,18,db4e5b64,c08f7a0b) at usb_block_allocmem+0x265
usb_allocmem_flags(c4134020,fa0,1000,db4e5bc8,0,db4e5bdc,c02cd6ef,c4134020,fa0,1000) at usb_allocmem_flags+0x66
usb_allocmem(c4134020,fa0,1000,db4e5bc8,5000,c4276594,c4134020,dcdef0a0,c41346f0,8a000) at usb_allocmem+0x2e
ehci_device_isoc_start(c4276594,db4e5c0c,c055473e,e0,1,c42765dc,c8,c8,c42a4d58,db4e5c38) at ehci_device_isoc_start+0x1b9
usbd_transfer(c4276594,c49ab104,c42a4d58,c58ce900,c8,5,c09071d4,c42a4d58,c8,c42a4d50) at usbd_transfer+0x93
uvideo_stream_recv_isoc_start1(c4276594,0,0,db4e5c5c,0,c42a4d00,de205400,960,c4276594,c49ab104) at uvideo_stream_recv_isoc_start1+0x6a
uvideo_stream_recv_isoc_complete(c4276594,c42a4d58,0,c0,dcdef000,db4e5ca8,c08f7c28,0,0,0) at uvideo_stream_recv_isoc_complete+0x9e
usb_transfer_complete(c4276594,4,20,a,c4276600,c8,190,1,dcdef000,c49a000c) at usb_transfer_complete+0x2ae
ehci_idone(c4276600,4,20,a,0,0,c4134004,c4134000,c42764c8,dc8d0f00) at ehci_idone+0x150
ehci_softintr(c4134020,db45e32c,db4e5d80,c05abe13,c4134020,c3b49d20,c41a8ee8,c01012a4,db4e0010,30) at ehci_softintr+0x194
usb_soft_intr(c4134020,c3b49d20,c41a8ee8,c01012a4,db4e0010,30,c3b40010,c3b40010,0,c3b49a80) at usb_soft_intr+0x22
softint_dispatch(c3b49d20,4,16250501,41985600,cb305138,150187c0,db4e5d90,db4e5bec,db4e5c50,0) at softint_dispatch+0xba
crash: kvm_read(0x38, 4): invalid translation (invalid PTE)
crash>

Sorry to be the bearer of bad news :-(

Cheers,
Dave


-- 
============================================
Phone: 07805784357
Open Source O/S: www.netbsd.org
Caving: http://www.wirralcavinggroup.org.uk
============================================
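
The assertion quoted in the panic above, modelled in userland C as an added example (not part of the original message and not NetBSD source). It shows why the same softint allocation from the 'pvpl' pool panics under options DIAGNOSTIC and goes unchecked in a release kernel. The struct layouts, `IPL_MODEL_VM` and the `pool_get_model` helper are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userland model only: these types stand in for kernel state (constructed). */
enum { IPL_NONE = 0, IPL_MODEL_VM = 1 };  /* IPL_MODEL_VM: hypothetical non-NONE level */

struct ctx {
    bool hardintr;          /* models cpu_intr_p() */
    bool softintr;          /* models cpu_softintr_p() */
    bool cold;              /* models the kernel's "cold" flag */
    const char *panicstr;   /* non-NULL once a panic is in progress */
};

struct pool_model { const char *name; int pr_ipl; };

enum outcome { ALLOC_OK, ALLOC_PANIC, ALLOC_UNCHECKED };

/* The asserted condition from the panic message, term for term. */
static bool pool_ctx_ok(const struct ctx *c, const struct pool_model *p)
{
    return (!c->hardintr && !c->softintr) ||
           (p->pr_ipl != IPL_NONE || c->cold || c->panicstr != NULL);
}

/* With DIAGNOSTIC the violation panics; without it the check is compiled
 * out and the invalid call simply proceeds. */
static enum outcome pool_get_model(const struct ctx *c,
                                   const struct pool_model *p, bool diagnostic)
{
    if (pool_ctx_ok(c, p))
        return ALLOC_OK;
    return diagnostic ? ALLOC_PANIC : ALLOC_UNCHECKED;
}

int main(void)
{
    static const char *names[] = { "ok", "panic", "unchecked misuse" };
    struct pool_model pvpl = { "pvpl", IPL_NONE };
    struct ctx softint = { false, true, false, NULL };  /* as in the backtrace */
    struct ctx thread = { false, false, false, NULL };

    printf("softint, DIAGNOSTIC:    %s\n", names[pool_get_model(&softint, &pvpl, true)]);
    printf("softint, no DIAGNOSTIC: %s\n", names[pool_get_model(&softint, &pvpl, false)]);
    printf("thread,  DIAGNOSTIC:    %s\n", names[pool_get_model(&thread, &pvpl, true)]);
    return 0;
}
```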


