NetBSD-Bugs archive


Re: kern/48954: USB diagnostic message: actlen (-15996) > len (4)



The following reply was made to PR kern/48954; it has been noted by GNATS.

From: Alexander Nasonov <alnsn%yandex.ru@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
        netbsd-bugs%netbsd.org@localhost, alnsn%NetBSD.org@localhost
Subject: Re: kern/48954: USB diagnostic message: actlen (-15996) > len (4)
Date: Fri, 27 Jun 2014 15:08:28 +0100

 matthew green wrote:
 >  i've not seen anything that suggested corrupted memory, though it
 >  does seem possible.  i have seen it lock up twice, unable to talk
 >  to the network at all, requiring being unplugged and reinserted
 >  to work again.
 
 Replugging my card almost surely leads to a crash. The location of a crash
 is quite predictable, but it depends on compilation flags and the verbosity
 of debugging messages.
 
 I picked one crash between usbd_setup_xfer and usbd_transfer
 calls:
 
 ffffffff8044b34c:       48 8b bb f8 32 00 00    mov    0x32f8(%rbx),%rdi
 ffffffff8044b353:       48 c7 44 24 08 4d 75    movq   $0xffffffff8044754d,0x8(%rsp)
 ffffffff8044b35a:       44 80
 ffffffff8044b35c:       c7 04 24 00 00 00 00    movl   $0x0,(%rsp)
 ffffffff8044b363:       41 b9 05 00 00 00       mov    $0x5,%r9d
 ffffffff8044b369:       41 b8 00 40 00 00       mov    $0x4000,%r8d
 ffffffff8044b36f:       4c 89 e2                mov    %r12,%rdx
 ffffffff8044b372:       e8 e7 17 41 00          callq  ffffffff8085cb5e <usbd_setup_xfer>
 ffffffff8044b377:       48 8b bb f8 32 00 00    mov    0x32f8(%rbx),%rdi
 
                                                        ^^^^^^^^^^^^
                                                        IT CRASHES HERE
 
 ffffffff8044b37e:       e8 78 11 41 00          callq  ffffffff8085c4fb <usbd_transfer>
 
 Note that it's reading the same memory location 0x32f8(%rbx) twice but
 the second read crashes the kernel.
 
 Alex
 

