tech-kern archive
Re: USB-related panic in 8.2_STABLE
> Date: Thu, 27 Apr 2023 13:10:19 +0200
> From: Timo Buhrmester <timo%math.uni-bonn.de@localhost>
>
> | uvm_fault(0xfffffe82574c2458, 0x0, 1) -> e
> | fatal page fault in supervisor mode
> | trap type 6 code 0 rip 0xffffffff802f627e cs 0x8 rflags 0x10246 cr2 0x2 ilevel 6 (NB: could be ilevel 0 as well) rsp 0xffff80013f482c10
> | curlwp 0xfffffe83002b2000 pid 8393.1 lowest kstack 0xffff80013f4802c0
> | kernel: page fault trap, code=0
> | Stopped in pid 8393.1 (nutdrv_qx_usb) at netbsd:ugen_get_cdesc+0xb1:
> | movzwl 2(%rax),%edx
> | db{2}> bt
> | ugen_get_cdesc() at netbsd:ugen_get_cdesc+0xb1
> | ugenioctl() at netbsd:ugenioctl+0x9a4
This is a null pointer dereference somewhere in ugen_get_cdesc, via
some ioctl. I'm not sure exactly where in ugen_get_cdesc this was, or
what ioctl it was, but there's a good chance this was fixed in ugen.c
rev. 1.148. Perhaps that should be pulled up to netbsd-8.
If you have netbsd.gdb handy for this kernel, you could confirm by
asking it about:

    list *(ugen_get_cdesc+0xb1)
    list *(ugenioctl+0x9a4)
commit db5abd10e31668e7ad07666b52d59dc2aee554d2
Author: bouyer <bouyer%NetBSD.org@localhost>
Date: Wed Dec 11 11:54:23 2019 +0000
reading usbdi.c it looks like usbd_get_config_descriptor() can actually
return NULL, so check for this.
I got NULL pointer dereference here with a device showing:
[ 303.732632] ugen0: autoconfiguration error: setting configuration index 0 failed
diff --git a/sys/dev/usb/ugen.c b/sys/dev/usb/ugen.c
index 19f349e96f52..2f34b6def874 100644
--- a/sys/dev/usb/ugen.c
+++ b/sys/dev/usb/ugen.c
[...]
@@ -1406,6 +1406,8 @@ ugen_get_cdesc(struct ugen_softc *sc, int index, int *lenp)
if (index == USB_CURRENT_CONFIG_INDEX) {
tdesc = usbd_get_config_descriptor(sc->sc_udev);
+ if (tdesc == NULL)
+ return NULL;
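Review bot: the new early return in the USB_CURRENT_CONFIG_INDEX branch hands NULL back without touching *lenp in the lines shown, so each caller of ugen_get_cdesc(), including the ugenioctl() path in the backtrace above, needs to test the returned pointer before it reads the length or the descriptor; it is worth confirming that in the same change. A one-line comment above `if (tdesc == NULL)` saying when usbd_get_config_descriptor() returns NULL (the commit message points at a device whose "setting configuration index 0 failed") would keep the check from looking redundant to a later reader. It would also help to say in the pull-up request whether the ioctl then reports an error to userland or silently returns nothing, since the visible lines do not show what the caller does with NULL.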