Subject: kern/33935: wip/openct can crash NetBSD-current from userspace
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <ggm@apnic.net>
List: netbsd-bugs
Date: 07/07/2006 05:40:00
>Number: 33935
>Category: kern
>Synopsis: (user process) ifdhandler -> ugenpoll causes page fault to ddb> prompt
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jul 07 05:40:00 +0000 2006
>Originator: George Michaelson
>Release: NetBSD 3.99.21
>Organization:
George Michaelson | APNIC
Email: ggm@apnic.net | PO Box 2131 Milton
Phone: +61 7 3858 3150 | QLD 4064 Australia
Fax: +61 7 3858 3199 | http://www.apnic.net
>Environment:
System: NetBSD garlique.algebras.org 3.99.21 NetBSD 3.99.21 (GGM_ACPI) #3: Fri Jul 7 10:28:00 EST 2006 ggm@garlique.algebras.org:/data/Build/obj/usr/src/sys/arch/i386/compile/GGM_ACPI i386
Architecture: i386
Machine: i386
>Description:
I'm trying to get a Rainbow iKey 2032 USB security token to work
in NetBSD current, using the wip/openct package, which uses the
pcsc library to do ugen device driving.
When I run the openct-control init process, it detects the key
from its USB ID, and then calls its ifdhandler process to try
and open /dev/ugen0 or /dev/ugen1. The device has been recognized
as USB <whatever> host 2, so I do wonder if this is just about
it opening a ugen 'controller' rather than an attached device, e.g.
/dev/ugen1.02, but be that as it may, the ifdhandler process then
causes a page fault, and I'm dropped to the ddb> prompt.
ddb> showed me:
uvm_fault (0xcc29c7e4,0,1) -> 0xe
kernel: supervisor trap page fault, code=0
stopped in pid 177.1 (ifdhandler) at
netbsd:ugenpoll+0x69 movzbl 0x3 (%eax), %eax
*One* time, I was able to get the device to recognize and
list its crypto goodness. All other times, this has happened.
>How-To-Repeat:
Buy, steal or borrow a Rainbow iKey 2032. Plug it into a USB
port, run wip/openct and start the openct-control init process
as root.
>Fix:
nfi. I am *hoping* this is something about usb/ugen in the kernel
which can be closed off: I really don't think even root processes
should pagefault from userspace...
>Unformatted: