kern/41048: ugen(4) crash with USB_SET_CONFIG ioctl

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/41048: ugen(4) crash with USB_SET_CONFIG ioctl
From: njoly%pasteur.fr@localhost
Date: Fri, 20 Mar 2009 14:40:00 +0000 (UTC)

>Number:         41048
>Category:       kern
>Synopsis:       ugen(4) crash with USB_SET_CONFIG ioctl
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 20 14:40:00 +0000 2009
>Originator:     Nicolas Joly
>Release:        NetBSD 5.99.8
>Organization:
Institut Pasteur
>Environment:
System: NetBSD lanfeust.sis.pasteur.fr 5.99.8 NetBSD 5.99.8 (LANFEUST_DEVEL) 
#4: Fri Mar 20 13:31:35 CET 2009 
njoly%lanfeust.sis.pasteur.fr@localhost:/local/src/NetBSD/obj.amd64/sys/arch/amd64/compile/LANFEUST_DEVEL
 amd64
Architecture: x86_64
Machine: amd64
>Description:
I just got a reproductible kernel panic while trying to set the device to
configuration number 0 twice on a ugen(4) device.

I was able to reproduce it on 2 different amd64 machines, with both a webcam
and a USB mouse. Both of them have a single configuration available (numbered
1). NB: it does crash when trying to set configuration number 2, which do
not exist.

njoly@lanfeust [~]> dmesg | grep -e ugen -e uhub1 -e usb1 -e ohci1
ohci1 at pci1 dev 0 function 1: Advanced Micro Devices AMD8111 USB Host 
Controller (rev. 0x0b)
ohci1: interrupting at ioapic0 pin 19
ohci1: OHCI version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1: Advanced Micro OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
ugen0 at uhub1 port 1
ugen0: Logitech USB-PS/2 Optical Mouse, rev 2.00/20.00, addr 2

root@lanfeust [NetBSD/usb]# cat ugen.c

#include <dev/usb/usb.h>
#include <sys/ioctl.h>

#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main() {
  int fd, res, cnf;

  fd = open("/dev/ugen0.00", O_RDWR);
  if (fd == -1)
    err(1, "open failed");

  cnf = 0;
  res = ioctl(fd, USB_SET_CONFIG, &cnf);
  if (res == -1)
    err(1, "ioctl USB_SET_CONFIG failed");

  res = close(fd);
  if (res == -1)
    err(1, "close failed");

  return 0; }
root@lanfeust [NetBSD/usb]# make ugen
cc -O2   -o ugen ugen.c
root@lanfeust [NetBSD/usb]# ./ugen
ugen: ioctl USB_SET_CONFIG failed: Input/output error
root@lanfeust [NetBSD/usb]# ./ugen
[...PANIC...]

kernel: page fault trap, code=0
Stopped in pid 720.1 (ugen) at  netbsd:ugen_set_config+0x3e:    movzbl  0x5(%rax
),%eax
db{0}> bt
ugen_set_config() at netbsd:ugen_set_config+0x3e
ugenioctl() at netbsd:ugenioctl+0x135
cdev_ioctl() at netbsd:cdev_ioctl+0x91
VOP_IOCTL() at netbsd:VOP_IOCTL+0x6e
vn_ioctl() at netbsd:vn_ioctl+0x6d
sys_ioctl() at netbsd:sys_ioctl+0x134
syscall() at netbsd:syscall+0xb6

>How-To-Repeat:
Run the testcase twice ...
>Fix:
please.

Follow-Ups:
- Re: kern/41048: ugen(4) crash with USB_SET_CONFIG ioctl
  - From: Matthias Drochner

Prev by Date: Re: kern/41005: kernel failed to select correct outgoing address for Multicast packets
Next by Date: Re: kern/41005: kernel failed to select correct outgoing address for Multicast packets
Previous by Thread: PR/41012 CVS commit: src/sys/conf
Next by Thread: Re: kern/41048: ugen(4) crash with USB_SET_CONFIG ioctl
Indexes:

Home | Main Index | Thread Index | Old Index