NetBSD-Bugs archive


Re: kern/50810: Kernel page fault trap in ugenclose()



The following reply was made to PR kern/50810; it has been noted by GNATS.

From: Andreas Gustafsson <gson%gson.org@localhost>
To: skrll%NetBSD.org@localhost
Cc: gnats-bugs%NetBSD.org@localhost
Subject: Re: kern/50810: Kernel page fault trap in ugenclose()
Date: Sat, 20 Feb 2016 13:11:39 +0200

 Nick Hudson wrote:
 >  The ioctl (USB_SET_ALTINTERFACE) is blatting edesc and making it fail
 >  
 >  Not sure why it's doing this before closing the endpoints.
 >  
 >  Maybe the ioctl should fail here?
 
 I'm having some trouble following your comment.
 
 - What do you mean by "blatting"?  The dictionary
   I consulted was not helpful.
 
 - In "why it's doing this", what does "it" refer to?
 
 - At what point should the ioctl fail, and why would it make
   a difference?
 
 I see there is a comment in ugen_set_interface() saying /* XXX should
 only do this after setting new altno has succeeded */, which seems to
 point at a possible cause of the bug: If setting the new altno fails,
 sce->edesc will be NULL, but sce->pipeh has not been cleared, so if it
 was not NULL to begin with, we have the exact combination of
 conditions (sce->pipeh != NULL && sce->edesc == NULL) that triggers
 the crash in ugenclose().
 
 Also, there are several places checking for sce == NULL, for example:
 
    sce = &sc->sc_endpoints[UGENENDPOINT(dev)][IN];
    if (sce == NULL)
 
 None of these make any sense - sce is a pointer into the middle of the
 ugen_softc struct, so it can *never* be NULL by definition.
 Should they all say "sce->sc == NULL"?  What is the canonical way
 of distinguishing a valid endpoint from an invalid one?
 -- 
 Andreas Gustafsson, gson%gson.org@localhost
 
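 As an added illustration (not code from the PR, and not the NetBSD ugen driver
 itself): a constructed C model of the state the message above describes. The
 struct and function names (endpoint, softc, set_interface_bad/good,
 close_endpoint) are hypothetical stand-ins for the driver's own types; the
 "alternate setting fails" outcome is simulated by a boolean. The model shows
 (a) the ordering problem flagged by the XXX comment: clearing edesc before the
 altno change is known to have succeeded leaves pipeh set and edesc NULL, which
 is exactly the combination the close path trips over; (b) that a pointer formed
 as &sc->endpoints[i][IN] can never be NULL, so a NULL test on it is dead code,
 and a check on sce->edesc (assumed here, not stated to be the driver's
 canonical test) is what actually distinguishes a valid endpoint.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified stand-ins for the driver's structures. */
struct endpoint_desc { int addr; int maxpkt; };
struct pipe { int open; };

struct endpoint {
    struct endpoint_desc *edesc;   /* NULL when no valid endpoint */
    struct pipe *pipeh;            /* non-NULL while a pipe is open */
};

#define NENDPOINTS 4
enum { IN = 0, OUT = 1 };
struct softc {
    struct endpoint endpoints[NENDPOINTS][2];  /* [endpoint][IN/OUT] */
};

/* Simulated "set alternate interface": 0 on success, -1 if rejected.
 * alt_ok is the constructed outcome for the scenario. */
static int set_altno(bool alt_ok) { return alt_ok ? 0 : -1; }

/* Ordering the XXX comment warns about: the descriptor is cleared
 * before the alternate setting has succeeded. On failure we return
 * with pipeh still set and edesc == NULL. */
static int set_interface_bad(struct softc *sc, bool alt_ok,
                             struct endpoint_desc *newdesc)
{
    struct endpoint *sce = &sc->endpoints[1][IN];
    sce->edesc = NULL;                 /* cleared too early */
    if (set_altno(alt_ok) != 0)
        return -1;                     /* inconsistent state left behind */
    sce->edesc = newdesc;
    return 0;
}

/* Ordering the comment asks for: touch endpoint state only after the
 * altno change succeeded. (A real driver also has to deal with the old
 * pipe; this model only demonstrates the ordering.) */
static int set_interface_good(struct softc *sc, bool alt_ok,
                              struct endpoint_desc *newdesc)
{
    struct endpoint *sce = &sc->endpoints[1][IN];
    if (set_altno(alt_ok) != 0)
        return -1;                     /* old edesc/pipeh untouched */
    sce->edesc = newdesc;
    return 0;
}

/* Mirrors the close path: closing an open pipe needs its descriptor.
 * Returns 0 if the state was consistent, -1 where the kernel would
 * dereference a NULL edesc (the page-fault case). */
static int close_endpoint(struct endpoint *sce)
{
    if (sce->pipeh != NULL) {
        if (sce->edesc == NULL)
            return -1;                 /* in-kernel: NULL deref, trap */
        sce->pipeh = NULL;
    }
    return 0;
}

/* The check the message calls meaningless: the address of an array
 * element inside a struct is never NULL, so this always returns false. */
static bool endpoint_ptr_is_null(struct softc *sc, int i)
{
    struct endpoint *sce = &sc->endpoints[i][IN];
    return sce == NULL;
}

/* Assumed validity test: an endpoint is usable only if it has a descriptor. */
static bool endpoint_valid(const struct endpoint *sce)
{
    return sce->edesc != NULL;
}

/* Drive one scenario: a pipe is open, the altno change fails, then the
 * endpoint is closed. Returns close_endpoint()'s result. */
static int scenario(bool use_fixed_ordering)
{
    struct softc sc;
    struct pipe p = { 1 };
    struct endpoint_desc d0 = { 0x81, 64 }, d1 = { 0x81, 512 };
    memset(&sc, 0, sizeof sc);
    struct endpoint *sce = &sc.endpoints[1][IN];
    sce->edesc = &d0;
    sce->pipeh = &p;                   /* pipe opened on the old descriptor */
    if (use_fixed_ordering)
        (void)set_interface_good(&sc, false, &d1);
    else
        (void)set_interface_bad(&sc, false, &d1);
    return close_endpoint(sce);
}

int main(void)
{
    printf("early clear, altno fails, close: %d (-1 = would trap)\n", scenario(false));
    printf("late update, altno fails, close: %d (0 = consistent)\n", scenario(true));
    return 0;
}
```

 The model is only as faithful as the two facts taken from the message: the
 descriptor is cleared before the altno change is known to succeed, and the
 close path dereferences the descriptor whenever a pipe handle is present.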

