From owner-freebsd-current@FreeBSD.ORG Sun Jan 14 20:45:49 2007
Date: Sun, 14 Jan 2007 12:45:45 -0800
From: "Kip Macy" <kip.macy@gmail.com>
To: "Sergey Zaharchenko", current@freebsd.org
In-Reply-To: <20070114082638.GA1820@shark.localdomain>
References: <20070114082638.GA1820@shark.localdomain>
Subject: Re: 0xdeadcode in dev2udev and ohci strangeness
List-Id: Discussions about the use of FreeBSD-current

0xdeadcode indicates use after free - which I've seen at least one other
instance of in the USB stack.

-Kip

On 1/14/07, Sergey Zaharchenko wrote:
> Hello list,
>
> Today while fooling around with some USB devices (recent GENERIC kernel
> compiled with options USB_DEBUG; single-user mode; a Transcend USB
> Flash, an Acorp card reader (umass) and a Prolific COM port (uplcom),
> all plugged in/out randomly) and sysctls (hw.usb.debug=1,
> hw.usb.(ohci|uhci|ehci|umass|uplcom).debug=1), I triggered the following
> page fault (retyped from a camera shot) by a lowly `sysctl -a|grep usb':
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address   = 0xdeadc19e
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc0676f25
> stack pointer           = 0x28:0xdd345aac
> frame pointer           = 0x28:0xdd345aac
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 76 (sysctl)
> [thread pid 76 tid 100042 ]
> Stopped at      dev2udev+0x11:  movl    0xc0(%eax),%eax
> db> bt
> Tracing pid 76 tid 100042 td 0xc36bb000
> dev2udev(c3790d00,88,0,0,0,...) at dev2udev+0x11
> sysctl_kern_ttys(c09ebf80,0,0,dd345b98,c09ebf80,...) at sysctl_kern_ttys+0xab
> sysctl_root(0,dd345c18,2,dd345b98) at sysctl_root+0x12f
> userland_sysctl(c36bb000,dd345c18,2,0,bfbfdbbc,0,0,0,dd345c14,c0a3c408,0,c093c5c8,522) at userland_sysctl+0xf4
> __sysctl(c36bb000,dd345d00) at __sysctl+0x77
> syscall(dd345d38) at syscall+0x256
> Xint0x80_syscall() at Xint0x80_syscall+0x20
> --- syscall (-1077943200), eip = 0x2, esp = 0x296, ebp = 0xbfbfdbbc ---
>
> sys/fs/devfs/devfs_vnops.c:
>
> dev_t
> dev2udev(struct cdev *x)
> {
>         if (x == NULL)
>                 return (NODEV);
>         return (x->si_priv->cdp_inode);    <-- dev2udev+0x11 is here
> }
>
> Looks like si_priv for a non-NULL x is 0xdeadcode somewhere...
>
> I've also stumbled across a reproducible strange situation: after
> plugging in and out the Prolific several times and leaving it out, the
> kernel prints (with ohci.debug=1) this every second or so:
>
> ohci_rhsc: sc=0xc369f000 xfer=0xc354c800 hstatus=0x00000000
> ohci_rhsc: change=0x04
>
> Is this normal? Should I ask on freebsd-usb@?
>
> --
> DoubleF
> No virus detected in this message. Ehrm, wait a minute...
> /kernel: pid 56921 (antivirus), uid 32000: exited on signal 9
> Oh yes, no virus:)
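The arithmetic behind Kip's diagnosis, as an added worked example that is not part of the thread and not FreeBSD code: on an INVARIANTS kernel, UMA's trash_dtor() overwrites every word of a freed slab item with the 32-bit pattern 0xdeadc0de (the "0xdeadcode" of the subject line). A load through a pointer that was read from such memory therefore faults at 0xdeadc0de plus the field offset encoded in the instruction. In the trap above the instruction is `movl 0xc0(%eax),%eax` and the fault address is 0xdeadc19e; 0xdeadc19e - 0xc0 = 0xdeadc0de, so %eax (si_priv) was itself the poison. The struct layout used below (cdp_inode at offset 0xc0), the 4 KiB bound on field offsets, and the function names are assumptions for illustration, not the real cdev_priv layout.

```c
/*
 * Added example (not from the original mail or from FreeBSD): classify
 * an i386 kernel page fault against the UMA trash pattern to tell
 * "read through a freed item" apart from a NULL-pointer dereference.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Word that uma_dbg.c writes over freed items on an INVARIANTS kernel. */
#define UMA_TRASH_32    0xdeadc0deu
/* Assumed upper bound on a field offset within one struct. */
#define MAX_FIELD_OFF   4096u
/* i386 page size; a base pointer inside the first page is a NULL deref. */
#define PAGE_SIZE_I386  4096u

enum fault_kind {
	FAULT_OTHER,
	FAULT_NULL_DEREF,	/* base pointer lies inside the first page */
	FAULT_FREED_ITEM	/* base pointer is the UMA trash pattern */
};

struct fault_verdict {
	enum fault_kind kind;
	uint32_t        base;		/* pointer that was dereferenced */
	uint32_t        field_off;	/* displacement added to it */
};

/*
 * Recover the dereferenced pointer from the fault address and the
 * displacement in the faulting instruction (0xc0 in
 * "movl 0xc0(%eax),%eax"), then classify it.
 */
static struct fault_verdict
classify_fault(uint32_t fault_va, uint32_t displacement)
{
	struct fault_verdict v;

	v.base = fault_va - displacement;
	v.field_off = displacement;
	if (v.base == UMA_TRASH_32)
		v.kind = FAULT_FREED_ITEM;
	else if (v.base < PAGE_SIZE_I386)
		v.kind = FAULT_NULL_DEREF;
	else
		v.kind = FAULT_OTHER;
	return (v);
}

/*
 * Without the disassembly, the fault address alone still tells: if it
 * sits a little above the trash pattern, return the implied field
 * offset, otherwise -1.  The subtraction wraps when the address is
 * below the pattern, which the range check then rejects.
 */
static int32_t
trash_field_offset(uint32_t fault_va)
{
	uint32_t off = fault_va - UMA_TRASH_32;

	return (off < MAX_FIELD_OFF ? (int32_t)off : -1);
}

/*
 * Stand-in for struct cdev_priv.  The 0xc0 of padding is taken from the
 * displacement in the mail's disassembly, not from the real layout.
 */
struct cdev_priv_like {
	uint8_t  before[0xc0];
	uint32_t cdp_inode;
};

/*
 * Reproduce what the CPU computed in dev2udev(): struct cdev was still
 * valid (first argument c3790d00 in the backtrace), but its si_priv had
 * been read from a freed, trashed cdev_priv, so the load of cdp_inode
 * went to poison + offsetof(cdp_inode).
 */
static uint32_t
address_loaded_through_trashed_si_priv(void)
{
	uint32_t si_priv = UMA_TRASH_32;	/* what the freed memory read as */

	return (si_priv + (uint32_t)offsetof(struct cdev_priv_like, cdp_inode));
}

int
main(void)
{
	struct fault_verdict v = classify_fault(0xdeadc19e, 0xc0);

	printf("fault 0xdeadc19e: base=0x%08x field_off=0x%x kind=%d\n",
	    v.base, v.field_off, (int)v.kind);
	printf("field offset implied by the address alone: %d\n",
	    (int)trash_field_offset(0xdeadc19e));
	printf("simulated load address through trashed si_priv: 0x%08x\n",
	    address_loaded_through_trashed_si_priv());
	return (0);
}
```

The practical check when reading such a trap: subtract the instruction's displacement from the fault virtual address; a result of exactly 0xdeadc0de means the base pointer came from freed memory, a result below the page size means a NULL dereference, and anything else needs the backtrace. Note that the pattern is only present when UMA trashing is active, so on a kernel without INVARIANTS the same bug would instead read stale but plausible data and fault later, if at all.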