Date:      Mon,  6 Jul 2009 00:01:28 +0400 (MSD)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        ariff@FreeBSD.org, thompsa@FreeBSD.org
Subject:   kern/136361: [patch] fix regression (kernel panic) in uaudio.c
Message-ID:  <20090705200128.E2CE117076@amnesiac.at.no.dns>
Resent-Message-ID: <200907052040.n65Ke1PS083072@freefall.freebsd.org>


>Number:         136361
>Category:       kern
>Synopsis:       [patch] fix regression (kernel panic) in uaudio.c
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 05 20:40:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 8.0-CURRENT amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 8.0-CURRENT amd64

>Description:

r194677 introduced a regression into uaudio.c: USB transfers for
recording result in a kernel panic due to a read from a non-present
memory page.

This is perfectly reproducible with at least my Creative X-Fi USB card,
but the panic should trigger with almost any USB sound card.

The following patch lines are responsible for the bug:
-----
+			pc = usbd_xfer_get_frame(xfer, n);
+			len = usbd_xfer_get_framelen(xfer, n);
[...]
-				usbd_copy_out(xfer->frbuffers, offset1, ch->cur, m);
+				usbd_copy_out(pc, offset1, ch->cur, m);
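Review bot: on the changed `usbd_copy_out(pc, offset1, ch->cur, m)` call, `offset1` is still the offset computed relative to `xfer->frbuffers` (frame 0), while the source buffer is now `pc`, the n-th frame's own buffer from `usbd_xfer_get_frame(xfer, n)`; for every n > 0 that offset points past the end of the frame being read. Either reset the offset at the start of each frame so it is frame-relative, or keep frame 0 as the copy source (`usbd_xfer_get_frame(xfer, 0)`) together with the accumulated offset; mixing the two is what produces the read of a non-present page described above.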
-----
One can easily see that before the patch, offset1 was counted from
xfer->frbuffers on each iteration, and after the patch it is counted
from xfer->frbuffers[n] (which is what usbd_xfer_get_frame returns).
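As an added illustration (not part of this PR or of uaudio.c), the user-space model below reproduces the offset mismatch described above: `page_cache`, `copy_out_checked`, `record_buggy`, `record_fixed`, `run_model` and the 4 x 8-byte transfer are constructed stand-ins, and the copy routine is bounds-checked so that the stale offset shows up as a refused copy instead of a page fault. The corrected variant is the frame-relative form of going back to the old logic, where offset and buffer always refer to the same frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define FRAMES 4          /* constructed transfer: 4 frames of 8 bytes */
#define BYTES_PER_FRAME 8

/* Stand-in for one frame buffer, as returned by usbd_xfer_get_frame(). */
struct page_cache { uint8_t *buf; size_t len; };
static uint8_t out[FRAMES * BYTES_PER_FRAME]; /* stand-in for ch->cur area */

/* Bounds-checked stand-in for usbd_copy_out(): returns -1 instead of reading
 * past the frame, which is where the real driver hits a non-present page. */
static int copy_out_checked(const struct page_cache *pc, size_t off, uint8_t *dst, size_t n)
{
    if (off > pc->len || n > pc->len - off)
        return -1;
    memcpy(dst, pc->buf + off, n);
    return 0;
}

/* r194677 shape: the offset still accumulates across frames, as it did when all
 * data came from frame 0, but is applied to frame n's own buffer.  Returns how
 * many frames were copied before the out-of-bounds read was refused. */
static int record_buggy(struct page_cache *fr)
{
    size_t offset = 0;
    for (int n = 0; n < FRAMES; n++, offset += BYTES_PER_FRAME)
        if (copy_out_checked(&fr[n], offset, out + offset, BYTES_PER_FRAME) < 0)
            return n;
    return FRAMES;
}

/* Corrected shape: offset and buffer refer to the same frame. */
static int record_fixed(struct page_cache *fr)
{
    for (int n = 0; n < FRAMES; n++)
        if (copy_out_checked(&fr[n], 0, out + n * BYTES_PER_FRAME, BYTES_PER_FRAME) < 0)
            return n;
    return FRAMES;
}

/* Build the constructed transfer (frame n is filled with n + 1), run a callback. */
static int run_model(int (*cb)(struct page_cache *))
{
    static uint8_t raw[FRAMES][BYTES_PER_FRAME];
    struct page_cache fr[FRAMES];
    for (int n = 0; n < FRAMES; n++) {
        memset(raw[n], n + 1, BYTES_PER_FRAME);
        fr[n] = (struct page_cache){ raw[n], BYTES_PER_FRAME };
    }
    return cb(fr);
}
```

With these sizes the regressed callback copies only frame 0 before the offset for frame 1 (8 bytes into an 8-byte frame) is refused, while the corrected callback copies all four frames.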

>How-To-Repeat:

Plug in the USB sound card and try to record something, for example:
-----
dd if=/dev/dspX of=snd.dump bs=64k count=1
-----

>Fix:

The following patch reverts the logic to the old behaviour, but uses the
new xfer structure accessors.  Variables were slightly renamed to better
reflect what is being done.
--- fix-buffer-overflow-record-callback.diff begins here ---
--- fix-buffer-overflow-record-callback.diff ends here ---

I have another patch that isn't directly related to the panic, but
just cleans up the code duplication at the beginning of both play
and record callbacks.  Not an emergency, but a Good Thing (tm).
--- unduplicate-size-calculations.diff begins here ---
--- unduplicate-size-calculations.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: