Re: 0xdeadcode in dev2udev and ohci strangeness

From: Kip Macy <kip.macy_at_gmail.com>
Date: Sun, 14 Jan 2007 12:45:45 -0800
0xdeadcode indicates use after free - which I've seen at least one
other instance of in the USB stack.

  -Kip


On 1/14/07, Sergey Zaharchenko <doublef-ctm_at_yandex.ru> wrote:
> Hello list,
>
> Today while fooling around with some USB devices (recent GENERIC kernel
> compiled with options USB_DEBUG; single-user mode; a Transcend USB
> Flash, an Acorp card reader (umass) and a Prolific COM port (uplcom),
> all plugged in/out randomly) and sysctls (hw.usb.debug=1,
> hw.usb.(ohci|uhci|ehci|umass|uplcom).debug=1), I triggered the following
> page fault (retyped from a camera shot) by a lowly `sysctl -a|grep usb':
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic i = 00
> fault virtual address   = 0xdeadc19e
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc0676f25
> stack pointer           = 0x28:0xdd345aac
> frame pointer           = 0x28:0xdd345aac
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 76 (sysctl)
> [thread pid 76 tid 100042 ]
> Stopped at      dev2udev+0x11:  movl 0xc0(%eax),%eax
> db> bt
> Tracing pid 76 tid 100042 td 0xc36bb000
> dev2udev(c3790d00,88,0,0,0,...) at dev2udev+0x11
> sysctl_kern_ttys(c09ebf80,0,0,dd345b98,c09ebf80,...) at sysctl_kern_ttys+0xab
> sysctl_root(0,dd345c18,2,dd345b98) at sysctl_root+0x12f
> userland_sysctl(c36bb000,dd345c18,2,0,bfbfdbbc,0,0,0,dd345c14,c0a3c408,0,c093c5c8,522) at userland_sysctl+0xf4
> __sysctl(c36bb000,dd345d00) at __sysctl+0x77
> syscall(dd345d38) at syscall+0x256
> Xint0x80_syscall() at Xint0x80_syscall+0x20
> --- syscall (-1077943200), eip = 0x2, esp = 0x296, ebp = 0xbfbfdbbc ---
>
> sys/fs/devfs/devfs_vnops.c:
>
> dev_t
> dev2udev(struct cdev *x)
> {
>         if (x == NULL)
>                 return (NODEV);
>         return (x->si_priv->cdp_inode); <-- dev2udev+0x11 is here
> }
>
> Looks like si_priv for a non-NULL x is 0xdeadcode somewhere...
>
> I've also stumbled across a reproducible strange situation: after
> plugging in and out the Prolific several times and leaving it out, the
> kernel prints (with ohci.debug=1) this every second or so:
>
> ohci_rhsc: sc=0xc369f000 xfer=0xc354c800 hstatus=0x00000000
> ohci_rhsc: change=0x04
>
> Is this normal? Should I ask on freebsd-usb_at_?
>
> --
> DoubleF
> No virus detected in this message. Ehrm, wait a minute...
> /kernel: pid 56921 (antivirus), uid 32000: exited on signal 9
> Oh yes, no virus:)
Received on Sun Jan 14 2007 - 19:45:49 UTC
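Kip's diagnosis can be checked directly against the trap output: the fault address 0xdeadc19e is exactly 0xdeadc0de + 0xc0, where 0xc0 is the displacement in `movl 0xc0(%eax),%eax`, so %eax (the just-loaded x->si_priv) held the 32-bit pattern FreeBSD's debugging allocator writes into freed memory. The C program below is an added example, not code from the thread or from FreeBSD: it re-enacts that read on a constructed struct (`fake_cdev` is made up, not the real `struct cdev`) and does the same triage arithmetic from the two trap lines.

```c
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UMA_JUNK 0xdeadc0deU /* pattern FreeBSD's debug allocator fills freed memory with */

/* Constructed i386-style object: 32-bit fields, a pointer field named like the real one. */
struct fake_cdev { uint32_t si_flags; uint32_t si_priv; };

/* Simulated free(): overwrite the object word by word with the poison pattern.
 * The buffer is still owned here, so the demo itself has no undefined behaviour. */
static void trash_freed(void *obj, size_t len) {
    uint32_t *w = obj;
    for (size_t i = 0; i < len / sizeof *w; i++)
        w[i] = UMA_JUNK;
}

/* Re-enact the crash: a stale cdev pointer survives the free, the kernel loads
 * si_priv (now 0xdeadc0de) and dereferences it at the instruction's displacement.
 * Returns the address that second load would touch. */
static uint32_t stale_read_fault_va(uint32_t disp) {
    struct fake_cdev *x = malloc(sizeof *x);
    x->si_priv = 0x12345678;     /* constructed: any plausible pointer value */
    trash_freed(x, sizeof *x);   /* "freed" while x is still referenced elsewhere */
    uint32_t priv = x->si_priv;  /* the use-after-free: reads poison, not a pointer */
    free(x);
    return priv + disp;
}

/* Triage from trap text: parse the fault VA and the displacement of the faulting
 * movl, recover the dereferenced pointer (va - disp) and compare it with the poison.
 * Returns 1 if it is the poison (use-after-free), 0 if not, -1 if the lines don't parse. */
static int triage_trap(const char *fault_line, const char *insn_line, uint32_t *base) {
    uint32_t va;
    const char *m = strstr(insn_line, "movl 0x");
    if (sscanf(fault_line, " fault virtual address = %" SCNx32, &va) != 1 || m == NULL)
        return -1;
    uint32_t disp = (uint32_t)strtoul(m + 5, NULL, 16); /* skip "movl ", stop at '(' */
    *base = va - disp;
    return *base == UMA_JUNK;
}

int main(void) {
    uint32_t base;
    int r = triage_trap("fault virtual address   = 0xdeadc19e",
                        "Stopped at      dev2udev+0x11:  movl 0xc0(%eax),%eax", &base);
    printf("dereferenced pointer 0x%08" PRIx32 ": %s\n", base,
           r == 1 ? "freed-memory poison, use-after-free" : "not the poison pattern");
    printf("re-enacted fault virtual address = 0x%08" PRIx32 "\n", stale_read_fault_va(0xc0));
    return 0;
}
```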

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:04 UTC