This device: udav0 at uhub5 port 2 "ShanTou DM9601" rev 1.10/1.01 addr 2 udav0: address 00:60:6e:00:6e:20 amphy0 at udav0 phy 0: DM9601 10/100 PHY, rev. 0
causes a kernel crash with the following messages: memcpy() at memcpy+0x16 usb_transfer_complete() at usb_transfer_complete+0x256 uhci_softintr() at uchi_softintr+0x40 softintr_dispatch() at softintr_dispatch+0x5d end trace frame:0x0,count:-5 Using printf() with total_len shows that at certain times, it is 54768, where it should be less than the maximum frame size. Experimentally, the maximum value of total_len is 1514, but in if_udavreg.h, it is 1536. Index: src/sys/dev/usb/if_udav.c =================================================================== RCS file: /cvs/src/sys/dev/usb/if_udav.c,v retrieving revision 1.51 diff -u -p -r1.51 if_udav.c --- src/sys/dev/usb/if_udav.c 25 Jan 2011 20:03:35 -0000 1.51 +++ src/sys/dev/usb/if_udav.c 14 Mar 2011 12:17:40 -0000 @@ -1139,6 +1139,7 @@ udav_rxeof(usbd_xfer_handle xfer, usbd_p } if (total_len < sizeof(struct ether_header) || + total_len > UDAV_MAX_MTU || h->pktstat & UDAV_RSR_ERR) { ifp->if_ierrors++; goto done;