Re: upd(4) page fault since 7.0

Sun, 24 Oct 2021 12:46:16 -0700 

On Sun, Oct 24, 2021 at 03:03:01PM +0200, Damien Couderc wrote:
> Hi,
> I got a page fault with upd(4) since 7.0.
> 
> The problem began with the last revision of upd.c (1.30):
> 
> ===================================================================
> RCS file: /cvs/src/sys/dev/usb/upd.c,v
> retrieving revision 1.29
> retrieving revision 1.30
> diff -u -r1.29 -r1.30
> --- src/sys/dev/usb/upd.c     2021/03/08 14:35:57     1.29
> +++ src/sys/dev/usb/upd.c     2021/08/06 17:46:45     1.30
> @@ -1,4 +1,4 @@
> -/*   $OpenBSD: upd.c,v 1.29 2021/03/08 14:35:57 jcs Exp $ */
> +/*   $OpenBSD: upd.c,v 1.30 2021/08/06 17:46:45 abieber Exp $ */
> 
>  /*
>   * Copyright (c) 2015 David Higgs <[email protected]>
> @@ -167,7 +167,7 @@
>               if (upd_lookup_usage_entry(desc, size,
>                   upd_usage_roots + i, &item)) {
>                       ret = UMATCH_VENDOR_PRODUCT;
> -                     break;
> +                     uha->claimed[item.report_ID] = 1;
>               }
> 
>       return (ret);
> 
> ===================================================================
> 
> The uha.claimed array is allocated using uha.nreports as its size while
> upd_match() is looping through the number of items of upd_usage_roots.
> 
> In my case uha.nreports is equal to zero so uha.claimed is null, hence
> setting uha->claimed[n] is failing.
> 
> As I'm not familiar with the HID code I did not yet understood the
> relation between upd_usage_roots and the claimed array but as we're
> talking about UPS attached computers I though the issue would sensible
> enough to make a quick reporting.
> 
> You'll find a dmesg with options UPD_DEBUG and UHIDEV_DEBUG set and the
> following patch applied to circumvent the page fault and provide some debug:

Could you try the following diff, looks like an unsigned wrap around.

Index: dev/usb/uhidev.h
===================================================================
RCS file: /cvs/src/sys/dev/usb/uhidev.h,v
retrieving revision 1.32
diff -u -p -r1.32 uhidev.h
--- dev/usb/uhidev.h    12 Sep 2021 06:58:08 -0000      1.32
+++ dev/usb/uhidev.h    24 Oct 2021 19:44:52 -0000
@@ -82,7 +82,7 @@ struct uhidev_attach_arg {
        struct uhidev_softc     *parent;
        uint8_t                  reportid;
 #define        UHIDEV_CLAIM_MULTIPLE_REPORTID  255
-       uint8_t                  nreports;
+       u_int                    nreports;
        uint8_t                 *claimed;
 };

Reply via email to