On Sun, Oct 24, 2021 at 03:03:01PM +0200, Damien Couderc wrote: > Hi, > I got a page fault with upd(4) since 7.0. > > The problem began with the last revision of upd.c (1.30): > > =================================================================== > RCS file: /cvs/src/sys/dev/usb/upd.c,v > retrieving revision 1.29 > retrieving revision 1.30 > diff -u -r1.29 -r1.30 > --- src/sys/dev/usb/upd.c 2021/03/08 14:35:57 1.29 > +++ src/sys/dev/usb/upd.c 2021/08/06 17:46:45 1.30 > @@ -1,4 +1,4 @@ > -/* $OpenBSD: upd.c,v 1.29 2021/03/08 14:35:57 jcs Exp $ */ > +/* $OpenBSD: upd.c,v 1.30 2021/08/06 17:46:45 abieber Exp $ */ > > /* > * Copyright (c) 2015 David Higgs <hig...@gmail.com> > @@ -167,7 +167,7 @@ > if (upd_lookup_usage_entry(desc, size, > upd_usage_roots + i, &item)) { > ret = UMATCH_VENDOR_PRODUCT; > - break; > + uha->claimed[item.report_ID] = 1; > } > > return (ret); > > =================================================================== > > The uha.claimed array is allocated using uha.nreports as its size while > upd_match() is looping through the number of items of upd_usage_roots. > > In my case uha.nreports is equal to zero so uha.claimed is null, hence > setting uha->claimed[n] is failing. > > As I'm not familiar with the HID code I did not yet understand the > relation between upd_usage_roots and the claimed array but as we're > talking about UPS attached computers I thought the issue would be sensible > enough to make a quick reporting. > > You'll find a dmesg with options UPD_DEBUG and UHIDEV_DEBUG set and the > following patch applied to circumvent the page fault and provide some debug:
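Review bot: the new store `uha->claimed[item.report_ID] = 1;` in the upd_match() hunk indexes `claimed` without checking that the array was allocated or that `item.report_ID` is below `uha->nreports`, the size the report says the array is allocated with. With `nreports` at zero, `claimed` is NULL and the write faults, as described above. Suggest guarding the store (only claim when `uha->claimed != NULL && item.report_ID < uha->nreports`) and deciding what upd_match() should return when the guard fails. With `break` removed the loop now visits every entry of upd_usage_roots, so a short comment stating that intent would also help.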
Could you try the following diff, looks like an unsigned wrap around. Index: dev/usb/uhidev.h =================================================================== RCS file: /cvs/src/sys/dev/usb/uhidev.h,v retrieving revision 1.32 diff -u -p -r1.32 uhidev.h --- dev/usb/uhidev.h 12 Sep 2021 06:58:08 -0000 1.32 +++ dev/usb/uhidev.h 24 Oct 2021 19:44:52 -0000 @@ -82,7 +82,7 @@ struct uhidev_attach_arg { struct uhidev_softc *parent; uint8_t reportid; #define UHIDEV_CLAIM_MULTIPLE_REPORTID 255 - uint8_t nreports; + u_int nreports; uint8_t *claimed; };
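Review bot: widening `nreports` to `u_int` in struct uhidev_attach_arg changes the declaration only; the hunk does not show the sites that assign or compare the field, so a count that still passes through a `uint8_t` local would keep wrapping. Worth checking those sites in the same diff, and adding a comment on the field saying why it is wider than `reportid` (if the count of one-byte report IDs can reach 256, it does not fit in a uint8_t). The store in upd_match() would still benefit from a bounds check on `item.report_ID` before it writes to `claimed`.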
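The wrap-around discussed in this thread, as an added user-space example that is not code from the thread or from OpenBSD. The struct and function names are hypothetical, and it assumes the count is the highest report ID plus one; it shows the narrow and wide fields side by side with a guarded store.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: these struct and function names are hypothetical. */
struct arg_narrow { uint8_t nreports; uint8_t *claimed; };      /* before */
struct arg_wide   { unsigned int nreports; uint8_t *claimed; }; /* after */

/* Assumption: one slot per report ID from 0 up to the highest ID seen. */
static unsigned int slots_needed(uint8_t max_report_id)
{
	return (unsigned int)max_report_id + 1;   /* range 1..256 */
}

unsigned int setup_narrow(struct arg_narrow *a, uint8_t max_id)
{
	a->nreports = (uint8_t)slots_needed(max_id);  /* 256 truncates to 0 */
	a->claimed = a->nreports ? calloc(a->nreports, 1) : NULL;
	return a->nreports;
}

unsigned int setup_wide(struct arg_wide *a, uint8_t max_id)
{
	a->nreports = slots_needed(max_id);           /* 256 is kept */
	a->claimed = calloc(a->nreports, 1);
	return a->nreports;
}

/* Guarded store: returns -1 instead of writing through NULL or past the end. */
int claim_report(uint8_t *claimed, unsigned int nreports, uint8_t report_id)
{
	if (claimed == NULL || report_id >= nreports)
		return -1;
	claimed[report_id] = 1;
	return 0;
}

int main(void)
{
	struct arg_narrow n;
	struct arg_wide w;

	printf("narrow: nreports=%u\n", setup_narrow(&n, 255));
	printf("narrow claim id 7: %d\n", claim_report(n.claimed, n.nreports, 7));
	printf("wide: nreports=%u\n", setup_wide(&w, 255));
	printf("wide claim id 7: %d\n", claim_report(w.claimed, w.nreports, 7));
	free(n.claimed);
	free(w.claimed);
	return 0;
}
```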