On Tue, Oct 26, 2021 at 09:50:41AM +0200, Damien Couderc wrote:
> On 24/10/2021 at 21:45, Anton Lindqvist wrote:
> > On Sun, Oct 24, 2021 at 03:03:01PM +0200, Damien Couderc wrote:
> > > Hi,
> > > I got a page fault with upd(4) since 7.0.
> > > 
> > > The problem began with the last revision of upd.c (1.30):
> > > 
> > > ===================================================================
> > > RCS file: /cvs/src/sys/dev/usb/upd.c,v
> > > retrieving revision 1.29
> > > retrieving revision 1.30
> > > diff -u -r1.29 -r1.30
> > > --- src/sys/dev/usb/upd.c 2021/03/08 14:35:57     1.29
> > > +++ src/sys/dev/usb/upd.c 2021/08/06 17:46:45     1.30
> > > @@ -1,4 +1,4 @@
> > > -/*       $OpenBSD: upd.c,v 1.29 2021/03/08 14:35:57 jcs Exp $ */
> > > +/*       $OpenBSD: upd.c,v 1.30 2021/08/06 17:46:45 abieber Exp $ */
> > > 
> > >   /*
> > >    * Copyright (c) 2015 David Higgs <hig...@gmail.com>
> > > @@ -167,7 +167,7 @@
> > >                   if (upd_lookup_usage_entry(desc, size,
> > >                       upd_usage_roots + i, &item)) {
> > >                           ret = UMATCH_VENDOR_PRODUCT;
> > > -                 break;
> > > +                 uha->claimed[item.report_ID] = 1;
> > >                   }
> > > 
> > >           return (ret);
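Review bot: the added store `uha->claimed[item.report_ID] = 1;` indexes `claimed` with no visible check that the array exists or that `item.report_ID` is within its size. The report says `claimed` is sized by `uha.nreports` and was NULL when that count was zero, so the store should be guarded, for example skipped when `uha->claimed` is NULL or `item.report_ID >= uha->nreports`. With `break;` gone the loop also no longer stops at the first match; a short comment saying why would help.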
> > > 
> > > ===================================================================
> > > 
> > > The uha.claimed array is allocated using uha.nreports as its size while
> > > upd_match() is looping through the number of items of upd_usage_roots.
> > > 
> > > In my case uha.nreports is equal to zero so uha.claimed is null, hence
> > > setting uha->claimed[n] is failing.
> > > 
> > > As I'm not familiar with the HID code I did not yet understand the
> > > relation between upd_usage_roots and the claimed array but as we're
> > > talking about UPS attached computers I thought the issue would be sensible
> > > enough to make a quick report.
> > > 
> > > You'll find a dmesg with options UPD_DEBUG and UHIDEV_DEBUG set and the
> > > following patch applied to circumvent the page fault and provide some 
> > > debug:
> > Could you try the following diff, looks like an unsigned wrap around.
> > 
> > Index: dev/usb/uhidev.h
> > ===================================================================
> > RCS file: /cvs/src/sys/dev/usb/uhidev.h,v
> > retrieving revision 1.32
> > diff -u -p -r1.32 uhidev.h
> > --- dev/usb/uhidev.h        12 Sep 2021 06:58:08 -0000      1.32
> > +++ dev/usb/uhidev.h        24 Oct 2021 19:44:52 -0000
> > @@ -82,7 +82,7 @@ struct uhidev_attach_arg {
> >     struct uhidev_softc     *parent;
> >     uint8_t                  reportid;
> >   #define   UHIDEV_CLAIM_MULTIPLE_REPORTID  255
> > -   uint8_t                  nreports;
> > +   u_int                    nreports;
> >     uint8_t                 *claimed;
> >   };
> > 
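Review bot: `nreports` becomes `u_int` here with no comment on why it is wider than the `uint8_t` `reportid` next to it. A one-line note that the count can exceed 255 (the follow-up reports a value of 256) would keep it from being narrowed again. The type change alone does not bound any index into `claimed`, so each site that writes `claimed[...]` still needs its own range check against `nreports`.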
> Hello Anton,
> 
> I made a quick test and nreports is now set with 256 but I still get the
> page fault.
> 
> I'll check the details ASAP.

Do you have a backtrace?
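
A userland C model of the condition discussed in this thread, added here as an example and not taken from the OpenBSD source or from either poster: it shows a report count of 256 wrapping to 0 in a `uint8_t`, the resulting NULL `claimed` array, and a guarded store. `attach_arg_model`, `narrow_count`, `model_init` and `claim_report` are hypothetical names, and the rule that a zero count leaves `claimed` NULL is assumed from the report above.

```c
#include <stdint.h>
#include <stdlib.h>

/* Userland model of the two fields discussed in the thread; not kernel code. */
struct attach_arg_model {
	unsigned int	 nreports;	/* number of report IDs, may be 256 */
	uint8_t		*claimed;	/* one byte per report ID */
};

/* What a uint8_t field keeps of a report count (256 becomes 0). */
static uint8_t
narrow_count(unsigned int count)
{
	return (uint8_t)count;
}

/* Allocate claimed[] from the count; a zero count leaves it NULL (assumed). */
static int
model_init(struct attach_arg_model *a, unsigned int nreports)
{
	a->nreports = nreports;
	a->claimed = NULL;
	if (nreports == 0)
		return 0;
	a->claimed = calloc(nreports, sizeof(*a->claimed));
	return a->claimed != NULL ? 0 : -1;
}

/* Guarded store: refuse when the array is missing or the ID is out of range. */
static int
claim_report(struct attach_arg_model *a, unsigned int report_id)
{
	if (a->claimed == NULL || report_id >= a->nreports)
		return -1;
	a->claimed[report_id] = 1;
	return 0;
}

int
main(void)
{
	struct attach_arg_model a;
	/* Constructed input: a device that uses report IDs 0..255. */
	if (model_init(&a, narrow_count(256)) != 0) return 1;
	int narrow = claim_report(&a, 3);	/* rejected: count wrapped to 0 */
	if (model_init(&a, 256) != 0) return 1;
	int wide = claim_report(&a, 3);		/* accepted: array has 256 slots */
	free(a.claimed);
	return (narrow == -1 && wide == 0) ? 0 : 1;
}
```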
