Hi all,
    I am trying to debug why grub crashed (under usbrom) after loading certain blocks into memory.
My new finding is that while usbrom is trying to load block lba=0x0019a9e0, it crashed. The flow is
usb_new_read(0,0x0019a9e0,0x20,0xfffa2000); 0x20 is the count which should be read, and 0xfffa2000 is the
virtual address of 0x70000.
usb_new_read calls readwrite_blocks, then execute_command. After wrap_cbw is executed in execute_command,
it should call dev->controller->bulk, but this address is a wrong address. My debug information is below:
 

BIOS Debugger
Node : 0, Core : 0
rAX= 8020425D rBX= 00000000 rCX= 00108F15 rDX= 50588214 
rSI= 00108FE8 rDI= FFF97D20 rBP= 00108F38 rSP= 00108EF0 
rIP= 00006F22       
CS Sel= 0008 DS Sel= 0010 ES Sel= 0010 FS Sel= 0000 GS Sel= 0000 SS Sel= 0010 
CF PF AF ZF SF TF IF DF OF IOPL NT RF VM AC VIF VIP ID 
0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0008:00006EC3   C7 45 FC 01 00 00 00    mov   [ebp-04h],00000001h  
0008:00006ECA   8B 45 14      mov   eax,[ebp+14h]  
0008:00006ECD   89 44 24 10      mov   [esp+10h],eax  
0008:00006ED1   8B 45 10      mov   eax,[ebp+10h]  
0008:00006ED4   89 44 24 0C      mov   [esp+0ch],eax  
0008:00006ED8   8B 45 0C      mov   eax,[ebp+0ch]  
0008:00006EDB   89 44 24 08      mov   [esp+08h],eax  
0008:00006EDF   8B 45 1C      mov   eax,[ebp+1ch]  
0008:00006EE2   89 44 24 04      mov   [esp+04h],eax  
0008:00006EE6   8D 45 DD      lea   eax,[ebp-23h]  
0008:00006EE9   89 04 24      mov   [esp],eax  
0008:00006EEC   E8 CF FE FF FF    call   loc_00006dc0h   /*this is wrap_cbw*/
0008:00006EF1   8B 45 08      mov   eax,[ebp+08h]  
0008:00006EF4   8B 00      mov   eax,[eax]  
0008:00006EF6   8B 90 20 02 00 00     mov   edx,[eax+00000220h]  
0008:00006EFC   8D 4D DD      lea   ecx,[ebp-23h]  
0008:00006EFF   8B 45 08      mov   eax,[ebp+08h]  
0008:00006F02   8B 80 18 03 00 00     mov   eax,[eax+00000318h]  
0008:00006F08   8B 40 0C      mov   eax,[eax+0ch]  
0008:00006F0B   C7 44 24 0C 00 00 00 00    mov   [esp+0ch],00000000h  
0008:00006F13   89 4C 24 08      mov   [esp+08h],ecx  
0008:00006F17   C7 44 24 04 1F 00 00 00    mov   [esp+04h],0000001fh  
0008:00006F1F   89 04 24      mov   [esp],eax  
0008:00006F22   FF D2      call   edx   /*here it will jump into 50588214*/
0008:00006F24   85 C0      test   eax,eax  
0008:00006F26   74 20      jz   loc_00006f48h  
0008:00006F28   8B 45 08      mov   eax,[ebp+08h]  
0008:00006F2B   8B 80 18 03 00 00     mov   eax,[eax+00000318h]  
0008:00006F31   8B 40 0C      mov   eax,[eax+0ch]  
0008:00006F34   89 04 24      mov   [esp],eax  
0008:00006F37   E8 8C CF FF FF     call   loc_00003ec8h  
0008:00006F3C   C7 45 CC 01 00 00 00    mov   [ebp-34h],00000001h  
0008:00006F43   E9 1C 01 00 00     jmp   loc_00007064h  
0008:00006F48   C7 04 24 0A 00 00 00    mov   [esp],0000000ah  
0008:00006F4F   E8 5F 9C FF FF     call   loc_00000bb3h  
0008:00006F54   81 7D 0C 80 00 00 00    cmp   [ebp+0ch],00000080h  
0008:00006F5B   75 56      jnz   loc_00006fb3h  
0008:00006F5D   8B 45 08      mov   eax,[ebp+08h]  
0008:00006F60   8B 00      mov   eax,[eax]  
0008:00006F62   8B 88 20 02 00 00     mov   ecx,[eax+00000220h]  
0008:00006F68   8B 45 08      mov   eax,[ebp+08h]  
0008:00006F6B   8B 80 18 03 00 00     mov   eax,[eax+00000318h]  
0008:00006F71   8B 50 08      mov   edx,[eax+08h]  
0008:00006F74   C7 44 24 0C 00 00 00 00    mov   [esp+0ch],00000000h  
0008:00006F7C   8B 45 18      mov   eax,[ebp+18h]  
0008:00006F7F   89 44 24 08      mov   [esp+08h],eax  
0008:00006F83   8B 45 1C      mov   eax,[ebp+1ch]  
0008:00006F86   89 44 24 04    mov   [esp+04h],eax  
0008:00006F8A   89 14 24    mov   [esp],edx  
0008:00006F8D   FF D1    call   ecx  
 
 
Kevin also reminded me that usbrom has a 1M heap which will overwrite SeaBIOS at 0xf0000. That may also be a problem.
Any suggestion is welcome.
 
--
Jason Wang
Peking University
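The two failure modes raised in the post (a heap placed over the resident BIOS image, and an indirect call through a clobbered dev->controller->bulk pointer) can both be caught with cheap sanity checks at the call site. The following is an added illustration, not code from usbrom, grub or the poster; the address ranges, the bulk() signature and the function names are assumptions chosen to match the dump above, not values from the real build.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Assumed ranges (constructed for this example, not from the real usbrom build).
 * The disassembly above runs at 0008:00006xxx, so we treat the first 64K as code;
 * 0xf0000-0xfffff is the SeaBIOS region the post says the 1M heap may overwrite. */
#define ROM_TEXT_START 0x00000000u
#define ROM_TEXT_END   0x00010000u
#define SEABIOS_START  0x000f0000u
#define SEABIOS_END    0x00100000u

/* True when [base, base+len) intersects [lo, hi); safe against 32-bit wrap. */
static bool range_overlaps(uint32_t base, uint32_t len, uint32_t lo, uint32_t hi)
{
    if (len == 0)
        return false;
    uint32_t end = base + len;
    if (end < base)               /* wrapped past 4G: clamp to the top */
        end = UINT32_MAX;
    return base < hi && lo < end;
}

/* Heap placement check: refuse a heap that would clobber the resident BIOS. */
bool heap_is_safe(uint32_t heap_base, uint32_t heap_size)
{
    return !range_overlaps(heap_base, heap_size, SEABIOS_START, SEABIOS_END);
}

/* Assumed shape of the controller's bulk transfer hook: four arguments, which
 * matches the four stack slots filled before "call edx" in the dump. */
typedef int (*bulk_fn)(void *ep, int size, void *buf, int finalize);

/* A code pointer outside the ROM text (e.g. 0x50588214 in the dump) is garbage. */
bool bulk_ptr_is_plausible(bulk_fn fn)
{
    uintptr_t p = (uintptr_t)fn;
    return p >= ROM_TEXT_START && p < ROM_TEXT_END;
}

/* Guarded dispatch: fail with -1 instead of jumping into a corrupted pointer. */
int safe_bulk(bulk_fn fn, void *ep, int size, void *buf, int finalize)
{
    if (!bulk_ptr_is_plausible(fn))
        return -1;
    return fn(ep, size, buf, finalize);
}
```

With the post's numbers, a 1M heap starting at the 0x70000 buffer address fails heap_is_safe(), and the 0x50588214 target fails the pointer check before the indirect call.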