pc/pc64: fix ps2mouse memory corruption race

there was a memory corruption bug caused by us enabling the
ps2mouseputc() handler *before* initializing packetsize.

once we enabled the handler, mouse interrupts could come
in and advance the packet buffer index (nb) beyond the
buffer boundaries.

as ps2mouseputc() only checked for ++nb == packetsize, once
nb was advanced beyond the packetsize, it would continue writing
beyond the buffer and corrupt memory with each mouse packet byte.

solution is to initialize packetsize *before* enabling the
handler, and also do a >= check in ps2mouseputc() in case the
packetsize gets changed to a smaller value at runtime.

sys/src/9/pc/devkbd.c

@@ -187,7 +187,7 @@ i8042auxcmd(int cmd)
 	iunlock(&i8042lock);
 
 	if(c != 0xFA){
-		print("i8042: %2.2ux returned to the %2.2ux command\n", c, cmd);
+		print("i8042: %2.2ux returned to the %2.2ux command (pc=%#p)\n", c, cmd, getcallerpc(&cmd));
 		return -1;
 	}
 	return 0;
@@ -303,6 +303,7 @@ i8042auxenable(void (*putc)(int, int))
 		print(err);
 	outb(Cmd, 0xA8);			/* auxiliary device enable */
 	if(outready() < 0){
+		print(err);
 		iunlock(&i8042lock);
 		return;
 	}

sys/src/9/pc/mouse.c

@@ -113,7 +113,7 @@ ps2mouseputc(int c, int shift)
 	}
 
 	msg[nb] = c;
-	if(++nb == packetsize){
+	if(++nb >= packetsize){
 		nb = 0;
 		if(msg[0] & 0x10)
 			msg[1] |= 0xFF00;
@@ -152,7 +152,6 @@ ps2mouseputc(int c, int shift)
 		dy = -msg[2];
 		mousetrack(dx, dy, buttons, TK2MS(MACHP(0)->ticks));
 	}
-	return;
 }
 
 /*
@@ -164,12 +163,12 @@ ps2mouse(void)
 	if(mousetype == MousePS2)
 		return;
 
-	i8042auxenable(ps2mouseputc);
-	i8042auxcmd(0xEA);	/* set stream mode */
-
 	mousetype = MousePS2;
 	packetsize = 3;
 	mousehwaccel = 0;
+
+	i8042auxenable(ps2mouseputc);
+	i8042auxcmd(0xEA);	/* set stream mode */
 }
 
 /*