NetBSD Problem Report #41595
From www@NetBSD.org Sun Jun 14 10:56:32 2009
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id C54B363C2DD
	for <gnats-bugs@gnats.netbsd.org>; Sun, 14 Jun 2009 10:56:31 +0000 (UTC)
Message-Id: <20090614105631.3B8F463B8B4@www.NetBSD.org>
Date: Sun, 14 Jun 2009 10:56:31 +0000 (UTC)
From: linzhenhua01172@gmail.com
Reply-To: linzhenhua01172@gmail.com
To: gnats-bugs@NetBSD.org
Subject: usb xfer re-entry. When the xfer's interrupt & the xfer's abort task occur at the same time, this will cause the USB stack crash.
X-Send-Pr-Version: www-1.0
>Number: 41595
>Category: kern
>Synopsis: usb xfer re-entry. When the xfer's interrupt & the xfer's abort task occur at the same time, this will cause the USB stack crash.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: martin
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jun 14 11:00:01 +0000 2009
>Closed-Date: Tue Sep 18 02:37:15 +0000 2018
>Last-Modified: Tue Sep 18 02:37:15 +0000 2018
>Originator: zhenhua,lin
>Release: no
>Organization:
no
>Environment:
no.
This problem was found during the code review phase.
>Description:
Sorry for my poor English.
The following situation will cause USB xfer re-entry and cause the USB stack to crash:
1) An xfer timeout causes *hci_timeout to be called;
2) *hci_timeout adds the ohci_timeout_task() to the task, in order to execute this abort transaction in a process context;
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
	/* Execute the abort in a process context. */
	usb_init_task(&oxfer->abort_task, ohci_timeout_task, addr);
	usb_add_task(oxfer->xfer.pipe->device, &oxfer->abort_task,
	    USB_TASKQ_HC);
<<<<<<<<<<<<<<<<<<<<<<<<<<<<
3) If this xfer comes back at this time,
of course, the system will respond to the interrupt first.
This will cause this xfer to be done and removed from the xfer;
4) The timeout abort transaction will be called after the interrupt, and will call usb_transfer_complete().
This will cause the xfer re-entry.
>How-To-Repeat:
See above. Thanks.
>Fix:
void
*hci_timeout_task(void *addr)
{
	usbd_xfer_handle xfer = addr;
	int s;

	DPRINTF(("*hci_timeout_task: xfer=%p\n", xfer));
	s = splusb();
	*hci_abort_xfer(xfer, USBD_TIMEOUT);
	splx(s);
}
to ==========>
void
*hci_timeout_task(void *addr)
{
	usbd_xfer_handle xfer = addr;
	int s;

	DPRINTF(("*hci_timeout_task: xfer=%p\n", xfer));
	if (xfer->done != 1)
	{
		s = splusb();
		*hci_abort_xfer(xfer, USBD_TIMEOUT);
		splx(s);
	}
}
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: xsrc-manager->martin
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Sun, 14 Jun 2009 12:57:33 +0000
Responsible-Changed-Why:
I'll handle it
State-Changed-From-To: open->analyzed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Sun, 14 Jun 2009 12:57:33 +0000
State-Changed-Why:
We know what to do..
State-Changed-From-To: analyzed->closed
State-Changed-By: mrg@NetBSD.org
State-Changed-When: Tue, 18 Sep 2018 02:37:15 +0000
State-Changed-Why:
this is almost certainly fixed by the usb abort fixes present on all
supported branches, and was reported against a very old release.
apparently, we knew this problem back in 2009...
>Unformatted:
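The interleaving described in this report, replayed as a small user-space C model. This is an added example, not code from the report or from NetBSD; `struct model_xfer`, `model_complete`, `model_intr`, `model_timeout_task` and `replay` are hypothetical names, and the single-threaded replay stands in for the real interrupt and task contexts. It shows the double completion when the queued abort task runs after the interrupt, and that re-checking the done state keeps completion to one call per transfer while a genuine timeout is still aborted.

```c
/* Constructed user-space model of the PR's interleaving; not NetBSD code. */
#include <stdbool.h>
#include <stdio.h>
enum { ST_NORMAL = 0, ST_TIMEOUT = 1 };
struct model_xfer {            /* hypothetical stand-in for a USB xfer */
    bool done;                 /* transfer already completed */
    int  completions;          /* times the completion path ran */
    int  status;               /* status seen by the last completion */
};

/* Stand-in for the completion routine: must run once per transfer. */
static void model_complete(struct model_xfer *x, int status)
{
    x->done = true;
    x->status = status;
    x->completions++;
}

/* Step 3: the interrupt path finishes the transfer normally. */
static void model_intr(struct model_xfer *x)
{
    if (!x->done)
        model_complete(x, ST_NORMAL);
}

/* Step 4: the queued abort task; with guard set it re-checks done first. */
static void model_timeout_task(struct model_xfer *x, bool guard)
{
    if (guard && x->done)
        return;                /* interrupt won the race: nothing to abort */
    model_complete(x, ST_TIMEOUT);
}

/* Replay: task already queued, interrupt may arrive first, then task runs. */
struct model_xfer replay(bool intr_first, bool guard)
{
    struct model_xfer x = { false, 0, ST_NORMAL };
    if (intr_first)
        model_intr(&x);
    model_timeout_task(&x, guard);
    return x;
}

int main(void)
{
    printf("unguarded=%d guarded=%d\n",
        replay(true, false).completions, replay(true, true).completions);
    return 0;
}
```

In a driver, the done check and the abort need to sit in the same critical section, otherwise the interrupt can still land between the check and the abort.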