NetBSD Problem Report #41595

From www@NetBSD.org  Sun Jun 14 10:56:32 2009
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id C54B363C2DD
	for <gnats-bugs@gnats.netbsd.org>; Sun, 14 Jun 2009 10:56:31 +0000 (UTC)
Message-Id: <20090614105631.3B8F463B8B4@www.NetBSD.org>
Date: Sun, 14 Jun 2009 10:56:31 +0000 (UTC)
From: linzhenhua01172@gmail.com
Reply-To: linzhenhua01172@gmail.com
To: gnats-bugs@NetBSD.org
Subject: usb xfer re-entry. When the xfer's interrupt & the xfer's abort task occur at the same time, this will cause the USB stack crash.
X-Send-Pr-Version: www-1.0

>Number:         41595
>Category:       kern
>Synopsis:       usb xfer re-entry. When the xfer's interrupt & the xfer's abort task occur at the same time, this will cause the USB stack crash.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    martin
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jun 14 11:00:01 +0000 2009
>Closed-Date:    Tue Sep 18 02:37:15 +0000 2018
>Last-Modified:  Tue Sep 18 02:37:15 +0000 2018
>Originator:     zhenhua,lin
>Release:        no
>Organization:
no
>Environment:
no.
This problem was found at the code review phase.
>Description:
Sorry for my poor English.

The following situation will cause USB xfer re-entry and cause the USB stack to crash:
1) The xfer times out, which causes *hci_timeout to be called;
2) *hci_timeout adds ohci_timeout_task() to the task, in order to execute this abort transaction in a process context;

>>>>>>>>>>>>>>>>>>>>>>>>>>>>
   	/* Execute the abort in a process context. */
	usb_init_task(&oxfer->abort_task, ohci_timeout_task, addr);
	usb_add_task(oxfer->xfer.pipe->device, &oxfer->abort_task,
	    USB_TASKQ_HC);
<<<<<<<<<<<<<<<<<<<<<<<<<<<<

3) If this xfer comes back at this time, the system will of course respond to the interrupt first;
   this will cause this xfer to be done and removed from the xfer;
4) The timeout abort transaction will be called after the interrupt, and will call usb_transfer_complete().

This will cause the xfer re-entry.
>How-To-Repeat:
see above, Thanks.
>Fix:
void
*hci_timeout_task(void *addr)
{
	usbd_xfer_handle xfer = addr;
	int s;

	DPRINTF(("*hci_timeout_task: xfer=%p\n", xfer));

	s = splusb();
	*hci_abort_xfer(xfer, USBD_TIMEOUT);
	splx(s);
}


to ==========>


void
*hci_timeout_task(void *addr)
{
	usbd_xfer_handle xfer = addr;
	int s;

	DPRINTF(("*hci_timeout_task: xfer=%p\n", xfer));

	if (xfer->done != 1)
	{
		s = splusb();
		*hci_abort_xfer(xfer, USBD_TIMEOUT);
		splx(s);
	}
}
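
Steps 1) to 4) of the description above, replayed as a single-threaded user-space model. This is an added example, not code from the report or from NetBSD; struct xfer, complete(), run_race() and the other names are hypothetical stand-ins. It shows the double completion when the abort task has no done check, and that the check still lets a genuine timeout abort the transfer.

```c
#include <stdio.h>
enum status { ST_IN_PROGRESS, ST_NORMAL, ST_TIMEOUT };
struct xfer {
	int done;		/* set once the xfer has been completed */
	int completions;	/* times the completion routine ran */
	int abort_queued;	/* abort task waiting in the task queue */
	enum status status;	/* status handed to the completion callback */
};

/* Stands in for usb_transfer_complete(); must run once per xfer. */
static void complete(struct xfer *x, enum status st)
{
	x->done = 1;
	x->status = st;
	x->completions++;
}

/* Steps 1-2: the timeout handler only queues the abort task. */
static void timeout_fires(struct xfer *x) { x->abort_queued = 1; }
/* Step 3: the transfer's completion interrupt is serviced first. */
static void completion_interrupt(struct xfer *x) { complete(x, ST_NORMAL); }

/* Step 4: the queued abort task runs later, in process context. */
static void abort_task(struct xfer *x, int guarded)
{
	x->abort_queued = 0;
	/* In a kernel, this test and the abort belong in one locked section. */
	if (guarded && x->done)
		return;		/* interrupt won the race: nothing to abort */
	complete(x, ST_TIMEOUT);
}

/* Replays the sequence and returns the finished xfer for inspection. */
static struct xfer run_race(int guarded, int irq_arrives)
{
	struct xfer x = { 0, 0, 0, ST_IN_PROGRESS };
	timeout_fires(&x);
	if (irq_arrives)
		completion_interrupt(&x);
	if (x.abort_queued)
		abort_task(&x, guarded);
	return x;
}

int main(void)
{
	printf("unguarded: %d completions, guarded: %d\n",
	    run_race(0, 1).completions, run_race(1, 1).completions);
	return 0;
}
```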

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: xsrc-manager->martin
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Sun, 14 Jun 2009 12:57:33 +0000
Responsible-Changed-Why:
I'll handle it


State-Changed-From-To: open->analyzed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Sun, 14 Jun 2009 12:57:33 +0000
State-Changed-Why:
We know what to do..


State-Changed-From-To: analyzed->closed
State-Changed-By: mrg@NetBSD.org
State-Changed-When: Tue, 18 Sep 2018 02:37:15 +0000
State-Changed-Why:
this is almost certainly fixed by the usb abort fixes present on all
supported branches, and was reported against a very old release.

apparently, we knew this problem back in 2009...


>Unformatted:
