NetBSD Problem Report #41596

From www@NetBSD.org  Sun Jun 14 12:33:25 2009
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 7F8D563C2DD
	for <gnats-bugs@gnats.netbsd.org>; Sun, 14 Jun 2009 12:33:25 +0000 (UTC)
Message-Id: <20090614123324.E2F3C63B8B4@www.NetBSD.org>
Date: Sun, 14 Jun 2009 12:33:24 +0000 (UTC)
From: linzhenhua01172@gmail.com
Reply-To: linzhenhua01172@gmail.com
To: gnats-bugs@NetBSD.org
Subject: usb xfer re-entry. When the xfer's interrupt & the xfer's abort task occur at the same time, this will cause the USB stack to crash.
X-Send-Pr-Version: www-1.0

>Number:         41596
>Category:       kern
>Synopsis:       usb xfer re-entry. When the xfer's interrupt & the xfer's abort task occur at the same time, this will cause the USB stack to crash.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jun 14 12:35:00 +0000 2009
>Closed-Date:    Sun Jun 14 13:02:30 +0000 2009
>Last-Modified:  Sun Jun 14 13:02:30 +0000 2009
>Originator:     zhenhua,lin
>Release:        no
>Organization:
no
>Environment:
no.
This problem was found at the code review phase.
>Description:
Sorry for my poor English.


The following situation will cause usb xfer re-entry, and cause the usb stack to crash:
1) XFER timeout causes *hci_timeout to be called;
2) *hci_timeout adds the ohci_timeout_task() to the task, in order to execute this abort transaction in a process context;


>>>>>>>>>>>>>>>>>>>>>>>>>>>>
   	/* Execute the abort in a process context. */
	usb_init_task(&oxfer->abort_task, ohci_timeout_task, addr);
	usb_add_task(oxfer->xfer.pipe->device, &oxfer->abort_task,
	    USB_TASKQ_HC);
<<<<<<<<<<<<<<<<<<<<<<<<<<<<


3) If this xfer comes back at this time,
   of course, the system will respond to the interrupt first;
   this will cause this xfer to be done, and removed from the xfer;
4) The timeout abort transaction will be called after the interrupt, and will call usb_transfer_complete().


This will cause the xfer re-entry.
>How-To-Repeat:
see above, Thanks.
>Fix:
void
*hci_timeout_task(void *addr)
{
	usbd_xfer_handle xfer = addr;
	int s;


	DPRINTF(("*hci_timeout_task: xfer=%p\n", xfer));


+       if (xfer->done != 1)
+       {
            s = splusb();
	    *hci_abort_xfer(xfer, USBD_TIMEOUT);
	    splx(s);
+       }
}
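
Review bot: the `xfer->done != 1` test is evaluated before `splusb()` is raised, so the completion interrupt can still run between the check and the call to `*hci_abort_xfer()`, which leaves the window the report describes open. Raise the priority level first and test the flag inside the protected section, for example `s = splusb(); if (!xfer->done) *hci_abort_xfer(xfer, USBD_TIMEOUT); splx(s);`. The added lines are also indented with spaces where the surrounding code uses tabs.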

>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Sun, 14 Jun 2009 13:02:30 +0000
State-Changed-Why:
Tracking this as 41595 already


>Unformatted:
