NetBSD Problem Report #50217

From prlw1@cam.ac.uk  Mon Sep  7 13:45:40 2015
Return-Path: <prlw1@cam.ac.uk>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 84307A6554
	for <gnats-bugs@gnats.NetBSD.org>; Mon,  7 Sep 2015 13:45:40 +0000 (UTC)
Message-Id: <20150907134533.GA1574@quark.internal.precedence.co.uk>
Date: Mon, 7 Sep 2015 14:45:33 +0100
From: Patrick Welche <prlw1@cam.ac.uk>
Reply-To: prlw1@cam.ac.uk
To: gnats-bugs@NetBSD.org
Cc: prlw1@cam.ac.uk
Subject: ehci panic on unplug

>Number:         50217
>Category:       kern
>Synopsis:       ehci panic (un)plugging uplcom
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Sep 07 13:50:01 +0000 2015
>Last-Modified:  Mon Sep 07 14:27:22 +0000 2015
>Originator:     Patrick Welche
>Release:        NetBSD 7.99.21
>Organization:
>Environment:
NetBSD-7.99.21/amd64 of 5 Sep 2015
>Description:
Just unplugged a

uplcom0: Prolific Technology PL2303 Serial adapter (ATEN/IOGEAR UC232A), rev 1.10/2.02, addr 3

at which point essentially everything froze with the disk light
flickering. After a minute or so I plugged it back in, and:

#0  0xffffffff80118b15 in cpu_reboot (howto=howto@entry=260, 
    bootstr=bootstr@entry=0x0) at ../../../../arch/amd64/amd64/machdep.c:671
#1  0xffffffff80527eb2 in vpanic (fmt=fmt@entry=0xffffffff807a6d23 "trap", 
    ap=ap@entry=0xfffffe8040205cf0) at ../../../../kern/subr_prf.c:342
#2  0xffffffff80527f6d in panic (fmt=fmt@entry=0xffffffff807a6d23 "trap")
    at ../../../../kern/subr_prf.c:258
#3  0xffffffff8011a49f in trap (frame=0xfffffe8040205e10)
    at ../../../../arch/amd64/amd64/trap.c:298
#4  0xffffffff80100f46 in alltraps ()
#5  0xffffffff8020fd35 in usb_transfer_complete (
    xfer=xfer@entry=0xfffffe8107e44170) at ../../../../dev/usb/usbdi.c:873
#6  0xffffffff802cde01 in ehci_idone (ex=ex@entry=0xfffffe8107e44170)
    at ../../../../dev/usb/ehci.c:1138
#7  0xffffffff802d03ff in ehci_check_qh_intr (sc=<optimized out>, 
    ex=<optimized out>) at ../../../../dev/usb/ehci.c:908
#8  ehci_check_intr (sc=0xfffffe8107d85000, ex=0xfffffe8107e44170)
    at ../../../../dev/usb/ehci.c:817
#9  ehci_softintr (v=<optimized out>) at ../../../../dev/usb/ehci.c:787
#10 0xffffffff8020deca in usb_soft_intr (arg=0xfffffe8107d85040)
    at ../../../../dev/usb/usb.c:1025
#11 0xffffffff80507d34 in softint_execute (l=<optimized out>, 
    s=<optimized out>, si=<optimized out>)
    at ../../../../kern/kern_softint.c:589
#12 softint_dispatch (pinned=<optimized out>, s=4)
    at ../../../../kern/kern_softint.c:871
#13 0xffffffff8011402f in Xsoftintr ()
(gdb) frame 5
#5  0xffffffff8020fd35 in usb_transfer_complete (
    xfer=xfer@entry=0xfffffe8107e44170) at ../../../../dev/usb/usbdi.c:873
873                     SIMPLEQ_REMOVE_HEAD(&pipe->queue, next);
(gdb) list
868                     if (xfer != SIMPLEQ_FIRST(&pipe->queue))
869                             printf("%s: bad dequeue %p != %p\n", __func__,
870                                    xfer, SIMPLEQ_FIRST(&pipe->queue));
871                     xfer->busy_free = XFER_BUSY;
872     #endif
873                     SIMPLEQ_REMOVE_HEAD(&pipe->queue, next);
874             }
875             USBHIST_LOG(usbdebug, "xfer %p: repeat %d new head = %p",
876                 xfer, repeat, SIMPLEQ_FIRST(&pipe->queue), 0);
877
(gdb) print *pipe
$2 = {iface = 0x0, device = 0xfffffe813b2c1c48, endpoint = 0xfffffe813b2c1c80, 
  refcnt = 1, running = 0 '\000', aborting = 0 '\000', queue = {
    sqh_first = 0x0, sqh_last = 0xfffffe813b2c1ba8}, next = {le_next = 0x0, 
    le_prev = 0x0}, async_task = {next = {tqe_next = 0x0, tqe_prev = 0x0}, 
    fun = 0xffffffff802101bd <usbd_clear_endpoint_stall_task>, 
    arg = 0xfffffe813b2c1b88, queue = 2, flags = 128}, intrxfer = 0x0, 
  repeat = 0 '\000', interval = -1, flags = 128 '', 
  methods = 0xffffffff807372a0 <ehci_device_ctrl_methods>}

#define	SIMPLEQ_REMOVE_HEAD(head, field) do {				\
	if (((head)->sqh_first = (head)->sqh_first->field.sqe_next) == NULL) \
		(head)->sqh_last = &(head)->sqh_first;			\
} while (/*CONSTCOND*/0)

Looks like head->sqh_first == NULL, so looking at head->sqh_first->anything
isn't going to go well?

>How-To-Repeat:
>Fix:
Another aspect of PR 50149 ?

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: gnats-admin->kern-bug-people
Responsible-Changed-By: prlw1@NetBSD.org
Responsible-Changed-When: Mon, 07 Sep 2015 14:27:22 +0000
Responsible-Changed-Why:
pending -> kern


>Unformatted:
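
An added example, not code from the report or from NetBSD: a userland C reconstruction of the queue state in the gdb dump above (`sqh_first = 0x0`), with a hypothetical `guarded_dequeue()` that checks for an empty queue and for a head mismatch before invoking the quoted macro. The `usb_xfer`/`usb_pipe` stand-in types, `pipe_init()`, `enqueue()` and the result codes are assumptions made for illustration.

```c
#include <stddef.h>

/* Stand-in types (assumed); field names follow the gdb dump in the report. */
struct usb_xfer { struct { struct usb_xfer *sqe_next; } next; };
struct usb_pipe {
	struct { struct usb_xfer *sqh_first; struct usb_xfer **sqh_last; } queue;
};

/* Macro as quoted in the report: it dereferences sqh_first unconditionally. */
#define SIMPLEQ_REMOVE_HEAD(head, field) do {				\
	if (((head)->sqh_first = (head)->sqh_first->field.sqe_next) == NULL) \
		(head)->sqh_last = &(head)->sqh_first;			\
} while (/*CONSTCOND*/0)

enum dequeue_result { DEQ_OK, DEQ_EMPTY, DEQ_NOT_HEAD };

static void pipe_init(struct usb_pipe *p)
{
	p->queue.sqh_first = NULL;
	p->queue.sqh_last = &p->queue.sqh_first;
}

static void enqueue(struct usb_pipe *p, struct usb_xfer *x)
{
	x->next.sqe_next = NULL;
	*p->queue.sqh_last = x;
	p->queue.sqh_last = &x->next.sqe_next;
}

/* Hypothetical guard: report the bad state instead of dereferencing NULL. */
static enum dequeue_result guarded_dequeue(struct usb_pipe *p, struct usb_xfer *x)
{
	if (p->queue.sqh_first == NULL)
		return DEQ_EMPTY;	/* the state shown by "print *pipe" */
	if (p->queue.sqh_first != x)
		return DEQ_NOT_HEAD;	/* lines 868-870 only print in this case */
	SIMPLEQ_REMOVE_HEAD(&p->queue, next);
	return DEQ_OK;
}

int main(void)
{
	struct usb_pipe p;
	struct usb_xfer x;

	pipe_init(&p);
	if (guarded_dequeue(&p, &x) != DEQ_EMPTY)	/* empty queue, as in the dump */
		return 1;
	enqueue(&p, &x);
	return guarded_dequeue(&p, &x) == DEQ_OK ? 0 : 1;
}
```

The guard only avoids the NULL dereference; it does not explain why the completed transfer was no longer on the pipe's queue after the unplug.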
