NetBSD Problem Report #39651
From www@NetBSD.org Mon Sep 29 15:10:56 2008
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id 2309963BD01
for <gnats-bugs@gnats.netbsd.org>; Mon, 29 Sep 2008 15:10:56 +0000 (UTC)
Message-Id: <20080929151055.BCC0863BCFE@narn.NetBSD.org>
Date: Mon, 29 Sep 2008 15:10:55 +0000 (UTC)
From: lacombar@gmail.com
Reply-To: lacombar@gmail.com
To: gnats-bugs@NetBSD.org
Subject: Panic in uhci_device_ctrl_start() while unplugging USB device
X-Send-Pr-Version: www-1.0
>Number: 39651
>Category: kern
>Synopsis: Panic in uhci_device_ctrl_start() while unplugging USB device
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Sep 29 15:15:00 +0000 2008
>Closed-Date: Sun Nov 15 01:11:06 +0000 2009
>Last-Modified: Sun Nov 15 01:11:06 +0000 2009
>Originator: Arnaud Lacombe
>Release: 4.99.72
>Organization:
n/a
>Environment:
NetBSD oui 4.99.72 NetBSD 4.99.72 (OUI) #0: Sun Sep 28 17:00:00 EDT 2008 of@oui:/build/current/obj/20080928/sys/arch/i386/compile/OUI i386
>Description:
The system panic in uhci_device_ctrl_start() after several plug/unplug of a USB device. After reboot, gdb gives the following backtrace:
#6 0xc03c41ac in trap (frame=0xcb109b44) at /src/sys/arch/i386/i386/trap.c:352
#7 0xc010cb1f in calltrap ()
#8 0xc0204482 in uhci_device_ctrl_start (xfer=0xc0f8b100) at /src/sys/dev/usb/uhci.c:2467
#9 0xc043060f in usb_transfer_complete (xfer=0xc0f8b200) at /src/sys/dev/usb/usbdi.c:887
#10 0xc0201c2e in uhci_abort_xfer (xfer=0xc0f8b200, status=<value optimized out>) at /src/sys/dev/usb/uhci.c:2201
#11 0xc04310e9 in usbd_abort_pipe (pipe=0xc1028600) at /src/sys/dev/usb/usbdi.c:721
#12 0xc04326d1 in usbd_kill_pipe (pipe=0x1) at /src/sys/dev/usb/usb_subr.c:751
#13 0xc0432718 in usb_free_device (dev=0xc1028b80) at /src/sys/dev/usb/usb_subr.c:1444
#14 0xc04351c4 in uhub_explore (dev=0xc0f85a00) at /src/sys/dev/usb/uhub.c:469
#15 0xc042e81a in usb_discover (sc=0xca6ccdd4) at /src/sys/dev/usb/usb.c:800
#16 0xc042ebd7 in usb_event_thread (arg=0xca6ccdd4) at /src/sys/dev/usb/usb.c:381
#17 0xc01002e1 in lwp_trampoline ()
the faulty code is:
uhci_device_ctrl_start() {
[...]
upipe->u.ctl.length = len;
memcpy(KERNADDR(&upipe->u.ctl.reqdma, 0), req, sizeof *req);
[...]
}
A crash dump is available for further analysis.
>How-To-Repeat:
Plug/unplug a USB device. Seems to happen more often with umass devices.
>Fix:
n/a
>Release-Note:
>Audit-Trail:
From: Jeremy Morse <jmorse@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/39651 CVS commit: src/sys/dev/usb
Date: Fri, 12 Dec 2008 05:35:11 +0000 (UTC)
Module Name: src
Committed By: jmorse
Date: Fri Dec 12 05:35:11 UTC 2008
Modified Files:
src/sys/dev/usb: umass.c usbdi.c usbdi.h
Log Message:
PR#39651
Fix two problems in umass:
* usb xfers being freed before being removed from pipe, leading to null deref
* config_activate requests not supported, which leads to config_deactivate requests not being passed through. Spotted by jmcneill@
Added mechanism to usbdi allowing the default pipe to be aborted
To generate a diff of this commit:
cvs rdiff -r1.129 -r1.130 src/sys/dev/usb/umass.c
cvs rdiff -r1.124 -r1.125 src/sys/dev/usb/usbdi.c
cvs rdiff -r1.76 -r1.77 src/sys/dev/usb/usbdi.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Manuel Bouyer <bouyer@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/39651 CVS commit: [netbsd-5] src/sys/dev/usb
Date: Sat, 13 Dec 2008 21:44:42 +0000 (UTC)
Module Name: src
Committed By: bouyer
Date: Sat Dec 13 21:44:42 UTC 2008
Modified Files:
src/sys/dev/usb [netbsd-5]: umass.c usbdi.c usbdi.h
Log Message:
Pull up following revision(s) (requested by jmorse in ticket #185):
sys/dev/usb/usbdi.c: revision 1.125
sys/dev/usb/umass.c: revision 1.130
sys/dev/usb/usbdi.h: revision 1.77
PR#39651
Fix two problems in umass:
* usb xfers being freed before being removed from pipe, leading to null
deref
* config_activate requests not supported, which leads to
config_deactivate requests not being passed through. Spotted by jmcneill@=
Added mechanism to usbdi allowing the default pipe to be aborted
To generate a diff of this commit:
cvs rdiff -r1.129 -r1.129.4.1 src/sys/dev/usb/umass.c
cvs rdiff -r1.124 -r1.124.4.1 src/sys/dev/usb/usbdi.c
cvs rdiff -r1.76 -r1.76.10.1 src/sys/dev/usb/usbdi.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sat, 03 Jan 2009 03:43:25 +0000
State-Changed-Why:
Patches were committed; is this fixed now?
From: Jeremy Morse <jeremy.morse@gmail.com>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, netbsd-bugs@netbsd.org,
gnats-admin@netbsd.org, dholland@NetBSD.org, lacombar@gmail.com
Subject: Re: kern/39651 (Panic in uhci_device_ctrl_start() while unplugging
USB device)
Date: Sun, 04 Jan 2009 19:51:51 +0000
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigC96BD3653E353E07EBB27A7E
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
dholland@NetBSD.org wrote:
> Synopsis: Panic in uhci_device_ctrl_start() while unplugging USB device=
>=20
> State-Changed-From-To: open->feedback
> State-Changed-By: dholland@NetBSD.org
> State-Changed-When: Sat, 03 Jan 2009 03:43:25 +0000
> State-Changed-Why:
> Patches were committed; is this fixed now?
>=20
The patch fixes what was certainly a umass fault - I can't reproduce the
panic any more when detaching such a usb device. However, no-one else
appears to have tested it.
--=20
Thanks,
Jeremy
--------------enigC96BD3653E353E07EBB27A7E
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQEcBAEBAgAGBQJJYRNcAAoJEF93OTEVsi2V2jgH/RgKbCd7v7eYdSyJTxseXrWV
WC4MJBHGoEiRsqmWH4+5LsoPeUHOJaDG5LUA7lr41vmGytLLYBi2G9sJrT1UQiFx
kJUzD+1bVCYrCv7MVChuT6XQJWCNE6cxDL7MQrB8l7azujzORoo2pDEWziWxdMfH
fjwMuGunEy9QE4syRPsgsFaVbWu0ToTM2LwIJ/8AN4dswylai4jV9UmwzEPh/lJA
ffvcm2DtGM9C1NPsRQIgNqSJ98EcSE1Kebne8lGYSfj/6eYLyEdzba7hO+704+LF
WxskzTltOqlCmn7gbSPaRNDVppGBtNlQq10qaVFCgsfC+nWSvzHezLKZqJPbhQs=
=bIID
-----END PGP SIGNATURE-----
--------------enigC96BD3653E353E07EBB27A7E--
From: David Holland <dholland-bugs@netbsd.org>
To: Jeremy Morse <jeremy.morse@gmail.com>
Cc: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
netbsd-bugs@netbsd.org, gnats-admin@netbsd.org, dholland@NetBSD.org,
lacombar@gmail.com
Subject: Re: kern/39651 (Panic in uhci_device_ctrl_start() while unplugging
USB device)
Date: Sun, 4 Jan 2009 20:04:01 +0000
On Sun, Jan 04, 2009 at 07:51:51PM +0000, Jeremy Morse wrote:
> dholland@NetBSD.org wrote:
> > Synopsis: Panic in uhci_device_ctrl_start() while unplugging USB device
> >
> > State-Changed-From-To: open->feedback
> > State-Changed-By: dholland@NetBSD.org
> > State-Changed-When: Sat, 03 Jan 2009 03:43:25 +0000
> > State-Changed-Why:
> > Patches were committed; is this fixed now?
> >
>
> The patch fixes what was certainly a umass fault - I can't reproduce the
> panic any more when detaching such a usb device. However, no-one else
> appears to have tested it.
Right, that's why we're asking the submitter :-)
--
David A. Holland
dholland@netbsd.org
State-Changed-From-To: feedback->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 15 Nov 2009 01:11:06 +0000
State-Changed-Why:
feedback timeout.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home