NetBSD Problem Report #49728
From snj@blef.org Sat Mar 7 08:05:34 2015
Return-Path: <snj@blef.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 30E92A6552
for <gnats-bugs@gnats.NetBSD.org>; Sat, 7 Mar 2015 08:05:34 +0000 (UTC)
Message-Id: <20150307080532.332F110D592@vc136-84.vc.panix.com>
Date: Sat, 7 Mar 2015 00:05:32 -0800 (PST)
From: snj@blef.org
To: gnats-bugs@gnats.NetBSD.org
Subject: crash in uhid
X-Send-Pr-Version: 3.95
>Number: 49728
>Category: kern
>Synopsis: uhid boom
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: mrg
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Mar 07 08:10:00 +0000 2015
>Closed-Date: Mon Oct 10 01:33:49 +0000 2016
>Last-Modified: Mon Oct 10 01:33:49 +0000 2016
>Originator: Soren Jacobsen
>Release: NetBSD 7.0_BETA
>Organization:
>Environment:
NetBSD nimbus.blef.org 7.0_BETA NetBSD 7.0_BETA (NIMBUS) #0: Fri Mar 6 11:56:05 PST 2015 snj@nimbus.blef.org:/usr/tmpobj/sys/arch/amd64/compile/NIMBUS amd64
Architecture: x86_64
Machine: amd64
>Description:
uvm_fault(0xfffffe811e369e68, 0x0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff808fcef4 cs 8 rflags 10206 cr2 28 ilevel 6 rsp fffffe8120c5abf8
curlwp 0xfffffe823bbdfb60 pid 13305.1 lowest kstack 0xfffffe8120c582c0
panic: trap
cpu4: Begin traceback...
vpanic() at netbsd:vpanic+0x13c
snprintf() at netbsd:snprintf
startlwp() at netbsd:startlwp
alltraps() at netbsd:alltraps+0x96
uhidread() at netbsd:uhidread+0x1dd
spec_read() at netbsd:spec_read+0x5e
VOP_READ() at netbsd:VOP_READ+0x37
vn_read() at netbsd:vn_read+0x94
dofileread() at netbsd:dofileread+0x90
sys_read() at netbsd:sys_read+0x5f
syscall() at netbsd:syscall+0x9a
--- syscall (number 3) ---
7f7ff443c1fa:
cpu4: End traceback...
>How-To-Repeat:
Plug in Sony DualShock 3, spend an hour playing Symphony of the
Night under retroarch, wait for the boom, grumble about losing progress,
wait for dump to finish, go back to slaying the undead.
>Fix:
Yes, please!
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->mrg
Responsible-Changed-By: snj@NetBSD.org
Responsible-Changed-When: Sat, 07 Mar 2015 08:10:49 +0000
Responsible-Changed-Why:
assign to mrg, per his request
From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: re: kern/49728: crash in uhid
Date: Sat, 07 Mar 2015 19:35:50 +1100
AFAICT, i failed to properly protect sc_q when converting this
driver on the usbmp branch, and this is likely a list being
updated while also traversed. i don't have a fix, but it should
not be a big deal.
there might also be the same problem in some of the other drivers
so i plan to survey them all that i've updated for this (there
aren't many to check, fortunately.)
of course, anyone else is else welcome to look at this, i may
not find time for a week or more.
.mrg.
State-Changed-From-To: open->pending-pullups
State-Changed-By: mrg@NetBSD.org
State-Changed-When: Sat, 07 Mar 2015 20:21:40 +0000
State-Changed-Why:
i commited a fix, and it needs to be pulled up.
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49728 CVS commit: src/sys/dev/usb
Date: Sat, 7 Mar 2015 20:20:55 +0000
Module Name: src
Committed By: mrg
Date: Sat Mar 7 20:20:55 UTC 2015
Modified Files:
src/sys/dev/usb: TODO.usbmp uatp.c ucycom.c uhid.c uhidev.c uhidev.h
ukbd.c uyurex.c
Log Message:
properly protect uhid's sc_q member with sc_lock. should fix PR#49728.
while here, remove D_MPSAFE from uhid* and all uhid users, as it really
needs all the callers to be safe and they're not.
XXX: pullup-7
To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/dev/usb/TODO.usbmp
cvs rdiff -u -r1.10 -r1.11 src/sys/dev/usb/uatp.c
cvs rdiff -u -r1.41 -r1.42 src/sys/dev/usb/ucycom.c
cvs rdiff -u -r1.92 -r1.93 src/sys/dev/usb/uhid.c
cvs rdiff -u -r1.62 -r1.63 src/sys/dev/usb/uhidev.c
cvs rdiff -u -r1.16 -r1.17 src/sys/dev/usb/uhidev.h
cvs rdiff -u -r1.129 -r1.130 src/sys/dev/usb/ukbd.c
cvs rdiff -u -r1.9 -r1.10 src/sys/dev/usb/uyurex.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49728 CVS commit: [netbsd-7] src/sys/dev/usb
Date: Sat, 21 Mar 2015 17:30:44 +0000
Module Name: src
Committed By: snj
Date: Sat Mar 21 17:30:43 UTC 2015
Modified Files:
src/sys/dev/usb [netbsd-7]: TODO.usbmp uatp.c ucycom.c uhid.c uhidev.c
uhidev.h ukbd.c uyurex.c
Log Message:
Pull up following revision(s) (requested by mrg in ticket #626):
sys/dev/usb/TODO.usbmp: revision 1.9
sys/dev/usb/uatp.c: revision 1.11
sys/dev/usb/ucycom.c: revision 1.42
sys/dev/usb/uhid.c: revision 1.93, 1.94
sys/dev/usb/uhidev.c: revision 1.63
sys/dev/usb/uhidev.h: revision 1.17
sys/dev/usb/ukbd.c: revision 1.130
sys/dev/usb/uyurex.c: revision 1.10
properly protect uhid's sc_q member with sc_lock. should fix PR#49728.
while here, remove D_MPSAFE from uhid* and all uhid users, as it really
needs all the callers to be safe and they're not.
--
don't take the device lock when stopping the uhidev. that calls
to abort and close pipes, both of which may take an adaptive lock.
fixes a LOCKDEBUG abort see on one particular machine.
To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.8.2.1 src/sys/dev/usb/TODO.usbmp
cvs rdiff -u -r1.10 -r1.10.2.1 src/sys/dev/usb/uatp.c
cvs rdiff -u -r1.39 -r1.39.2.1 src/sys/dev/usb/ucycom.c
cvs rdiff -u -r1.92 -r1.92.2.1 src/sys/dev/usb/uhid.c
cvs rdiff -u -r1.61.2.1 -r1.61.2.2 src/sys/dev/usb/uhidev.c
cvs rdiff -u -r1.15.2.1 -r1.15.2.2 src/sys/dev/usb/uhidev.h
cvs rdiff -u -r1.129 -r1.129.4.1 src/sys/dev/usb/ukbd.c
cvs rdiff -u -r1.9 -r1.9.12.1 src/sys/dev/usb/uyurex.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 10 Oct 2016 01:33:49 +0000
State-Changed-Why:
handling the pullup took two weeks; noticing that it had been handled,
18 months. derple
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.