Re: CVS commit: src/sys/dev/usb

[Christoph Egger <Christoph_Egger%gmx.de@localhost>]

On 04.09.10 03:31, matthew green wrote:
>> Module Name: src
>> Committed By:        cegger
>> Date:                Fri Sep  3 23:15:09 UTC 2010
>>
>> Modified Files:
>>      src/sys/dev/usb: usbdi.c
>>
>> Log Message:
>> fix NULL pointer dereference on detaching:
>> Attach an USB device that looks like this:
>> ugen1 at uhub0 port 2
>> ugen1: detached
>> ugen1: at uhub0 port 2 (addr 3) disconnected
>>
>> When unplugging the device:
>>
>> usb_transfer_complete: xfer=0xffff80000832a800 not busy 0x00000055
>> usb_transfer_complete: bad dequeue 0xffff80000832a800 != 0x0
> 
> this change seems to be a workaround hack rather than any sort of
> actual bug fix.  the code immediately before it is checking that
> the queue head is not the same as this xfer, and prints a message
> under DIAG that there is likely a problem.  ie, you're avoiding a
> crash in a place already known to be problematic, and instead of
> trying to fix it you're patching over it without actually figuring
> out what is going wrong.
> 
> please revert this change and debug the crash properly.

usb_transfer_complete: xfer=0xffff80000832a800 not busy 0x00000055
usb_transfer_complete: bad dequeue 0xffff80000832a800 != 0x0
fatal page fault in supervisor mode
trap type 6 code 0 rip 0xffffffff8078fe62 cs 8 rflags 10282 cr2 78 cpl 4
rsp 0xf
fff80004b654c70
kernel: page fault trap, code=0
Stopped in pid 0.3 (system) at netbsd:usb_transfer_complete+0xf3: movq
0x78(%rax
),%rax
db{0}> bt
usb_transfer_complete+0xf3
ohci_softintr+0x340
softint_dispatch+0xd0
DDB lost frame for Xsoftintr+0x4f, trying 0xffff80004b654d70
Xsoftintr+0x4f
--- interrupt ---
0:
db{0}> sh reg
[...]
rax   0
[...]


Using gdb and list *(usb_transfer_complete+0xf3) points to line 803
which is the SIMPLEQ_REMOVE_HEAD macro.

listing the rip 0xffffffff8078fe62 points to line 777
which is

  if (xfer->actlen > xfer->length) {

Are there two threads interfering ?

Christoph