On 04.09.10 03:31, matthew green wrote:
>> Module Name:    src
>> Committed By:   cegger
>> Date:           Fri Sep  3 23:15:09 UTC 2010
>>
>> Modified Files:
>>         src/sys/dev/usb: usbdi.c
>>
>> Log Message:
>> fix NULL pointer dereference on detaching:
>> Attach a USB device that looks like this:
>> ugen1 at uhub0 port 2
>> ugen1: detached
>> ugen1: at uhub0 port 2 (addr 3) disconnected
>>
>> When unplugging the device:
>>
>> usb_transfer_complete: xfer=0xffff80000832a800 not busy 0x00000055
>> usb_transfer_complete: bad dequeue 0xffff80000832a800 != 0x0
>
> this change seems to be a workaround hack rather than any sort of
> actual bug fix.  the code immediately before it is checking that
> the queue head is not the same as this xfer, and prints a message
> under DIAG that there is likely a problem.  ie, you're avoiding a
> crash in a place already known to be problematic, and instead of
> trying to fix it you're patching over it without actually figuring
> out what is going wrong.
>
> please revert this change and debug the crash properly.
usb_transfer_complete: xfer=0xffff80000832a800 not busy 0x00000055
usb_transfer_complete: bad dequeue 0xffff80000832a800 != 0x0
fatal page fault in supervisor mode
trap type 6 code 0 rip 0xffffffff8078fe62 cs 8 rflags 10282 cr2 78 cpl 4 rsp 0xffff80004b654c70
kernel: page fault trap, code=0
Stopped in pid 0.3 (system) at  netbsd:usb_transfer_complete+0xf3:      movq    0x78(%rax),%rax
db{0}> bt
usb_transfer_complete+0xf3
ohci_softintr+0x340
softint_dispatch+0xd0
DDB lost frame for Xsoftintr+0x4f, trying 0xffff80004b654d70
Xsoftintr+0x4f
--- interrupt ---
0:
db{0}> sh reg
[...]
rax 0
[...]

Using gdb and list *(usb_transfer_complete+0xf3) points to line 803, which is the SIMPLEQ_REMOVE_HEAD macro.
Listing the rip 0xffffffff8078fe62 points to line 777, which is
if (xfer->actlen > xfer->length) {

Are there two threads interfering?

Christoph
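To make the crash path in the trace concrete, here is an added, self-contained C model of the dequeue step in usb_transfer_complete (my own illustration, not the NetBSD driver code): a SIMPLEQ-style queue whose head is compared with the completing xfer and then removed with the SIMPLEQ_REMOVE_HEAD equivalent, which on an empty queue reads through a NULL head pointer, matching the `movq 0x78(%rax),%rax` with rax == 0 in DDB. The struct and function names (`xfer_queue`, `xfer_complete_dequeue`, `scenario_double_complete`) and the status enum are assumptions of this model, and the double-completion scenario it replays is constructed from the log in the commit message.

```c
#include <stddef.h>

/* Minimal stand-in for a USB transfer: only the queue link matters here. */
struct xfer { struct xfer *next; };             /* SIMPLEQ-style forward link */

/* SIMPLEQ-style queue: head pointer plus pointer to the last link. */
struct xfer_queue { struct xfer *first; struct xfer **lastp; };

enum dequeue_status { DQ_OK, DQ_EMPTY, DQ_NOT_HEAD };

static void xq_init(struct xfer_queue *q) { q->first = NULL; q->lastp = &q->first; }

static void xq_insert_tail(struct xfer_queue *q, struct xfer *x)
{
    x->next = NULL;
    *q->lastp = x;
    q->lastp = &x->next;
}

/*
 * Model of the dequeue step in usb_transfer_complete: the driver compares the
 * queue head with the completing xfer (DIAGNOSTIC message if they differ) and
 * then does SIMPLEQ_REMOVE_HEAD, which reads first->next. With an empty queue
 * that read is the NULL dereference in the trace (rax == 0). This model
 * reports both bad states as a status and removes nothing in those cases.
 */
enum dequeue_status xfer_complete_dequeue(struct xfer_queue *q, struct xfer *x)
{
    if (q->first == NULL)
        return DQ_EMPTY;            /* driver: first->next faults here */
    if (q->first != x)
        return DQ_NOT_HEAD;         /* driver: "bad dequeue %p != %p" */
    q->first = x->next;             /* SIMPLEQ_REMOVE_HEAD equivalent */
    if (q->first == NULL)
        q->lastp = &q->first;
    return DQ_OK;
}

/* Constructed scenario from the thread: the xfer completes once normally, then
 * a second completion for the same xfer arrives after detach, queue empty. */
enum dequeue_status scenario_double_complete(void)
{
    struct xfer_queue q;
    struct xfer a;
    xq_init(&q);
    xq_insert_tail(&q, &a);
    (void)xfer_complete_dequeue(&q, &a);    /* DQ_OK: normal completion */
    return xfer_complete_dequeue(&q, &a);   /* DQ_EMPTY: the faulting state */
}
```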