From owner-freebsd-bugs@FreeBSD.ORG  Thu Aug 14 13:40:21 2003
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E209D37B405
	for <freebsd-bugs@hub.freebsd.org>;
	Thu, 14 Aug 2003 13:40:20 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7CAE743FD7
	for <freebsd-bugs@hub.freebsd.org>;
	Thu, 14 Aug 2003 13:40:18 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h7EKeIUp054593
	for <freebsd-bugs@freefall.freebsd.org>;
	Thu, 14 Aug 2003 13:40:18 -0700 (PDT)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h7EKeIG4054592;
	Thu, 14 Aug 2003 13:40:18 -0700 (PDT)
Resent-Date: Thu, 14 Aug 2003 13:40:18 -0700 (PDT)
Resent-Message-Id: <200308142040.h7EKeIG4054592@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Emil Sit <sit@amsterdam.lcs.mit.edu>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A52F037B401
	for <FreeBSD-gnats-submit@freebsd.org>;
	Thu, 14 Aug 2003 13:35:22 -0700 (PDT)
Received: from finite-subcover.lcs.mit.edu (finite-subcover.lcs.mit.edu
	[18.26.4.108])	by mx1.FreeBSD.org (Postfix) with ESMTP id BF18543FCB
	for <FreeBSD-gnats-submit@freebsd.org>;
	Thu, 14 Aug 2003 13:35:21 -0700 (PDT)
	(envelope-from sit@finite-subcover.lcs.mit.edu)
Received: from finite-subcover.lcs.mit.edu (localhost [127.0.0.1])
	h7EKZJhv000535	for <FreeBSD-gnats-submit@freebsd.org>;
	Thu, 14 Aug 2003 16:35:19 -0400 (EDT)
	(envelope-from sit@finite-subcover.lcs.mit.edu)
Received: (from sit@localhost)h7EKZJEd000534;
	Thu, 14 Aug 2003 16:35:19 -0400 (EDT)
Message-Id: <200308142035.h7EKZJEd000534@finite-subcover.lcs.mit.edu>
Date: Thu, 14 Aug 2003 16:35:19 -0400 (EDT)
From: Emil Sit <sit@amsterdam.lcs.mit.edu>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/55587: null dereference in usbdi.c: usb_transfer_complete
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Emil Sit <sit@amsterdam.lcs.mit.edu>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Aug 2003 20:40:21 -0000


>Number:         55587
>Category:       kern
>Synopsis:       null dereference in usbdi.c: usb_transfer_complete
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 14 13:40:17 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Emil Sit
>Release:        FreeBSD 4.8-RELEASE-p3 i386
>Organization:
Massachusetts Institute of Technology
>Environment:
System: FreeBSD finite-subcover.lcs.mit.edu 4.8-RELEASE-p3 FreeBSD 4.8-RELEASE-p3 #2: Thu Aug 14 13:55:06 EDT 2003 sit@finite-subcover.lcs.mit.edu:/usr/obj/usr/src/sys/PDOS-UNI i386

The machine is an IBM ThinkPad X21; this bug was tested with a
microsoft and logitech (dell) usb mouse.

>Description:
	
	When USB mouse is unplugged, kernel attempts to dereference
	a null pointer at sys/dev/usb/usbdi.c:756. 

	The stack trace is:
		usb_transfer_complete
		uhci_idone
		uhci_check_intr
		uhci_intr
		intr_mux

	The particular instruction is usb_transfer_complete+0xd4,
	which turns out to be address 9f0 in usbdi.o:

 9e8:	8b 4b 04             	mov    0x4(%ebx),%ecx
 9eb:	8b 43 08             	mov    0x8(%ebx),%eax
 9ee:	8b 00                	mov    (%eax),%eax
 9f0:	8a 40 03             	mov    0x3(%eax),%al
 9f3:	24 03                	and    $0x3,%al
 9f5:	0f b6 d0             	movzbl %al,%edx

	corresponding to:

	/* Count completed transfers. */
	++pipe->device->bus->stats.uds_requests
		[pipe->endpoint->edesc->bmAttributes & UE_XFERTYPE];

	%ebx contains pipe, so %eax contains endpoint.
	Apparently, edesc is NULL (verified as %eax containing 0 in ddb).

	This happens after the mouse is unplugged, since the kernel
	does log:

Aug 14 14:15:52 finite-subcover /kernel: ums0: Microsoft Microsoft Wheel Mouse Optical<AE>, rev 1.10/1.21, addr 3, iclass 3/1
Aug 14 14:15:52 finite-subcover /kernel: ums0: 3 buttons and Z dir.
Aug 14 14:16:11 finite-subcover /kernel: ums0: at uhub1 port 1 (addr 3) disconnected
Aug 14 14:16:11 finite-subcover /kernel: ums0: detached
Aug 14 14:23:15 finite-subcover /kernel: Copyright (c) 1992-2003 The FreeBSD Project.

	Once in a while, it works okay, and the log messages look like:

Aug 14 15:56:04 finite-subcover /kernel: ums0: at uhub1 port 1 (addr 3) disconnected
Aug 14 15:56:04 finite-subcover /kernel: ums0: detached
Aug 14 15:56:04 finite-subcover moused: unable to open /dev/ums0: Device not configured
Aug 14 15:56:13 finite-subcover /kernel: uhub1: at uhub0 port 1 (addr 2) disconnected
Aug 14 15:56:13 finite-subcover /kernel: uhub1: detached

	I'm guessing this is not specific to USB mice but I don't
	have other USB devices handy, nor do I currently have time
	to try and track down the root cause.

>How-To-Repeat:
	Boot machine.
	Plug in USB mouse.
	Unplug USB mouse.
	Wait.

>Fix:
	Unknown.

>Release-Note:
>Audit-Trail:
>Unformatted: