Date: Thu, 14 Aug 2003 16:35:19 -0400 (EDT)
From: Emil Sit <sit@amsterdam.lcs.mit.edu>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/55587: null dereference in usbdi.c: usb_transfer_complete
Message-ID: <200308142035.h7EKZJEd000534@finite-subcover.lcs.mit.edu>
Resent-Message-ID: <200308142040.h7EKeIG4054592@freefall.freebsd.org>
>Number:         55587
>Category:       kern
>Synopsis:       null dereference in usbdi.c: usb_transfer_complete
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 14 13:40:17 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Emil Sit
>Release:        FreeBSD 4.8-RELEASE-p3 i386
>Organization:
Massachusetts Institute of Technology
>Environment:
System: FreeBSD finite-subcover.lcs.mit.edu 4.8-RELEASE-p3 FreeBSD 4.8-RELEASE-p3 #2: Thu Aug 14 13:55:06 EDT 2003 sit@finite-subcover.lcs.mit.edu:/usr/obj/usr/src/sys/PDOS-UNI i386

The machine is an IBM ThinkPad X21; this bug was tested with a Microsoft and a Logitech (Dell) USB mouse.
>Description:
When the USB mouse is unplugged, the kernel attempts to dereference a null pointer at sys/dev/usb/usbdi.c:756. The stack trace is:

    usb_transfer_complete
    uhci_idone
    uhci_check_intr
    uhci_intr
    intr_mux

The particular instruction is usb_transfer_complete+0xd4, which turns out to be address 9f0 in usbdi.o:

    9e8:   8b 4b 04       mov    0x4(%ebx),%ecx
    9eb:   8b 43 08       mov    0x8(%ebx),%eax
    9ee:   8b 00          mov    (%eax),%eax
    9f0:   8a 40 03       mov    0x3(%eax),%al
    9f3:   24 03          and    $0x3,%al
    9f5:   0f b6 d0       movzbl %al,%edx

corresponding to:

    /* Count completed transfers. */
    ++pipe->device->bus->stats.uds_requests
        [pipe->endpoint->edesc->bmAttributes & UE_XFERTYPE];

%ebx contains pipe, so %eax contains endpoint. Apparently, edesc is NULL (verified as %eax containing 0 in ddb).

This happens after the mouse is unplugged, since the kernel does log:

Aug 14 14:15:52 finite-subcover /kernel: ums0: Microsoft Microsoft Wheel Mouse Optical<AE>, rev 1.10/1.21, addr 3, iclass 3/1
Aug 14 14:15:52 finite-subcover /kernel: ums0: 3 buttons and Z dir.
Aug 14 14:16:11 finite-subcover /kernel: ums0: at uhub1 port 1 (addr 3) disconnected
Aug 14 14:16:11 finite-subcover /kernel: ums0: detached
Aug 14 14:23:15 finite-subcover /kernel: Copyright (c) 1992-2003 The FreeBSD Project.

Once in a while, it works okay, and the log messages look like:

Aug 14 15:56:04 finite-subcover /kernel: ums0: at uhub1 port 1 (addr 3) disconnected
Aug 14 15:56:04 finite-subcover /kernel: ums0: detached
Aug 14 15:56:04 finite-subcover moused: unable to open /dev/ums0: Device not configured
Aug 14 15:56:13 finite-subcover /kernel: uhub1: at uhub0 port 1 (addr 2) disconnected
Aug 14 15:56:13 finite-subcover /kernel: uhub1: detached

I'm guessing this is not specific to USB mice, but I don't have other USB devices handy, nor do I currently have time to try and track down the root cause.
>How-To-Repeat:
Boot machine. Plug in USB mouse. Unplug USB mouse. Wait.
>Fix:
Unknown.
>Release-Note:
>Audit-Trail:
>Unformatted:
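A reduced C model of the failure the PR describes, added here as an editor's example rather than code from the report or from FreeBSD: the struct layouts, detach_endpoint, complete_unsafe and complete_checked are hypothetical simplifications that reproduce only the pointer chain pipe->endpoint->edesc->bmAttributes and show a completion handler that tolerates the descriptor having been cleared by detach.

```c
#include <stddef.h>
#include <stdint.h>
#define UE_XFERTYPE 0x03  /* low two bits of bmAttributes: the transfer type */

/* Simplified stand-ins for the FreeBSD structures named in the report. */
struct usb_endpoint_descriptor { uint8_t bmAttributes; };
struct usbd_endpoint { struct usb_endpoint_descriptor *edesc; };
struct usbd_bus { unsigned long uds_requests[4]; };
struct usbd_device { struct usbd_bus *bus; };
struct usbd_pipe { struct usbd_device *device; struct usbd_endpoint *endpoint; };

/* Detach drops the endpoint descriptor while a transfer submitted earlier can
 * still complete from the interrupt handler (the ordering the report shows). */
void detach_endpoint(struct usbd_endpoint *ep) { ep->edesc = NULL; }

/* Mirrors usbdi.c:756 in the report: faults when edesc == NULL (post-detach). */
int complete_unsafe(struct usbd_pipe *pipe)
{
    int type = pipe->endpoint->edesc->bmAttributes & UE_XFERTYPE;
    pipe->device->bus->uds_requests[type]++;
    return type;
}

/* Defensive variant (illustrative, not the FreeBSD fix): a post-detach completion
 * skips the accounting. Returns the type counted, or -1 if the pipe is torn down. */
int complete_checked(struct usbd_pipe *pipe)
{
    struct usb_endpoint_descriptor *ed =
        pipe->endpoint != NULL ? pipe->endpoint->edesc : NULL;
    if (ed == NULL)
        return -1;
    int type = ed->bmAttributes & UE_XFERTYPE;
    pipe->device->bus->uds_requests[type]++;
    return type;
}

/* Replays the report's sequence: completion, unplug, late completion.
 * Returns 1 when the checked path counts once and then refuses safely. */
int demo_unplug_race(void)
{
    struct usb_endpoint_descriptor ed = { 0x03 };   /* interrupt endpoint */
    struct usbd_endpoint ep = { &ed };
    struct usbd_bus bus = { { 0 } };
    struct usbd_device dev = { &bus };
    struct usbd_pipe pipe = { &dev, &ep };
    int first = complete_checked(&pipe);            /* counted in slot 3 */
    detach_endpoint(&ep);                           /* "ums0: detached" */
    int late = complete_checked(&pipe);             /* -1 instead of a fault */
    return first == 3 && late == -1 && bus.uds_requests[3] == 1;
}
```

The real descriptor keeps bmAttributes at offset 3 (hence the `mov 0x3(%eax),%al` in the trace); the model puts it at offset 0 only to stay short.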