kern/55587: null dereference in usbdi.c: usb_transfer_complete
Emil Sit
sit at amsterdam.lcs.mit.edu
Thu Aug 14 13:40:21 PDT 2003
>Number: 55587
>Category: kern
>Synopsis: null dereference in usbdi.c: usb_transfer_complete
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 14 13:40:17 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Emil Sit
>Release: FreeBSD 4.8-RELEASE-p3 i386
>Organization:
Massachusetts Institute of Technology
>Environment:
System: FreeBSD finite-subcover.lcs.mit.edu 4.8-RELEASE-p3 FreeBSD 4.8-RELEASE-p3 #2: Thu Aug 14 13:55:06 EDT 2003 sit at finite-subcover.lcs.mit.edu:/usr/obj/usr/src/sys/PDOS-UNI i386
The machine is an IBM ThinkPad X21; this bug was tested with a
Microsoft and a Logitech (Dell) USB mouse.
>Description:
When a USB mouse is unplugged, the kernel attempts to dereference
a null pointer at sys/dev/usb/usbdi.c:756.
The stack trace is:
usb_transfer_complete
uhci_idone
uhci_check_intr
uhci_intr
intr_mux
The particular instruction is usb_transfer_complete+0xd4,
which turns out to be address 9f0 in usbdi.o:
9e8: 8b 4b 04 mov 0x4(%ebx),%ecx
9eb: 8b 43 08 mov 0x8(%ebx),%eax
9ee: 8b 00 mov (%eax),%eax
9f0: 8a 40 03 mov 0x3(%eax),%al
9f3: 24 03 and $0x3,%al
9f5: 0f b6 d0 movzbl %al,%edx
corresponding to:
	/* Count completed transfers. */
	++pipe->device->bus->stats.uds_requests
	    [pipe->endpoint->edesc->bmAttributes & UE_XFERTYPE];
%ebx contains pipe, so %eax contains endpoint.
Apparently, edesc is NULL (verified as %eax containing 0 in ddb).
This happens after the mouse is unplugged, since the kernel
does log:
Aug 14 14:15:52 finite-subcover /kernel: ums0: Microsoft Microsoft Wheel Mouse Optical<AE>, rev 1.10/1.21, addr 3, iclass 3/1
Aug 14 14:15:52 finite-subcover /kernel: ums0: 3 buttons and Z dir.
Aug 14 14:16:11 finite-subcover /kernel: ums0: at uhub1 port 1 (addr 3) disconnected
Aug 14 14:16:11 finite-subcover /kernel: ums0: detached
Aug 14 14:23:15 finite-subcover /kernel: Copyright (c) 1992-2003 The FreeBSD Project.
Once in a while, it works okay, and the log messages look like:
Aug 14 15:56:04 finite-subcover /kernel: ums0: at uhub1 port 1 (addr 3) disconnected
Aug 14 15:56:04 finite-subcover /kernel: ums0: detached
Aug 14 15:56:04 finite-subcover moused: unable to open /dev/ums0: Device not configured
Aug 14 15:56:13 finite-subcover /kernel: uhub1: at uhub0 port 1 (addr 2) disconnected
Aug 14 15:56:13 finite-subcover /kernel: uhub1: detached
I'm guessing this is not specific to USB mice but I don't
have other USB devices handy, nor do I currently have time
to try and track down the root cause.
>How-To-Repeat:
Boot machine.
Plug in USB mouse.
Unplug USB mouse.
Wait.
>Fix:
Unknown.
>Release-Note:
>Audit-Trail:
>Unformatted:
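The crash described above, replayed as an added example that is not part of the report or of the FreeBSD source: it models the pipe->device->bus->stats and pipe->endpoint->edesc chain with hypothetical struct layouts, keeps the faulting statement as reported, and shows a hypothetical guarded form that refuses to account a completion once edesc has been cleared by detach.

```c
/* Added example, not FreeBSD code: models the pipe->device->bus->stats and
 * pipe->endpoint->edesc chain from usbdi.c and the check the unplug race
 * needs. The struct layouts and the guard itself are hypothetical. */
#include <stddef.h>
#include <stdint.h>

#define UE_XFERTYPE 0x03  /* low two bits of bmAttributes: control/iso/bulk/interrupt */
#define UE_INTERRUPT 0x03

struct usb_endpoint_descriptor { uint8_t bmAttributes; };
struct usbd_endpoint { struct usb_endpoint_descriptor *edesc; };
struct usbd_bus { struct { unsigned long uds_requests[4]; } stats; };
struct usbd_device { struct usbd_bus *bus; };
struct usbd_pipe { struct usbd_device *device; struct usbd_endpoint *endpoint; };

/* The statement from the report, unchanged: a NULL edesc faults here. */
static void count_request_unchecked(struct usbd_pipe *pipe)
{
    ++pipe->device->bus->stats.uds_requests
        [pipe->endpoint->edesc->bmAttributes & UE_XFERTYPE];
}

/* Hypothetical hardened form: skip the accounting when the descriptor
 * is gone (what detach leaves behind) and report whether it counted. */
static int count_request_checked(struct usbd_pipe *pipe)
{
    if (pipe == NULL || pipe->endpoint == NULL || pipe->endpoint->edesc == NULL ||
        pipe->device == NULL || pipe->device->bus == NULL)
        return 0;
    ++pipe->device->bus->stats.uds_requests
        [pipe->endpoint->edesc->bmAttributes & UE_XFERTYPE];
    return 1;
}

/* Replay the report: one completion while the mouse is attached, then the
 * interrupt that still arrives after ums0 detached and edesc was cleared.
 * Returns the interrupt-transfer count, which must stay at 1. */
static unsigned long simulate_unplug(void)
{
    struct usb_endpoint_descriptor edesc = { .bmAttributes = UE_INTERRUPT };
    struct usbd_endpoint ep = { .edesc = &edesc };
    struct usbd_bus bus = { { { 0, 0, 0, 0 } } };
    struct usbd_device dev = { .bus = &bus };
    struct usbd_pipe pipe = { .device = &dev, .endpoint = &ep };

    count_request_unchecked(&pipe);   /* attached: safe, counts once */
    ep.edesc = NULL;                  /* detach tears the descriptor down */
    if (count_request_checked(&pipe)) /* late completion: must not count */
        return (unsigned long)-1;
    return bus.stats.uds_requests[UE_INTERRUPT];
}
```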