kernel panic trying to utilize a da(4)/umass(4) device with ohci(4)

Brian F. Feldman green at
Thu Nov 20 19:09:42 PST 2003

Thanks for the patches to try!  They unfortunately didn't fix the crash I 
have, but I found out why it's occurring.

See ohci.c:1389:
                if (std->td.td_cbp != 0)
                        len -= le32toh(std->td.td_be) -
                               le32toh(std->td.td_cbp) + 1;

In one of my transfers (look in my log for the 2560 byte one) that statement 
actually adds 8192 to len, which is utterly bogus because you can see it 
only allocates 2560 -- hence when it tries to finish the transfer it 
memcpy()'s way too much memory and my kernel segfaults.  If I #if 0 this out,
I'm left only with "umass0: BBB reset failed, STALLED" messages... which is 
a lot better than before!  I don't know under what situations that bit of 
code makes sense, but it definitely needs more reviewing!

Please check out my debugging messages and tell me if you see any hints as 
to why the transfers are getting stalled.  I should have looked at the 
debugging messages long ago, I guess.   Thanks!

Brian Fundakowski Feldman                           \'[ FreeBSD ]''''''''''\
  <> green at                               \  The Power to Serve! \
 Opinions expressed are my own.                       \,,,,,,,,,,,,,,,,,,,,,,\

More information about the freebsd-current mailing list