Message-Id: <200501252342.j0PNgra5069492@www.freebsd.org>
Date: Tue, 25 Jan 2005 23:42:53 GMT
From: Adam Kropelin
To: freebsd-gnats-submit@FreeBSD.org
Subject: usb/76687: ugen USB_SET_TIMEOUT panics kernel when timeout occurs

>Number:         76687
>Category:       usb
>Synopsis:       ugen USB_SET_TIMEOUT panics kernel when timeout occurs
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-usb
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 25 23:50:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Adam Kropelin
>Release:        6.0-CURRENT
>Organization:
>Environment:
FreeBSD freebsd53.kroptech.com 6.0-CURRENT FreeBSD 6.0-CURRENT #0: Mon Jan 24 22:19:49 EST 2005 root@freebsd53.kroptech.com:/usr/src/sys/i386/compile/GENERIC.adk i386

>Description:
My userspace device driver (apcupsd bsd-usb) makes extensive use of ugen
ioctls. Occasionally the USB_DO_REQUEST ioctl hangs (seemingly forever) and
as a workaround I am attempting to implement timeouts via USB_SET_TIMEOUT.
In doing so I am finding that if a request times out and the device still
responds afterward, the kernel panics. The backtrace is...

    usb_transfer_complete+0xcd
    uhci_abort_xfer+0xcf
    uhci_timeout_task+0xd
    usb_task_thread+0x7d
    fork_exit+0xa4
    fork_trampoline+0x8
    --- trap 0x1, eip = 0, esp = 0xcc744d7c, ebp = 0 ---

...which corresponds to this code...

        /* if we allocated the buffer in usbd_transfer() we free it here. */
        if (xfer->rqflags & URQ_AUTO_DMABUF) {
    c059e6d4  testb $0x10,0x48(%ebx)
    c059e6d8  je c059e6f8
                if (!repeat) {
    c059e6da  cmpl $0x0,0xffffffe8(%ebp)
    c059e6de  jne c059e714
                        struct usbd_bus *bus = pipe->device->bus;
    c059e6e0  mov 0x4(%esi),%eax
    c059e6e3  mov (%eax),%eax
                        bus->methods->freem(bus, dmap);
    c059e6e5  mov 0x4(%eax),%edx
    c059e6e8  pushl 0xfffffff0(%ebp)
    c059e6eb  push %eax
    c059e6ec  call *0x10(%edx)
                        xfer->rqflags &= ~URQ_AUTO_DMABUF;
    c059e6ef  andl $0xffffffef,0x48(%ebx)
    c059e6f3  add $0x8,%esp
    c059e6f6  mov %esi,%esi
                }
        }

        if (!repeat) {
    c059e6f8  cmpl $0x0,0xffffffe8(%ebp)
    c059e6fc  jne c059e714
                /* Remove request from queue. */
    #ifdef DIAGNOSTIC
                if (xfer != SIMPLEQ_FIRST(&pipe->queue))
                        printf("usb_transfer_complete: bad dequeue %p != %p\n",
                               xfer, SIMPLEQ_FIRST(&pipe->queue));
                xfer->busy_free = XFER_BUSY;
    #endif
                SIMPLEQ_REMOVE_HEAD(&pipe->queue, next);
    c059e6fe  mov 0x14(%esi),%eax
    c059e701  mov 0x4c(%eax),%eax
    c059e704  mov %eax,0x14(%esi)
    c059e707  test %eax,%eax
    c059e709  jne c059e714
    c059e70b  lea 0x14(%esi),%eax
    c059e70e  mov %eax,0x18(%esi)
    c059e711  lea 0x0(%esi),%esi
        }

>How-To-Repeat:
Open a ugen control endpoint, set a very short timeout (say, 1 msec) using
USB_SET_TIMEOUT ioctl, and issue a valid USB_DO_REQUEST ioctl.

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
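
The PR does not identify the root cause. As an added illustration (not code from the PR or from the FreeBSD tree), this user-space model of the dequeue step in the listing assumes one hypothetical failure: the same transfer being completed twice, once by a timeout and once by a late device response. The struct layouts, function names and the guarded variant are all assumptions made for the example.

```c
#include <stddef.h>
/* User-space stand-ins for the kernel's xfer and pipe; layout is an assumption. */
struct xfer { struct xfer *next; };
struct pipe { struct xfer *first; struct xfer **last; };
static void pipe_init(struct pipe *p) { p->first = NULL; p->last = &p->first; }

static void pipe_enqueue(struct pipe *p, struct xfer *x)
{
    x->next = NULL;
    *p->last = x;
    p->last = &x->next;
}

/* What SIMPLEQ_REMOVE_HEAD does: head = head->next; if now empty, reset last.
 * It reads p->first->next unconditionally, so an empty queue means a NULL read. */
static void remove_head_unguarded(struct pipe *p)
{
    if ((p->first = p->first->next) == NULL)
        p->last = &p->first;
}

/* Hypothetical guarded completion: refuse (-1) unless x is the queue head.
 * The DIAGNOSTIC check in the listing only prints and then dequeues anyway. */
static int transfer_complete_guarded(struct pipe *p, struct xfer *x)
{
    if (p->first != x)
        return -1;
    remove_head_unguarded(p);
    return 0;
}

/* Constructed scenario: a is completed by a timeout, then again by a late reply. */
static int unguarded_drops_b(void)
{
    struct pipe p; struct xfer a, b;
    pipe_init(&p); pipe_enqueue(&p, &a); pipe_enqueue(&p, &b);
    remove_head_unguarded(&p);   /* first completion removes a */
    remove_head_unguarded(&p);   /* second "completion of a" removes b instead */
    return p.first == NULL;      /* b is gone; one more call would read NULL->next */
}

static int guarded_keeps_b(void)
{
    struct pipe p; struct xfer a, b;
    pipe_init(&p); pipe_enqueue(&p, &a); pipe_enqueue(&p, &b);
    int r1 = transfer_complete_guarded(&p, &a);  /* 0: a was the head */
    int r2 = transfer_complete_guarded(&p, &a);  /* -1: a already dequeued */
    return r1 == 0 && r2 == -1 && p.first == &b;
}

int main(void) { return !(unguarded_drops_b() && guarded_keeps_b()); }
```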