From: ANISH MISTRY
To: des@des.no (Dag-Erling Smørgrav)
Cc: freebsd-current@freebsd.org
Date: Mon, 26 Jan 2004 14:18:42 -0500
Subject: Re: usb panic

I can confirm this, I posted about the same thing a few months ago, and was just told "not to do that", but if you have a fix I'd be willing to test it out.

--
Anish Mistry

----- Original Message -----
From: des@des.no (Dag-Erling Smørgrav)
Date: Monday, January 26, 2004 2:11 pm
Subject: usb panic

> Doing "kldunload ums; kldload ums" while a mouse was connected (to
> trigger a devd event without having to physically disconnect and
> reconnect the mouse) triggered the following panic:
>
> kernel: type 12 trap, code=0
> Stopped at      strncpy+0x14:   movb    0(%edx),%al
> db> where
> strncpy(c66a6524,0,10,c1745504,c66a6400) at strncpy+0x14
> usbd_fill_deviceinfo(c5f92900,c66a6400,1,0,c05b707e) at usbd_fill_deviceinfo+0x121
> usbioctl(c05ffe20,c1745504,c66a6400,1,c64aa690) at usbioctl+0x223
> spec_ioctl(ec00ab88,ec00ac34,c04f4c0f,ec00ab88,c05f7bc0) at spec_ioctl+0xf2
> spec_vnoperate(ec00ab88) at spec_vnoperate+0x13
> vn_ioctl(c63f3aa0,c1745504,c66a6400,c66fb080,c64aa690) at vn_ioctl+0x17f
> ioctl(c64aa690,ec00ad14,3,1,282) at ioctl+0x37c
> syscall(2f,2f,2f,6,0) at syscall+0x22b
> Xint0x80_syscall() at Xint0x80_syscall+0x1d
> --- syscall (54, FreeBSD ELF32, ioctl), eip = 0x880b7a17, esp = 0xbfbfe2ac, ebp = 0xbfbfe458 ---
>
> as usual, dumps are broken, but the code at least looks like this:
>
> (gdb) l *(usbd_fill_deviceinfo+0x121)
> 0x33d5 is in usbd_fill_deviceinfo (/usr/src/sys/dev/usb/usb_subr.c:1282).
> 1277            if (dev->subdevs != NULL) {
> 1278                    for (i = 0; dev->subdevs[i] &&
> 1279                         i < USB_MAX_DEVNAMES; i++) {
> 1280                            strncpy(di->udi_devnames[i], USBDEVPTRNAME(dev->subdevs[i]),
> 1281                                USB_MAX_DEVNAMELEN);
> 1282                            di->udi_devnames[i][USB_MAX_DEVNAMELEN-1] = '\0';
> 1283                    }
> 1284            } else {
> 1285                    i = 0;
> 1286            }
>
> so dev->subdevs[i] is not NULL, but it does not have a name since
> USBDEVPTRNAME(dev->subdevs[i]) is NULL.  Looks like better locking and
> invariants are required; it shouldn't be possible (IMHO) for that code
> to stumble across an incomplete bdev.
>
> (BTW, we should use strlcpy() here rather than strncpy())
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
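
Added example, not part of the thread or the FreeBSD source: a user-space C sketch of the copy loop discussed above, in which a sub-device that is present but has no name is skipped instead of being passed to the string copy, and the copy always NUL-terminates the way strlcpy() does. The struct layouts, the constant values and the names copy_name and fill_devnames are assumptions made for illustration; the check only narrows the symptom and does not replace the locking and invariants the quoted message asks for.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEVNAMES   4   /* stand-in for USB_MAX_DEVNAMES (value assumed) */
#define MAX_DEVNAMELEN 16  /* stand-in for USB_MAX_DEVNAMELEN (value assumed) */

/* Hypothetical simplified types, not the FreeBSD structures. */
struct subdev  { const char *name; };  /* name may still be NULL mid-attach */
struct devinfo { char devnames[MAX_DEVNAMES][MAX_DEVNAMELEN]; };

/* Bounded copy with strlcpy() semantics; requires dstsize >= 1. */
static size_t copy_name(char *dst, const char *src, size_t dstsize)
{
    size_t len = strlen(src);
    size_t n = len < dstsize - 1 ? len : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';               /* always terminated, truncating if needed */
    return len;                  /* caller can detect truncation */
}

/* Fill di from a NULL-terminated subdevs array. Returns the number of slots
 * visited; *unnamed receives how many entries had no name and were left "". */
static int fill_devnames(struct devinfo *di, struct subdev **subdevs, int *unnamed)
{
    int i;
    *unnamed = 0;
    memset(di, 0, sizeof(*di));
    /* Index bound is tested before the array element is read. */
    for (i = 0; subdevs != NULL && i < MAX_DEVNAMES && subdevs[i] != NULL; i++) {
        if (subdevs[i]->name == NULL) {   /* the case that faulted in strncpy */
            (*unnamed)++;
            continue;
        }
        copy_name(di->devnames[i], subdevs[i]->name, MAX_DEVNAMELEN);
    }
    return i;
}

int main(void)
{
    /* Constructed sample: second entry exists but has no name yet. */
    struct subdev a = { "ums0" }, b = { NULL };
    struct subdev *list[] = { &a, &b, NULL };
    struct devinfo di;
    int unnamed;
    int n = fill_devnames(&di, list, &unnamed);
    printf("slots=%d unnamed=%d first=%s\n", n, unnamed, di.devnames[0]);
    return 0;
}
```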