From owner-freebsd-current@FreeBSD.ORG  Thu Nov 20 19:09:42 2003
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from green.bikeshed.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 81A1116A4CE; Thu, 20 Nov 2003 19:09:42 -0800 (PST)
Received: from green.bikeshed.org
	(green@pcp04368313pcs.nrockv01.md.comcast.net [69.140.209.127])
	by green.bikeshed.org (8.12.10/8.12.9) with ESMTP id hAL39e6p001208;
	Thu, 20 Nov 2003 22:09:40 -0500 (EST)
	(envelope-from green@green.bikeshed.org)
Received: from localhost (green@localhost)hAL39X6Y001205;
	Thu, 20 Nov 2003 22:09:38 -0500 (EST)
Message-Id: <200311210309.hAL39X6Y001205@green.bikeshed.org>
X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4
To: Ian Dowse <iedowse@maths.tcd.ie>
In-Reply-To: Message from Ian Dowse <iedowse@maths.tcd.ie> 
	<200311200912.aa00855@salmon.maths.tcd.ie> 
From: "Brian F. Feldman" <green@FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 20 Nov 2003 22:09:33 -0500
Sender: green@green.bikeshed.org
cc: Josef Karthauser <joe@FreeBSD.org>
cc: current@FreeBSD.org
Subject: Re: kernel panic trying to utilize a da(4)/umass(4) device with
	ohci(4) 
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Nov 2003 03:09:42 -0000

Thanks for the patches to try!  They unfortunately didn't fix the crash I 
have, but I found out why it's occurring.

See ohci.c:1389:
                if (std->td.td_cbp != 0)
                        len -= le32toh(std->td.td_be) -
                               le32toh(std->td.td_cbp) + 1;

In one of my transfers (look in my log for the 2560 byte one) that statement 
actually adds 8192 to len, which is utterly bogus because you can see it 
only allocates 2560 -- hence when it tries to finish the transfer it 
memcpy()'s way too much memory and my kernel segfaults.  If I #if 0 this out,
I'm left only with "umass0: BBB reset failed, STALLED" messages... which is 
a lot better than before!  I don't know under what situations that bit of 
code makes sense, but it definitely needs more reviewing!

Please check out my debugging messages and tell me if you see any hints as 
to why the transfers are getting stalled.  I should have looked at the 
debugging messages long ago, I guess.   Thanks!

http://green.homeunix.org/~green/ohci-debugging.txt.gz

-- 
Brian Fundakowski Feldman                           \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org                               \  The Power to Serve! \
 Opinions expressed are my own.                       \,,,,,,,,,,,,,,,,,,,,,,\