From sit@finite-subcover.lcs.mit.edu  Thu Aug 14 13:35:22 2003
Return-Path: <sit@finite-subcover.lcs.mit.edu>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A52F037B401
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 14 Aug 2003 13:35:22 -0700 (PDT)
Received: from finite-subcover.lcs.mit.edu (finite-subcover.lcs.mit.edu [18.26.4.108])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BF18543FCB
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 14 Aug 2003 13:35:21 -0700 (PDT)
	(envelope-from sit@finite-subcover.lcs.mit.edu)
Received: from finite-subcover.lcs.mit.edu (localhost [127.0.0.1])
	by finite-subcover.lcs.mit.edu (8.12.8p1/8.12.8) with ESMTP id h7EKZJhv000535
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 14 Aug 2003 16:35:19 -0400 (EDT)
	(envelope-from sit@finite-subcover.lcs.mit.edu)
Received: (from sit@localhost)
	by finite-subcover.lcs.mit.edu (8.12.8p1/8.12.8/Submit) id h7EKZJEd000534;
	Thu, 14 Aug 2003 16:35:19 -0400 (EDT)
Message-Id: <200308142035.h7EKZJEd000534@finite-subcover.lcs.mit.edu>
Date: Thu, 14 Aug 2003 16:35:19 -0400 (EDT)
From: Emil Sit <sit@amsterdam.lcs.mit.edu>
Reply-To: Emil Sit <sit@amsterdam.lcs.mit.edu>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: null dereference in usbdi.c: usb_transfer_complete
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         55587
>Category:       kern
>Synopsis:       null dereference in usbdi.c: usb_transfer_complete
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-usb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 14 13:40:17 PDT 2003
>Closed-Date:    Wed Mar 23 09:42:15 GMT 2005
>Last-Modified:  Wed Mar 23 09:42:15 GMT 2005
>Originator:     Emil Sit
>Release:        FreeBSD 4.8-RELEASE-p3 i386
>Organization:
Massachusetts Institute of Technology
>Environment:
System: FreeBSD finite-subcover.lcs.mit.edu 4.8-RELEASE-p3 FreeBSD 4.8-RELEASE-p3 #2: Thu Aug 14 13:55:06 EDT 2003 sit@finite-subcover.lcs.mit.edu:/usr/obj/usr/src/sys/PDOS-UNI i386

The machine is an IBM ThinkPad X21; this bug was tested with a
Microsoft and a Logitech (Dell) USB mouse.

>Description:
	
	When USB mouse is unplugged, kernel attempts to dereference
	a null pointer at sys/dev/usb/usbdi.c:756. 

	The stack trace is:
		usb_transfer_complete
		uhci_idone
		uhci_check_intr
		uhci_intr
		intr_mux

	The particular instruction is usb_transfer_complete+0xd4,
	which turns out to be address 9f0 in usbdi.o:

 9e8:	8b 4b 04             	mov    0x4(%ebx),%ecx
 9eb:	8b 43 08             	mov    0x8(%ebx),%eax
 9ee:	8b 00                	mov    (%eax),%eax
 9f0:	8a 40 03             	mov    0x3(%eax),%al
 9f3:	24 03                	and    $0x3,%al
 9f5:	0f b6 d0             	movzbl %al,%edx

	corresponding to:

	/* Count completed transfers. */
	++pipe->device->bus->stats.uds_requests
		[pipe->endpoint->edesc->bmAttributes & UE_XFERTYPE];

	%ebx contains pipe, so %eax contains endpoint.
	Apparently, edesc is NULL (verified as %eax containing 0 in ddb).

	This happens after the mouse is unplugged, since the kernel
	does log:

Aug 14 14:15:52 finite-subcover /kernel: ums0: Microsoft Microsoft Wheel Mouse Optical<AE>, rev 1.10/1.21, addr 3, iclass 3/1
Aug 14 14:15:52 finite-subcover /kernel: ums0: 3 buttons and Z dir.
Aug 14 14:16:11 finite-subcover /kernel: ums0: at uhub1 port 1 (addr 3) disconnected
Aug 14 14:16:11 finite-subcover /kernel: ums0: detached
Aug 14 14:23:15 finite-subcover /kernel: Copyright (c) 1992-2003 The FreeBSD Project.

	Once in a while, it works okay, and the log messages look like:

Aug 14 15:56:04 finite-subcover /kernel: ums0: at uhub1 port 1 (addr 3) disconnected
Aug 14 15:56:04 finite-subcover /kernel: ums0: detached
Aug 14 15:56:04 finite-subcover moused: unable to open /dev/ums0: Device not configured
Aug 14 15:56:13 finite-subcover /kernel: uhub1: at uhub0 port 1 (addr 2) disconnected
Aug 14 15:56:13 finite-subcover /kernel: uhub1: detached

	I'm guessing this is not specific to USB mice but I don't
	have other USB devices handy, nor do I currently have time
	to try and track down the root cause.

>How-To-Repeat:
	Boot machine.
	Plug in USB mouse.
	Unplug USB mouse.
	Wait.

>Fix:
	Unknown.

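As an added illustration (not code from this PR or from FreeBSD), here is a constructed model of the structures the disassembly walks through, with the accounting line as written beside a defensive variant that skips the count when the endpoint descriptor has already been torn down by detach. The struct layouts, the guard and the detach_scenario() driver are assumptions made for the example; the PR itself reports no fix.

```c
#include <stdint.h>
/* Constructed, cut-down models of the 4.x USB structures (hypothetical
 * layout) in the field order the disassembly implies: pipe+4 = device,
 * pipe+8 = endpoint, endpoint+0 = edesc, edesc+3 = bmAttributes. */
#define UE_XFERTYPE 0x03
struct usb_endpoint_descriptor {
    uint8_t bLength, bDescriptorType, bEndpointAddress, bmAttributes;
};
struct usbd_endpoint { struct usb_endpoint_descriptor *edesc; int refcnt; };
struct usbd_bus { struct { unsigned long uds_requests[4]; } stats; };
struct usbd_device { struct usbd_bus *bus; };
struct usbd_pipe {
    void *iface;
    struct usbd_device *device;     /* +4: mov 0x4(%ebx),%ecx */
    struct usbd_endpoint *endpoint; /* +8: mov 0x8(%ebx),%eax */
};

/* The accounting line from the PR as written: a NULL edesc faults at +3. */
static void count_completed_unguarded(struct usbd_pipe *pipe) {
    ++pipe->device->bus->stats.uds_requests
        [pipe->endpoint->edesc->bmAttributes & UE_XFERTYPE];
}

/* Defensive variant (illustrative, not the project's fix): a completion that
 * lands after detach finds edesc torn down, so skip the count and return 0. */
static int count_completed_guarded(struct usbd_pipe *pipe) {
    struct usb_endpoint_descriptor *ed = pipe->endpoint->edesc;
    if (ed == 0)
        return 0;                   /* late completion after detach */
    ++pipe->device->bus->stats.uds_requests[ed->bmAttributes & UE_XFERTYPE];
    return 1;                       /* counted normally */
}

/* Two completions on an interrupt endpoint while the mouse is present, then
 * one after detach. Returns the interrupt count (2) or -1 if the guard failed. */
int detach_scenario(void) {
    struct usb_endpoint_descriptor ed = { 7, 5, 0x81, 0x03 }; /* interrupt IN */
    struct usbd_endpoint ep = { &ed, 1 };
    struct usbd_bus bus = { { { 0 } } };
    struct usbd_device dev = { &bus };
    struct usbd_pipe pipe = { 0, &dev, &ep };
    count_completed_unguarded(&pipe);
    if (!count_completed_guarded(&pipe))
        return -1;
    ep.edesc = 0;                   /* detach: descriptor gone, pipe still live */
    if (count_completed_guarded(&pipe))
        return -1;
    return (int)bus.stats.uds_requests[0x03];
}
```
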
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->joe 
Responsible-Changed-By: joe 
Responsible-Changed-When: Fri Aug 15 05:18:08 PDT 2003 
Responsible-Changed-Why:  
I'll take this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=55587 

From: Josef Karthauser <joe@FreeBSD.org>
To: Emil Sit <sit@amsterdam.lcs.mit.edu>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/55587: null dereference in usbdi.c: usb_transfer_complete
Date: Fri, 15 Aug 2003 13:21:24 +0100

 On Thu, Aug 14, 2003 at 04:35:19PM -0400, Emil Sit wrote:
 > When USB mouse is unplugged, kernel attempts to dereference a null
 > pointer at sys/dev/usb/usbdi.c:756.
 
 There are lots of detach bugs in the USB stack in RELENG_4.  There are
 plans afoot to merge the recent changes from -current into -stable,
 hopefully before the next release.  This should improve things no end.
 
 Joe
 -- 
 Josef Karthauser (joe@tao.org.uk)	       http://www.josef-k.net/
 FreeBSD (cvs meister, admin and hacker)     http://www.uk.FreeBSD.org/
 Physics Particle Theory (student)   http://www.pact.cpes.sussex.ac.uk/
 ================ An eclectic mix of fact and theory. =================
 
State-Changed-From-To: open->analyzed 
State-Changed-By: joe 
State-Changed-When: Sat Nov 8 03:51:25 PST 2003 
State-Changed-Why:  
I'm still addressing a problem before I MFC the stack to -stable, but 
if in the mean time you want to try the code you can download it from 
http://www.josef-k.net/freebsd/. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=55587 
Responsible-Changed-From-To: joe->freebsd-usb 
Responsible-Changed-By: joe 
Responsible-Changed-When: Wed Nov 10 11:01:30 GMT 2004 
Responsible-Changed-Why:  
Hand this over to the usb mailing list. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=55587 
State-Changed-From-To: analyzed->feedback 
State-Changed-By: iedowse 
State-Changed-When: Wed Mar 23 02:16:55 GMT 2005 
State-Changed-Why:  

Does this problem still occur with more recent releases? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=55587 
State-Changed-From-To: feedback->closed 
State-Changed-By: iedowse 
State-Changed-When: Wed Mar 23 09:38:52 GMT 2005 
State-Changed-Why:  

Submitter says this can be closed - thanks! If you do see this 
problem again feel free to request that the PR be reopened. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=55587 
>Unformatted:
