Subject: kern/7473: Crash in usbd_abort_pipe when closing detached mouse
To: None <gnats-bugs@gnats.netbsd.org>
From: Dave Huang <khym@bga.com>
List: netbsd-bugs
Date: 04/25/1999 21:05:47
>Number: 7473
>Category: kern
>Synopsis: Crash in usbd_abort_pipe when closing detached mouse
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Apr 25 21:05:00 1999
>Last-Modified:
>Originator: Dave Huang
>Organization:
Name: Dave Huang | Mammal, mammal / their names are called /
INet: khym@bga.com | they raise a paw / the bat, the cat /
FurryMUCK: Dahan | dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 23 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
>Release: NetBSD-1.4_BETA as of April 25, 1999
>Environment:
System: NetBSD fluff.metonymy.com 1.4_BETA NetBSD 1.4_BETA (FLUFF) #17: Sun Apr 25 14:31:46 CDT 1999 khym@dahan.metonymy.com:/usr/src.local/sys/arch/i386/compile/FLUFF i386
>Description:
If a process opens a USB mouse device and the mouse is then
unplugged, the kernel crashes when the process closes the device, with
a uvm_fault at the first line of usbd_abort_pipe() (the if statement).
>How-To-Repeat:
Plug in mouse:
ums0 at uhub0 port 1 configuration 1 interface 0
ums0: Kensington Mouse-in-a-Box, rev 1.00/1.41, addr 2, iclass 3/1
ums0: 3 buttons and Z dir.
wsmouse1 at ums0
% hexdump -C /dev/wsmouse1
Unplug mouse:
uhub0: port error, restarting port 1
ums0: at uhub0 port 1 (addr 2) disconnected
^C the hexdump:
uvm_fault(0xf55f2e70, 0xdeadb000, 0, 1) -> 1
kernel: page fault trap, code=0
Stopped in hexdump at _usbd_abort_pipe+0xe: cmpl $0,0x4(%eax)
db> t
_usbd_abort_pipe(...) at _usbd_abort_pipe+0xe
_ums_disable(...) at _ums_disable+0xf
_wsmouseclose(...) at _wsmouseclose+0x35
_spec_close(...) at _spec_close+0x102
_nfsspec_close(...) at _nfsspec_close+0xb4
_vn_close(...) at _vn_close+0x50
_vn_closefile(...) at _vn_closefile+0x19
_closef(...) at _closef+0x132
_fdfree(...) at _fdfree+0x3e
_exit1(...) at _exit1+0xe5
_sigexit(...) at _sigexit+0x3c
_postsig(2) at _postsig+0xb0
_syscall() at _syscall+0x252
--- syscall (number 3) ---
0x4007a769:
db>
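The open/unplug/close sequence the description and trace point to, as an added illustration that is not part of this PR or of NetBSD's ums(4)/usbdi code: a hypothetical model in which detach releases the interrupt pipe while the open file's softc still holds the pointer, beside a hardened variant that aborts the pipe during detach and marks the softc dying so that close never touches it (the fault address 0xdeadb000 is consistent with a pointer read from memory filled with NetBSD's 0xdeadbeef free-poison pattern). The struct and function names below are assumptions chosen to mirror the trace, not the real driver.

```c
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical model, not NetBSD's ums(4) or usbdi code.  The pipe is a
 * static object whose 'valid' flag stands in for "not yet freed", so a
 * stale use returns -1 instead of faulting as the PR's trace does. */
struct usb_pipe { bool valid; };
struct ums_softc {
    struct usb_pipe *sc_intrpipe;   /* interrupt pipe set up at open */
    bool sc_dying;                  /* set by detach, checked by close */
};
static struct usb_pipe the_pipe;

/* Models usbd_abort_pipe(): its first statement reads through the pipe
 * pointer, which is where the trace in the PR faults. */
static int usbd_abort_pipe(struct usb_pipe *p)
{
    return (p == NULL || !p->valid) ? -1 : 0;   /* -1 = the uvm_fault */
}

/* Unplug.  Unhardened: the pipe is released but the still-open softc keeps
 * the stale pointer.  Hardened: abort the pipe while it is still valid,
 * clear the pointer and mark the device gone before releasing it. */
static void ums_detach(struct ums_softc *sc, bool hardened)
{
    if (hardened) {
        sc->sc_dying = true;
        if (sc->sc_intrpipe != NULL)
            usbd_abort_pipe(sc->sc_intrpipe);
        sc->sc_intrpipe = NULL;
    }
    the_pipe.valid = false;         /* release the pipe object */
}

/* Close path (the PR's ums_disable).  The hardened form refuses to touch
 * the pipe once detach has run. */
static int ums_disable(struct ums_softc *sc, bool hardened)
{
    if (hardened && (sc->sc_dying || sc->sc_intrpipe == NULL))
        return 0;
    return usbd_abort_pipe(sc->sc_intrpipe);
}

/* Open, unplug, close; returns 0 on a safe close, -1 on a stale-pipe use. */
int open_unplug_close(bool hardened)
{
    struct ums_softc sc = { NULL, false };
    the_pipe.valid = true;          /* open: set up the interrupt pipe */
    sc.sc_intrpipe = &the_pipe;
    ums_detach(&sc, hardened);
    return ums_disable(&sc, hardened);
}
```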
>Fix:
Unknown
>Audit-Trail:
>Unformatted: