Subject: kern/28086: ubsa0 uninitialised pointers causes panic
To: None <gnats-bugs@gnats.netbsd.org>
From: None <netbsd@precedence.co.uk>
List: netbsd-bugs
Date: 11/08/2004 08:59:51
>Number:         28086
>Category:       kern
>Synopsis:       ubsa0 uninitialised pointers causes panic
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Nov 08 09:00:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Stephen Borrill
>Release:        NetBSD 2.0_RC4
>Organization:
Precedence Technologies Ltd
>Environment:
System: NetBSD laptop 2.0_RC4 NetBSD 2.0_RC4 (LAPTOP) #0: Tue Oct 26 17:17:21 BST 2004 root@laptop:/usr/2.0/sys/arch/i386/compile/LAPTOP i386
Architecture: i386
Machine: i386
>Description:
While trying to get a Vodafone 3G mobile connect card working (which is a
ubsa attached at ohci), the kernel kept panicking whenever I tried to
output data to the ucom port. I tracked this down to an uninitialised
pointer being called in usbd_open_pipe_ival() which should have been set up
in the ubsa_attach() function. This problem appears to have always been
present. Has ubsa ever worked?

kernel: page fault trap, code=0
usbd_open_pipe_ival(0,81,1,cb168c88,64) at netbsd:usbd_open_pipe_ival+0x1a
(First parameter should not be zero!)
usbd_open_pipe_intr()
ubsa_open()
ucomopen()
spec_open()
spec_vnoperate()
VOP_OPEN()
vn_open()
sys_open()
syscall_plain()

>How-To-Repeat:
Plug in Vodafone 3G Mobile Connect card (with a supporting kernel: see pr
filed elsewhere for this) or probably any other ubsa device. Assume it
attaches as ucom0 at ubsa0 and ubsa0 at ohci0. Then output data to the 
com port (echo A > /etc/ttyU0). 
	
>Fix:
--- ubsa.c.orig	Mon Jan  5 13:28:18 2004
+++ ubsa.c	Fri Nov  5 16:57:12 2004
@@ -346,6 +348,9 @@
 		goto error;
 	}
 
+	/* Keep interface for interrupt */
+	sc->sc_intr_iface = sc->sc_iface;
+
 	if (uca.bulkin == -1) {
 		printf("%s: Could not find data bulk in\n", devname);
 		sc->sc_dying = 1;
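
Review bot: the hunk header `@@ -346,6 +348,9 @@` places this hunk two lines further down in the new file than in the old one, so two lines were added earlier in ubsa.c that are not in the posted diff; please send the complete patch so it applies cleanly and the other change can be reviewed. On the added assignment itself, `sc->sc_intr_iface = sc->sc_iface;` is made unconditionally once the error check has passed, so the comment should say why the interrupt endpoint is expected on the same interface as the data endpoints. The open path would also be safer with a check that refuses to open the interrupt pipe when `sc_intr_iface` is NULL, instead of handing a null interface to usbd_open_pipe_intr() as in the trace above.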

>Release-Note:
>Audit-Trail:
>Unformatted: