Subject: Re: kern/29326
To: None <joff@netbsd.org>
From: Andreas Gustafsson <gson@gson.org>
List: netbsd-bugs
Date: 02/24/2005 11:53:21
joff@netbsd.org writes:
> Please try rev 1.3 of src/sys/dev/usb/if_atu.c

It's still crashing:

Program received signal SIGSEGV, Segmentation fault.
0xc043f33d in m_copydata (m=0xc12a9500, off=0, len=30, vp=0x8) at ../../../../kern/uipc_mbuf.c:690
690                     memcpy(cp, mtod(m, caddr_t) + off, count);
(gdb) where
#0  0xc043f33d in m_copydata (m=0xc12a9500, off=0, len=30, vp=0x8) at ../../../../kern/uipc_mbuf.c:690
#1  0xc06e0195 in atu_tx_start (sc=0xc1292000, ni=0xc1472800, c=0xc1292f4c, m=0xc12a9500)
    at ../../../../dev/usb/if_atu.c:1724
#2  0xc06e0613 in atu_start (ifp=0xc1292038) at ../../../../dev/usb/if_atu.c:1856
#3  0xc04b8e1d in ieee80211_mgmt_output (ifp=0xc1292038, ni=0xc1472800, m=0xc12a9500, type=176)
    at ../../../../net80211/ieee80211_output.c:180
#4  0xc04ba498 in ieee80211_send_mgmt (ic=0xc1292038, ni=0xc1472800, type=176, arg=1)
    at ../../../../net80211/ieee80211_output.c:807
#5  0xc04bb3d2 in ieee80211_newstate (ic=0xc1292038, nstate=IEEE80211_S_AUTH, mgt=-1)
    at ../../../../net80211/ieee80211_proto.c:471
#6  0xc06deda0 in atu_newstate (ic=0xc1292038, nstate=IEEE80211_S_AUTH, arg=-1) at ../../../../dev/usb/if_atu.c:1131
#7  0xc04b75f8 in ieee80211_end_scan (ic=0xc1292038) at ../../../../net80211/ieee80211_node.c:444
#8  0xc06dec23 in atu_task (arg=0xc1292000) at ../../../../dev/usb/if_atu.c:1083
#9  0xc069f976 in usb_task_thread (arg=0xcad2b108) at ../../../../dev/usb/usb.c:366
#10 0xc0100331 in proc_trampoline ()
(gdb) up
#1  0xc06e0195 in atu_tx_start (sc=0xc1292000, ni=0xc1472800, c=0xc1292f4c, m=0xc12a9500)
    at ../../../../dev/usb/if_atu.c:1724
1724            m_copydata(m, 0, m->m_pkthdr.len, c->atu_buf + ATU_TX_HDRLEN);
(gdb) print *c
$1 = {atu_sc = 0xc1292000, atu_xfer = 0x0, atu_buf = 0x0, atu_mbuf = 0x0, atu_idx = 7 '\a', atu_length = 0, 
  atu_in_xfer = 0, atu_list = {sle_next = 0xc1292f30}}
(gdb) print /x ifp->if_flags
$2 = 0x8842

I'm also seeing crashes in a different place:

Program received signal SIGSEGV, Segmentation fault.
0xc06dfe0e in atu_rxeof (xfer=0xc1473b00, priv=0xc1292f68, status=USBD_NORMAL_COMPLETION)
    at ../../../../dev/usb/if_atu.c:1608
1608            memcpy(mtod(m, char *), c->atu_buf + ATU_RX_HDRLEN, len);
(gdb) where
#0  0xc06dfe0e in atu_rxeof (xfer=0xc1473b00, priv=0xc1292f68, status=USBD_NORMAL_COMPLETION)
    at ../../../../dev/usb/if_atu.c:1608
#1  0xc06a1d18 in usb_transfer_complete (xfer=0xc1473b00) at ../../../../dev/usb/usbdi.c:838
#2  0xc02dc106 in ohci_softintr (v=0xc13f6000) at ../../../../dev/usb/ohci.c:1365
#3  0xc04e3054 in softintr_dispatch (which=1) at ../../../../arch/x86/x86/softintr.c:104
#4  0xc0102d2a in Xsoftnet ()
(gdb) print c
$1 = (struct atu_chain *) 0xc1292f68
(gdb) print *c
$2 = {atu_sc = 0xc1292000, atu_xfer = 0xc1473b00, atu_buf = 0xcba39000 "\202\213\226$0Hl\003\001\001\005\004",
  atu_mbuf = 0xc12bad00, atu_idx = 0 '\0', atu_length = 0, atu_in_xfer = 0, atu_list = {sle_next = 0x0}}
(gdb) print len
$3 = 35710

-- 
Andreas Gustafsson, gson@gson.org
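Added illustration (not code from the if_atu.c driver, from the PR, or from either poster): the two traces above fault in memcpy for two different reasons, and a small standalone C program shows the checks a driver's copy paths need before either call. In the first trace the printed chain has atu_buf = 0x0 and the fault address is 0x8, i.e. the copy destination was computed from an unallocated transfer buffer plus the header offset; in the second trace len = 35710, a device-reported frame length far larger than any single mbuf or USB receive buffer can hold. The struct names, the header lengths, the buffer sizes and the minimum frame size below are assumed stand-ins chosen for the example, not the driver's own values.

```c
/*
 * Defensive copy paths for a USB wireless driver, illustrating the two
 * failure modes visible in the gdb traces above:
 *   RX: the device-reported frame length must be bounded by the staging
 *       buffer and by the capacity of the mbuf it is copied into.
 *   TX: the chain's transfer buffer must exist before packet data is
 *       copied in after the header.
 * All names and sizes here are hypothetical, not those of if_atu.c.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RX_HDRLEN      8      /* assumed header preceding a frame in the USB RX buffer */
#define TX_HDRLEN      8      /* assumed header prepended before packet data on TX */
#define RX_BUFSZ       2048   /* assumed size of the per-chain USB RX staging buffer */
#define MBUF_CAPACITY  2048   /* assumed capacity of the destination mbuf cluster */
#define TX_BUFSZ       2048   /* assumed size of the per-chain USB TX buffer */
#define MIN_FRAME      24     /* assumed smallest acceptable frame (one 802.11 header) */

enum copy_status {
    COPY_OK = 0,
    COPY_ENOBUF = -1,      /* chain has no buffer, or buffer shorter than its header */
    COPY_ETOOSMALL = -2,   /* reported length is below the minimum frame size */
    COPY_ETOOBIG = -3      /* reported length does not fit source or destination */
};

struct rx_chain { uint8_t *buf; size_t buflen; };
struct tx_chain { uint8_t *buf; size_t buflen; };

/* Copy a received frame of `len` bytes (as reported by the device) from the
 * staging buffer, past its header, into `dst`, but only after confirming it
 * fits both the source and the destination. Arithmetic is arranged so that
 * an oversized `len` cannot wrap a sum. */
enum copy_status rx_copy_checked(const struct rx_chain *c, size_t len,
                                 uint8_t *dst, size_t dstcap)
{
    if (c->buf == NULL || c->buflen < RX_HDRLEN)
        return COPY_ENOBUF;
    if (len < MIN_FRAME)
        return COPY_ETOOSMALL;
    if (len > c->buflen - RX_HDRLEN)   /* would read past the staging buffer */
        return COPY_ETOOBIG;
    if (len > dstcap)                  /* would write past the mbuf */
        return COPY_ETOOBIG;
    memcpy(dst, c->buf + RX_HDRLEN, len);
    return COPY_OK;
}

/* Copy `pktlen` bytes of packet data into the chain's transfer buffer after
 * the header, refusing if the buffer was never allocated or is too small. */
enum copy_status tx_copy_checked(const struct tx_chain *c,
                                 const uint8_t *pkt, size_t pktlen)
{
    if (c->buf == NULL || c->buflen < TX_HDRLEN)
        return COPY_ENOBUF;
    if (pktlen > c->buflen - TX_HDRLEN)
        return COPY_ETOOBIG;
    memcpy(c->buf + TX_HDRLEN, pkt, pktlen);
    return COPY_OK;
}

/* Drive the RX path with a constructed staging buffer and mbuf. */
enum copy_status check_rx(size_t reported_len)
{
    static uint8_t staging[RX_BUFSZ];
    static uint8_t mbuf[MBUF_CAPACITY];
    struct rx_chain c = { staging, sizeof staging };
    return rx_copy_checked(&c, reported_len, mbuf, sizeof mbuf);
}

/* Drive the TX path; have_buf == 0 models the chain from the first trace,
 * whose transfer buffer was still NULL when the copy was attempted. */
enum copy_status check_tx(int have_buf, size_t pktlen)
{
    static uint8_t txbuf[TX_BUFSZ];
    static uint8_t pkt[MBUF_CAPACITY];
    struct tx_chain c = { have_buf ? txbuf : NULL, have_buf ? sizeof txbuf : 0 };
    return tx_copy_checked(&c, pkt, pktlen);
}

int main(void)
{
    printf("rx len 35710 -> %d (expect %d)\n", check_rx(35710), COPY_ETOOBIG);
    printf("rx len 100   -> %d (expect %d)\n", check_rx(100), COPY_OK);
    printf("tx no buffer -> %d (expect %d)\n", check_tx(0, 30), COPY_ENOBUF);
    printf("tx with buf  -> %d (expect %d)\n", check_tx(1, 30), COPY_OK);
    return 0;
}
```

The ordering of the RX checks matters: the minimum-size test runs before the subtraction so that a short header cannot make `c->buflen - RX_HDRLEN` misleading, and the source and destination bounds are tested separately because the staging buffer and the mbuf need not be the same size.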