kern/49660: ucom panics when closing after detach

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/49660: ucom panics when closing after detach
From: Takahiro HAYASHI <t.hash425%gmail.com@localhost>
Date: Thu, 12 Feb 2015 12:50:00 +0000 (UTC)

>Number:         49660
>Category:       kern
>Synopsis:       ucom panics when closing after detach
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 12 12:50:00 +0000 2015
>Originator:     Takahiro HAYASHI
>Release:        NetBSD 7.99.4
>Organization:
>Environment:
System: NetBSD 7.99.4 amd64
Architecture: x86_64
Machine: amd64
>Description:
	ucom panics in ucom_shutdown when closing after detach.
	For example, as mentioned in How-To-Repeat, it happens
	when the ucom is closed after it is unplugged.

(connect ucom device)
uftdi0 at uhub4 port 1
uftdi0: FTDI FT232R USB UART, rev 2.00/6.00, addr 2
ucom0 at uftdi0 portno 1
uftdi0: WARNING: power management not supported
# tail -f /dev/ttyU0
(here I unplug the device)
ucom0: detached
uftdi0: detached
uftdi0: at uhub4 port 1 (addr 2) disconnected
(and type ^C to terminate tail)
^Cuvm_fault(0xfffffe80034dcb80, 0x0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff804120f3 cs 8 rflags 10246 cr2 241 ilevel 6 rsp fffffe8003558ad8
curlwp 0xfffffe803f1ab5c0 pid 6.1 lowest kstack 0xfffffe80035562c0
kernel: page fault trap, code=0
Stopped in pid 6.1 (tail) at    netbsd:ucom_cleanup+0x13:       testb   $0x40,24
1(%rax)
db{0}> trace
ucom_cleanup() at netbsd:ucom_cleanup+0x13	<-- line 358 ucom_shutdown
ucomopen() at netbsd:ucomopen+0x470		<-- line 588
cdev_open() at netbsd:cdev_open+0xb2
spec_open() at netbsd:spec_open+0x25d
VOP_OPEN() at netbsd:VOP_OPEN+0x33
vn_open() at netbsd:vn_open+0x1e3
do_open() at netbsd:do_open+0x111
do_sys_openat() at netbsd:do_sys_openat+0x68
sys_open() at netbsd:sys_open+0x24
syscall() at netbsd:syscall+0x9a
--- syscall (number 5) ---

	Note that I have NOT run 'ttyflags ttyU0', so ttyU0 does not have
	'softcar' or 'local' flags.
	In addition, this ucom is not connected to any terminals.
	When I open ttyU0, ucom waits for hardware flow controll signal.
	That's why opening ttyU0 is blocked in ucomopen.

	ucom_detach explicitly sets sc->sc_tty = NULL when it's detached.
	When device is closed, ucom_cleanup calls ucom_shutdown that checks
	ISSET(sc_tty->t_cflag, HUPCL), and then it fires.

	netbsd-{5,6,7,HEAD} are affected.


>How-To-Repeat:
	1) connect ucom device
	2) tail -f /dev/ttyU0
	3) unplug ucom device
	4) type ctrl-C
>Fix:
	I think ucom_shutdown should also check sc_dying.

-- 
t-hash

Prev by Date: kern/49659: axen patch
Next by Date: Re: kern/49659 (axen patch)
Previous by Thread: kern/49659: axen patch
Next by Thread: Re: kern/49659 (axen patch)
Indexes:

Home | Main Index | Thread Index | Old Index