From: Ondrej Zary <linux@rainbow-software.org>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: debugging oops after disconnecting Nexio USB touchscreen
Date: Mon, 30 Nov 2009 16:30:59 +0100
Message-ID: <200911301631.00484.linux@rainbow-software.org>
In-Reply-To: <Pine.LNX.4.44L0.0911271304240.30903-100000@netrider.rowland.org>
On Friday 27 November 2009, Alan Stern wrote:
> On Fri, 27 Nov 2009, Ondrej Zary wrote:
> > Hello,
> > I have problems debugging an oops. It happens when Nexio USB touchscreen
> > (using my new code http://lkml.org/lkml/2009/11/25/568) is disconnected:
> >
> > BUG: unable to handle kernel NULL pointer dereference at 00000048
> > IP: [<f7c38afd>] start_unlink_async+0xb2/0x160 [ehci_hcd]
>
> ...
>
> > It does not happen every time - sometimes it survives the first
> > disconnect. Tried adding printk()s to start_unlink_async function - and
> > the oops does not appear. Looks like a race. It might be a bug in my code
> > but I'm not able to find it.
> >
> > It also happens only when the touchscreen is connected through a hub:
> > Bus 001 Device 002: ID 2001:f103 D-Link Corp. [hex] DUB-H7 7-port USB 2.0 hub
> > When connected directly to the machine, it does not oops.
>
> That's understandable, since the stack trace showed that the oops
> occurred while the hub driver was running.
>
> > Tried decodecode:
> > Code: 00 fb e9 bb 00 00 00 c6 46 68 02 89 f0 e8 ee e8 ff ff 85 db 89 c7
> > 89 43 18 75 06 68 c5 e4 c3 f7 e8 b4 5f 68 c9 50 8b 43 14 89 c6 <8b> 40 48
> > 39 f8 75 f7 85 f6 75 0b 68 0c e5 c3 f7 e8 99 5f 68 c9
> > All code
> > ========
> > 0: 00 fb add %bh,%bl
> > 2: e9 bb 00 00 00 jmp 0xc2
> > 7: c6 46 68 02 movb $0x2,0x68(%esi)
> > b: 89 f0 mov %esi,%eax
> > d: e8 ee e8 ff ff call 0xffffe900
> > 12: 85 db test %ebx,%ebx
> > 14: 89 c7 mov %eax,%edi
> > 16: 89 43 18 mov %eax,0x18(%ebx)
> > 19: 75 06 jne 0x21
> > 1b: 68 c5 e4 c3 f7 push $0xf7c3e4c5
> > 20: e8 b4 5f 68 c9 call 0xc9685fd9
> > 25: 50 push %eax
> > 26: 8b 43 14 mov 0x14(%ebx),%eax
> > 29: 89 c6 mov %eax,%esi
> > 2b:* 8b 40 48 mov 0x48(%eax),%eax <-- trapping instruction
> > 2e: 39 f8 cmp %edi,%eax
> > 30: 75 f7 jne 0x29
> > 32: 85 f6 test %esi,%esi
> > 34: 75 0b jne 0x41
> > 36: 68 0c e5 c3 f7 push $0xf7c3e50c
> > 3b: e8 99 5f 68 c9 call 0xc9685fd9
> >
> > Code starting with the faulting instruction
> > ===========================================
> > 0: 8b 40 48 mov 0x48(%eax),%eax
> > 3: 39 f8 cmp %edi,%eax
> > 5: 75 f7 jne 0xfffffffe
> > 7: 85 f6 test %esi,%esi
> > 9: 75 0b jne 0x16
> > b: 68 0c e5 c3 f7 push $0xf7c3e50c
> > 10: e8 99 5f 68 c9 call 0xc9685fae
> >
> > and "make drivers/usb/host/ehci-hcd.s" but I'm not able to find the above
> > code in ehci-hcd.s.
> >
> > What am I doing wrong?
>
> With your disassembly? Nothing that I can see. You might be able to
> locate the code in question by comparing the output above and the
> contents of ehci-hcd.s with the output of "objdump -D
> drivers/usb/host/ehci-hcd.o" -- search for the start of the
> start_unlink_async() routine and go forward from there.
Thanks, found it there:
00001a4b <start_unlink_async>:
1a4b: 55 push %ebp
1a4c: 57 push %edi
1a4d: 56 push %esi
1a4e: 89 d6 mov %edx,%esi
1a50: 53 push %ebx
1a51: 89 c3 mov %eax,%ebx
1a53: 83 ec 04 sub $0x4,%esp
1a56: 65 a1 14 00 00 00 mov %gs:0x14,%eax
1a5c: 89 04 24 mov %eax,(%esp)
1a5f: 31 c0 xor %eax,%eax
1a61: 85 db test %ebx,%ebx
1a63: 75 0b jne 1a70 <start_unlink_async+0x25>
1a65: 68 57 01 00 00 push $0x157
1a6a: e8 fc ff ff ff call 1a6b <start_unlink_async+0x20>
1a6f: 58 pop %eax
1a70: 83 7b 04 00 cmpl $0x0,0x4(%ebx)
1a74: 75 0b jne 1a81 <start_unlink_async+0x36>
1a76: 68 91 01 00 00 push $0x191
1a7b: e8 fc ff ff ff call 1a7c <start_unlink_async+0x31>
1a80: 58 pop %eax
1a81: 85 f6 test %esi,%esi
1a83: 75 0b jne 1a90 <start_unlink_async+0x45>
1a85: 68 d1 01 00 00 push $0x1d1
1a8a: e8 fc ff ff ff call 1a8b <start_unlink_async+0x40>
1a8f: 58 pop %eax
1a90: 8b 43 04 mov 0x4(%ebx),%eax
1a93: 8b 28 mov (%eax),%ebp
1a95: 3b 73 14 cmp 0x14(%ebx),%esi
1a98: 75 3f jne 1ad9 <start_unlink_async+0x8e>
1a9a: 68 0b 02 00 00 push $0x20b
1a9f: e8 fc ff ff ff call 1aa0 <start_unlink_async+0x55>
1aa4: 83 7b fc 00 cmpl $0x0,-0x4(%ebx)
1aa8: 58 pop %eax
1aa9: 0f 84 e5 00 00 00 je 1b94 <start_unlink_async+0x149>
1aaf: 83 7b 18 00 cmpl $0x0,0x18(%ebx)
1ab3: 0f 85 db 00 00 00 jne 1b94 <start_unlink_async+0x149>
1ab9: 83 e5 df and $0xffffffdf,%ebp
1abc: 8b 43 04 mov 0x4(%ebx),%eax
1abf: 89 28 mov %ebp,(%eax)
1ac1: f0 83 04 24 00 lock addl $0x0,(%esp)
1ac6: 8d 83 08 01 00 00 lea 0x108(%ebx),%eax
1acc: f0 80 a3 08 01 00 00 lock andb $0xfb,0x108(%ebx)
1ad3: fb
1ad4: e9 bb 00 00 00 jmp 1b94 <start_unlink_async+0x149>
1ad9: c6 46 68 02 movb $0x2,0x68(%esi)
1add: 89 f0 mov %esi,%eax
1adf: e8 ee e8 ff ff call 3d2 <qh_get>
1ae4: 85 db test %ebx,%ebx
1ae6: 89 c7 mov %eax,%edi
1ae8: 89 43 18 mov %eax,0x18(%ebx)
1aeb: 75 0b jne 1af8 <start_unlink_async+0xad>
1aed: 68 d1 01 00 00 push $0x1d1
1af2: e8 fc ff ff ff call 1af3 <start_unlink_async+0xa8>
1af7: 58 pop %eax
1af8: 8b 43 14 mov 0x14(%ebx),%eax
1afb: 89 c6 mov %eax,%esi
==> 1afd: 8b 40 48 mov 0x48(%eax),%eax
1b00: 39 f8 cmp %edi,%eax
1b02: 75 f7 jne 1afb <start_unlink_async+0xb0>
1b04: 85 f6 test %esi,%esi
1b06: 75 0b jne 1b13 <start_unlink_async+0xc8>
1b08: 68 18 02 00 00 push $0x218
1b0d: e8 fc ff ff ff call 1b0e <start_unlink_async+0xc3>
1b12: 58 pop %eax
1b13: 8b 07 mov (%edi),%eax
1b15: 89 06 mov %eax,(%esi)
1b17: 8b 47 48 mov 0x48(%edi),%eax
1b1a: 89 46 48 mov %eax,0x48(%esi)
1b1d: f0 83 04 24 00 lock addl $0x0,(%esp)
1b22: f6 43 fc 01 testb $0x1,-0x4(%ebx)
1b26: 75 18 jne 1b40 <start_unlink_async+0xf5>
1b28: 8b 14 24 mov (%esp),%edx
1b2b: 65 33 15 14 00 00 00 xor %gs:0x14,%edx
1b32: 75 6c jne 1ba0 <start_unlink_async+0x155>
1b34: 5d pop %ebp
1b35: 89 d8 mov %ebx,%eax
1b37: 5b pop %ebx
1b38: 5e pop %esi
1b39: 5f pop %edi
1b3a: 5d pop %ebp
1b3b: e9 50 fe ff ff jmp 1990 <end_unlink_async>
1b40: 83 cd 40 or $0x40,%ebp
1b43: 8b 43 04 mov 0x4(%ebx),%eax
1b46: 89 28 mov %ebp,(%eax)
1b48: 8b 43 04 mov 0x4(%ebx),%eax
1b4b: 8b 00 mov (%eax),%eax
1b4d: 83 bb a8 00 00 00 00 cmpl $0x0,0xa8(%ebx)
1b54: 74 0f je 1b65 <start_unlink_async+0x11a>
1b56: ba ac 00 00 00 mov $0xac,%edx
1b5b: b8 33 02 00 00 mov $0x233,%eax
1b60: e8 fc ff ff ff call 1b61 <start_unlink_async+0x116>
1b65: b8 0a 00 00 00 mov $0xa,%eax
1b6a: 8b 35 00 00 00 00 mov 0x0,%esi
1b70: e8 fc ff ff ff call 1b71 <start_unlink_async+0x126>
1b75: 8b 14 24 mov (%esp),%edx
1b78: 65 33 15 14 00 00 00 xor %gs:0x14,%edx
1b7f: 75 1f jne 1ba0 <start_unlink_async+0x155>
1b81: 5f pop %edi
1b82: 8d 14 30 lea (%eax,%esi,1),%edx
1b85: 8d 83 a8 00 00 00 lea 0xa8(%ebx),%eax
1b8b: 5b pop %ebx
1b8c: 5e pop %esi
1b8d: 5f pop %edi
1b8e: 5d pop %ebp
1b8f: e9 fc ff ff ff jmp 1b90 <start_unlink_async+0x145>
1b94: 8b 04 24 mov (%esp),%eax
1b97: 65 33 05 14 00 00 00 xor %gs:0x14,%eax
1b9e: 74 05 je 1ba5 <start_unlink_async+0x15a>
1ba0: e8 fc ff ff ff call 1ba1 <start_unlink_async+0x156>
1ba5: 5e pop %esi
1ba6: 5b pop %ebx
1ba7: 5e pop %esi
1ba8: 5f pop %edi
1ba9: 5d pop %ebp
1baa: c3 ret
It does not make much sense to me but I think that it crashes inside this list
manipulation:
	prev = ehci->async;
	while (prev->qh_next.qh != qh)
		prev = prev->qh_next.qh;
	prev->hw_next = qh->hw_next;
	prev->qh_next = qh->qh_next;
	wmb ();
--
Ondrej Zary
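As an added example (this is not code from the message above and not the kernel's own code), the following user-space model shows how the quoted list walk ends in a read at address 0x48 once `prev` becomes NULL: the loop compares `prev->qh_next.qh` against `qh`, and the listing reads that field with `mov 0x48(%eax),%eax`, so if `qh` is not on the list the walk steps onto a NULL `prev` and the next iteration reads `0 + 0x48`, which is exactly the fault address in the report. The struct below is an assumption, padded only so that `qh_next` lands at offset 0x48; `struct ehci_qh` is not reproduced. The double-unlink scenario is also an assumption, one way the walk can run off the end of the list; whether that is what happens in the reported race is not established by the message.

```c
/*
 * Added example, not kernel code: a user-space model of the async QH
 * list walk from start_unlink_async().  struct qh is an assumption,
 * padded so that qh_next sits at offset 0x48, the displacement of the
 * faulting "mov 0x48(%eax),%eax".
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct qh {
	uint32_t hw_next;	/* stand-in for the hardware link word */
	uint8_t  pad[0x44];	/* padding only, so qh_next lands at 0x48 */
	struct qh *qh_next;	/* software link, like qh_next.qh */
};

/*
 * The loop from the message.  Instead of dereferencing a NULL prev it
 * reports the address the kernel would fault on and returns -1.
 */
static int unlink_from_async(struct qh *async, struct qh *qh,
			     uintptr_t *fault_addr)
{
	struct qh *prev = async;

	while (prev->qh_next != qh) {
		prev = prev->qh_next;
		if (!prev) {
			/* kernel would now read 0x48(%eax) with %eax == 0 */
			*fault_addr = (uintptr_t)0 + offsetof(struct qh, qh_next);
			return -1;
		}
	}
	prev->hw_next = qh->hw_next;
	prev->qh_next = qh->qh_next;
	return 0;
}

/*
 * Assumed scenario: qh b is unlinked once (fine), then a second unlink
 * for the same qh arrives.  b is no longer reachable from async, so the
 * unchecked walk runs off the end of the list.  Returns 0 when the model
 * behaves as described; *second_fault_addr receives the would-fault
 * address of the second unlink.
 */
int run_scenario(uintptr_t *second_fault_addr)
{
	static struct qh async, a, b, c;
	uintptr_t addr = 0;

	async.qh_next = &a; a.qh_next = &b; b.qh_next = &c; c.qh_next = NULL;
	a.hw_next = 1; b.hw_next = 2; c.hw_next = 3;

	if (unlink_from_async(&async, &b, &addr) != 0)
		return 1;	/* first unlink must succeed */
	if (a.qh_next != &c || a.hw_next != 2)
		return 2;	/* predecessor must now point past b */

	*second_fault_addr = 0;
	if (unlink_from_async(&async, &b, second_fault_addr) == 0)
		return 3;	/* b is gone; must not claim success */
	return 0;
}

int main(void)
{
	uintptr_t addr = 0;
	int rc = run_scenario(&addr);

	printf("scenario rc=%d, would-fault address=0x%08lx\n",
	       rc, (unsigned long)addr);
	return rc;
}
```

The model makes the diagnostic point concrete: a NULL dereference "at 00000048" from inside this loop means the list was walked to its end without finding `qh`, which is consistent with the QH having already been taken off the async list by the time this unlink ran.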
Thread overview: 34+ messages
2009-11-27 13:38 debugging oops after disconnecting Nexio USB touchscreen Ondrej Zary
2009-11-27 18:19 ` Alan Stern
2009-11-30 15:30 ` Ondrej Zary [this message]
2009-11-30 20:19 ` Alan Stern
2009-12-01 10:06 ` Ondrej Zary
2009-12-01 15:11 ` Alan Stern
2009-12-02 8:52 ` Ondrej Zary
2009-12-02 9:42 ` Oliver Neukum
2009-12-03 9:30 ` Ondrej Zary
2009-12-02 15:58 ` Alan Stern
2009-12-03 12:31 ` Ondrej Zary
2009-12-03 19:39 ` Alan Stern
2009-12-03 20:55 ` Ondrej Zary
2009-12-03 22:22 ` Alan Stern
2009-12-04 12:22 ` Ondrej Zary
2009-12-04 15:47 ` Alan Stern
2009-12-04 19:17 ` Ondrej Zary
2009-12-04 19:34 ` Alan Stern
2009-12-04 19:55 ` Ondrej Zary
2009-12-04 21:24 ` Alan Stern
2009-12-07 9:02 ` Ondrej Zary
2009-12-07 15:22 ` Alan Stern
2009-12-08 9:03 ` Ondrej Zary
2009-12-08 15:03 ` Alan Stern
2009-12-08 15:21 ` Ondrej Zary
2009-12-07 15:07 ` Ondrej Zary
2009-12-07 16:02 ` Alan Stern
2009-12-10 15:40 ` Ondrej Zary
2009-12-10 20:38 ` Alan Stern
2009-12-11 19:42 ` Ondrej Zary
2009-12-11 20:49 ` Alan Stern
2009-12-05 7:36 ` Andreas Mohr
2009-12-05 17:16 ` Alan Stern
2009-12-06 11:38 ` Andreas Mohr