On Sat, Feb 04, 2023 at 09:18:44AM -0800, Peter Van Eenoo wrote:
> I've found a repeatable crash after unplugging a usb port that's connected
> to a UPS. I can't trigger it if I quickly plug it in and unplug it but only
> after leaving it connected for a few hours and then I unplug it. It crashes
> at the same spot every time.
> 
> I can't get a crash dump from it because every time I try boot
> crash/sync/dump it just hangs and never writes or reboots.
> 
> login: uhid0 detached
> uhid1 detached
> uhid2 detached
> uhid3 detached
> uhid4 detached
> uhid5 detached
> uhid6 detached
> uhid7 detached
> uhid8 detached
> uhid9 detached
> upd0 detached
> uhid10 detached
> uhid11 detached
> uhid12 detached
> uhid13 detached
> uhid14 detached
> uhid15 detached
> uhid16 detached
> uhid17 detached
> uhid18 detached
> uhid19 detached
> uhid20 detached
> uhid21 detached
> uhid22 detached
> uhid23 detached
> uhid24 detached
> uhidev0 detached
> usbd_start_next: error=5
> usbd_start_next: error=5
> multiply freed item 0xffff800000a3d300
> panic: free: duplicated free
> Stopped at      db_enter+0x10:  popq    %rbp
>     TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
>  191599  18517     73   0x1100010       0x80    1  syslogd
> * 93216  36036      0     0x14000      0x200    0K usbtask
> db_enter() at db_enter+0x10
> panic(ffffffff81f836b9) at panic+0xbf
> free(ffff800000a3d300,7f,20) at free+0x3b3
> uhidev_get_report_async_cb(fffffd841f61a000,ffff800000a3d300,6) at uhidev_get_report_async_cb+0x95
> usb_transfer_complete(fffffd841f61a000) at usb_transfer_complete+0x1e4
> usbd_close_pipe(ffff8000012bf000) at usbd_close_pipe+0x56
> usb_free_device(ffff800007ffe500) at usb_free_device+0x21
> usbd_detach(ffff800007ffe500,ffff80000016c180) at usbd_detach+0x81
> uhub_port_connect(ffff80000016c180,b,2a0) at uhub_port_connect+0x75
> uhub_explore(ffff800000178900) at uhub_explore+0xbb
> usb_explore(ffff800000178800) at usb_explore+0x12a
> usb_task_thread(ffff800022a00fd0) at usb_task_thread+0xe5
> end trace frame: 0x0, count: 3

Does the following diff help?

diff --git sys/dev/usb/uhidev.c sys/dev/usb/uhidev.c
index 26b5b04088d..1771e146cbb 100644
--- sys/dev/usb/uhidev.c
+++ sys/dev/usb/uhidev.c
@@ -911,6 +911,7 @@ uhidev_get_report_async(struct uhidev_softc *sc, int type, 
int id, void *data,
 
        if (usbd_request_async(xfer, &req, info, uhidev_get_report_async_cb)) {
                free(info, M_TEMP, sizeof(*info));
+               usbd_free_xfer(xfer);
                actlen = -1;
        }
 
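Review bot: The usbd_request_async() failure branch now releases both info and xfer itself, while the panic trace above shows uhidev_get_report_async_cb() freeing its second argument (the same 0xffff800000a3d300 reported as multiply freed), so the branch is only correct if the callback can never run for a transfer whose submission returned an error. Please add a one-line comment in this branch stating that ownership rule, and confirm that usbd_free_xfer(xfer) cannot itself invoke the callback after free(info, M_TEMP, sizeof(*info)) has already run. Since the report says the crash only appears after the UPS has been connected for a few hours, the fix should be tested under that same condition before it goes in.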
