[Libusbx-devel] libusbx bug in handle_bulk_completion - wrong pointer computations

[Libusbx-devel] libusbx bug in handle_bulk_completion - wrong pointer computations

Erik Rull
Hi all,

Getting a NULL tpriv->urbs pointer causes a negative urb_idx and subsequently
undefined behavior! This happens when removing a USB device during a transfer,
with a chance of ~20%.

With the small extension the error can be made visible:

static int handle_bulk_completion(struct usbi_transfer *itransfer,
        struct usbfs_urb *urb)
{
        struct linux_transfer_priv *tpriv =
usbi_transfer_get_os_priv(itransfer);
        struct libusb_transfer *transfer =
USBI_TRANSFER_TO_LIBUSB_TRANSFER(itransfer);
        int urb_idx = urb - tpriv->urbs;

        usbi_mutex_lock(&itransfer->lock);
        usbi_dbg("handling completion status %d of bulk urb %d/%d", urb->status,
                urb_idx + 1, tpriv->num_urbs);
+       if (urb_idx < -2)
+       {
+         usbi_dbg("usb_idx lt 0: %d %p %p
%d",urb_idx,urb,tpriv->urbs,tpriv->num_urbs);
+       }
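Review bot: the guard `if (urb_idx < -2)` only reports the damage after `urb - tpriv->urbs` has already been evaluated on a NULL base (and before `usbi_mutex_lock` is taken), and it lets indices -1 and -2 through; test `tpriv->urbs == NULL` (and `urb_idx >= tpriv->num_urbs`) before deriving the index and bail out with an error instead of continuing. Minor: the message text says `usb_idx` for a variable named `urb_idx`.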


example result:

Nov 14 00:15:31 (none) daemon.debug my_prog: [ 6.744000] [00007c5b] libusbx: debug [usbi_handle_transfer_completion] transfer 0x880b114 has callback 0xb7045e40
Nov 14 00:15:31 (none) daemon.debug my_prog: [ 6.744000] [00007c5b] libusbx: debug [sync_transfer_cb] actual_length=0
Nov 14 00:15:31 (none) daemon.debug my_prog: [ 6.744000] [00007c5b] libusbx: debug [reap_for_handle] urb type=3 status=-2 transferred=0
Nov 14 00:15:31 (none) daemon.debug my_prog: [ 6.744000] [00007c5b] libusbx: debug [handle_bulk_completion] handling completion status -2 of bulk urb -1168226879/4
Nov 14 00:15:31 (none) daemon.debug my_prog: [ 6.744000] [00007c5b] libusbx: debug [handle_bulk_completion] usb_idx lt 0: -1168226880 0x833fd00 (nil) 4
Nov 14 00:15:31 (none) daemon.debug my_prog: [ 6.774000] [00007c51] libusbx: debug [linux_netlink_read_message] netlink hotplug found device busnum: 2, devaddr: 77, sys_name: 2-1.4, removed: yes

It looks like an inconsistency between the tpriv->urbs pointer and
tpriv->num_urbs. If there are no URBs (NULL pointer) but the number of URBs is
> 0, an inconsistency is appearing somewhere...

Best regards,

Erik

_______________________________________________
libusbx-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/libusbx-devel
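A stand-alone C model of the index computation Erik describes, added here as an example (it is not libusbx code; the struct layouts, the demo_* arrays and the checked_urb_index / handle_completion_checked helpers are assumptions made for the demo). It shows why `urb - tpriv->urbs` with a NULL base cannot yield a usable index, and the guard a completion handler can apply instead: refuse to index unless the URB provably lies inside tpriv->urbs[0..num_urbs). Pointer subtraction with a NULL base is undefined in C, and compilers typically implement the division by sizeof through a multiplicative inverse that assumes exact divisibility, which is one reason the value in the trace is not even a plausible address/size quotient; the example mirrors the naive computation on integer addresses so that it stays well defined.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the libusbx structures named in the thread.  The field layout is an
 * assumption made for this example; only the urbs/num_urbs pair matters here. */
struct usbfs_urb {
    unsigned char type;
    int status;
    int actual_length;
    void *buffer;
};

struct linux_transfer_priv {
    struct usbfs_urb *urbs;   /* array of num_urbs entries, or NULL once torn down */
    int num_urbs;
};

/* What handle_bulk_completion does: urb_idx = urb - tpriv->urbs.  Pointer subtraction
 * is only defined for two pointers into the same array, so with urbs == NULL the real
 * expression is undefined behaviour.  It is mirrored on integer addresses here so the
 * example itself stays well defined; the resulting "index" is still meaningless. */
static long naive_urb_index(const struct usbfs_urb *urb,
                            const struct linux_transfer_priv *tpriv)
{
    intptr_t diff = (intptr_t)((uintptr_t)urb - (uintptr_t)tpriv->urbs);
    return (long)(diff / (intptr_t)sizeof(struct usbfs_urb));
}

/* Hardened form: derive an index only when the completed URB provably lies inside this
 * transfer's array.  Returns 0 and stores the index, or -1 when tpriv->urbs is NULL,
 * num_urbs is not positive, or urb is outside or misaligned with the array. */
static int checked_urb_index(const struct usbfs_urb *urb,
                             const struct linux_transfer_priv *tpriv, int *idx)
{
    if (urb == NULL || tpriv->urbs == NULL || tpriv->num_urbs <= 0)
        return -1;
    uintptr_t base = (uintptr_t)tpriv->urbs;
    uintptr_t p    = (uintptr_t)urb;
    uintptr_t span = (uintptr_t)tpriv->num_urbs * sizeof(struct usbfs_urb);
    if (p < base || p - base >= span || (p - base) % sizeof(struct usbfs_urb) != 0)
        return -1;
    *idx = (int)((p - base) / sizeof(struct usbfs_urb));
    return 0;
}

/* Model of the completion handler: returns the URB index on success, -1 when the
 * completion cannot be matched to the transfer.  The caller must then treat the
 * transfer as cancelled or errored instead of touching tpriv->urbs[idx]. */
static int handle_completion_checked(const struct usbfs_urb *urb,
                                     const struct linux_transfer_priv *tpriv)
{
    int idx;
    if (checked_urb_index(urb, tpriv, &idx) != 0) {
        fprintf(stderr, "completion for urb %p does not belong to urbs=%p/%d, ignoring\n",
                (const void *)urb, (void *)tpriv->urbs, tpriv->num_urbs);
        return -1;
    }
    return idx;
}

/* Constructed scenario matching the trace: a 4-URB bulk transfer and a completion for
 * URB #2.  torn_down models tpriv->urbs already being NULL while num_urbs still reads 4,
 * which is exactly the inconsistency visible in the log line "(nil) 4". */
static struct usbfs_urb demo_urbs[4];
static struct usbfs_urb foreign_urb;   /* a URB belonging to some other transfer */

static long scenario_naive(int torn_down)
{
    struct linux_transfer_priv tpriv = { demo_urbs, 4 };
    if (torn_down)
        tpriv.urbs = NULL;
    return naive_urb_index(&demo_urbs[2], &tpriv);
}

static int scenario_checked(int torn_down)
{
    struct linux_transfer_priv tpriv = { demo_urbs, 4 };
    if (torn_down)
        tpriv.urbs = NULL;
    return handle_completion_checked(&demo_urbs[2], &tpriv);
}

static int scenario_foreign(void)
{
    struct linux_transfer_priv tpriv = { demo_urbs, 4 };
    return handle_completion_checked(&foreign_urb, &tpriv);
}

int main(void)
{
    printf("healthy transfer:  naive=%ld checked=%d\n", scenario_naive(0), scenario_checked(0));
    printf("urbs already NULL: naive=%ld checked=%d\n", scenario_naive(1), scenario_checked(1));
    printf("foreign urb:       checked=%d\n", scenario_foreign());
    return 0;
}
```

The guard is a mitigation at the point of use, not a root-cause fix: as the thread goes on to ask, the real question is why tpriv->urbs is NULL for an unfinished transfer, so the check should log loudly and fail the completion rather than silently mask that state.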

Re: [Libusbx-devel] libusbx bug in handle_bulk_completion - wrong pointer computations

Hans de Goede
Hi Erik,

On 01/21/2014 10:42 AM, Erik Rull wrote:
> Hi all,
>
> getting a tpriv->urbs NULL pointer causes negative urb_idx and successively an
> undefined behavior! This happens when removing a USB device during a transfer
> with a chance of ~ 20%.

Thanks for looking into this. The big question is why tpriv->urbs becomes NULL;
that should never happen for a not yet finished transfer. It would be great if
you could debug this further, focusing on why tpriv->urbs becomes NULL.

It may be helpful to also print the transfer pointer when this happens, and then
look in the debugging traces to see what exactly is happening with this transfer
before the problem.

Regards,

Hans


Re: [Libusbx-devel] libusbx bug in handle_bulk_completion - wrong pointer computations

Erik Rull
Hi Hans,

Hans de Goede wrote:

> Hi Erik,
>
> On 01/21/2014 10:42 AM, Erik Rull wrote:
>> Hi all,
>>
>> getting a tpriv->urbs NULL pointer causes negative urb_idx and successively an
>> undefined behavior! This happens when removing a USB device during a transfer
>> with a chance of ~ 20%.
>
> Thanks for looking into this, the big question is why tpriv->urbs becomes NULL,
> that should never happen for a not yet finished transfer, it would be great if
> you could debug this further focusing on why tpriv->urbs becomes NULL.
>
> It may be helpful to also print the transfer pointer when this happens, and then
> look in the debugging traces to see what exactly is happening with this transfer
> before the problem.
>
> Regards,
>
> Hans
>

I will try that - should I trace all tpriv->urbs assignments? Or can you
already exclude some of them - just to reduce the number of messages?

Update will be posted when I have more details.

Best regards,

Erik



Re: [Libusbx-devel] libusbx bug in handle_bulk_completion - wrong pointer computations

Erik Rull
In reply to this post by Hans de Goede
Hi Hans,

Hans de Goede wrote:

> Hi Erik,
>
> On 01/21/2014 10:42 AM, Erik Rull wrote:
>> Hi all,
>>
>> getting a tpriv->urbs NULL pointer causes negative urb_idx and successively an
>> undefined behavior! This happens when removing a USB device during a transfer
>> with a chance of ~ 20%.
>
> Thanks for looking into this, the big question is why tpriv->urbs becomes NULL,
> that should never happen for a not yet finished transfer, it would be great if
> you could debug this further focusing on why tpriv->urbs becomes NULL.
>
> It may be helpful to also print the transfer pointer when this happens, and then
> look in the debugging traces to see what exactly is happening with this transfer
> before the problem.
>
> Regards,
>
> Hans
>

a short update - not yet complete:
When inserting a usleep(1000) in the first line of discard_urbs(...),
everything works fine! Might it be possible that the kernel does not get
the time to update all its structures? The process using libusb is
running at nice -19 and the kernel is preemptive.

I will proceed with the urbs-NULL-pointer-assignment and let you know my
results.

Best regards,

Erik

