Hi all,

while debugging the reported unplug issue, I now encounter SIGSEGVs in
other places:

I added some debug output to the libusb/io.c:

int usbi_handle_transfer_completion(struct usbi_transfer *itransfer,
        enum libusb_transfer_status status)
{
        struct libusb_transfer *transfer =
                USBI_TRANSFER_TO_LIBUSB_TRANSFER(itransfer);
        struct libusb_context *ctx = TRANSFER_CTX(transfer);
        struct libusb_device_handle *handle = transfer->dev_handle;
        uint8_t flags;
        int r = 0;
        usbi_dbg("entered... %p",ctx);

        /* FIXME: could be more intelligent with the timerfd here. we don't need
         * to disarm the timerfd if there was no timer running, and we only need
         * to rearm the timerfd if the transfer that expired was the one with
         * the shortest timeout. */

        usbi_mutex_lock(&ctx->flying_transfers_lock);
        usbi_dbg("locked mutex %p %p",itransfer,&itransfer->list);
        usbi_dbg("list pointers %p %p", itransfer->list.next, itransfer->list.prev);
        list_del(&itransfer->list);
        usbi_dbg("deleted list");

The corresponding output when removing the device is:

[ 6.973000] [00001d59] libusbx: debug [usbi_handle_transfer_completion] entered... 0x884cdf0
[ 6.973000] [00001d59] libusbx: debug [usbi_handle_transfer_completion] locked mutex 0x8813eb8 0x8813ebc
[ 6.973000] [00001d59] libusbx: debug [usbi_handle_transfer_completion] list pointers (nil) (nil)
Caught a signal (11: SIGSEGV)

This can be easily explained because the list_del looks like this:

static inline void list_del(struct list_head *entry)
{
        entry->next->prev = entry->prev;
        entry->prev->next = entry->next;
        entry->next = entry->prev = NULL;
}

=> entry->next and entry->prev are already NULL! So this delete should never be
done; adding some checks would be helpful.

But when adding a check against NULL for each prev and next in list_del
before accessing them, the process does not die but stalls at another point when
trying to do a bulk read from the device after connecting:

/lib/libusb-1.0.so.0:libusb_ref_device()
/lib/libusb-1.0.so.0:libusb_submit_transfer()

and the last libusb debug output lines are:

[ 6.849000] [00001fae] libusbx: debug [usbi_handle_transfer_completion] entered... 0x884cdf0
[ 6.849000] [00001fae] libusbx: debug [usbi_handle_transfer_completion] locked mutex 0x8813eb8 0x8813ebc
[ 6.849000] [00001fae] libusbx: debug [usbi_handle_transfer_completion] list pointers (nil) (nil)
[ 6.849000] [00001fae] libusbx: debug [usbi_handle_transfer_completion] deleted list
[ 6.849000] [00001fae] libusbx: debug [usbi_handle_transfer_completion] transfer 0x8813eec has callback 0xb708b0c0
[ 6.849000] [00001fae] libusbx: debug [sync_transfer_cb] actual_length=0
[ 6.849000] [00001fae] libusbx: debug [usbi_handle_transfer_completion] part 3
[ 6.849000] [00001fae] libusbx: debug [usbi_handle_transfer_completion] part 4
[ 6.849000] [00001fae] libusbx: debug [libusb_unref_device] destroy device 2.57
[ 6.849000] [00001fae] libusbx: debug [usbi_handle_transfer_completion] part 5
[ 6.849000] [00001fae] libusbx: debug [op_handle_events] Reap for handle done! 0x884cf40
[ 6.849000] [00001fae] libusbx: debug [op_handle_events] Reap for handle done! 0x884cf40
[ 6.855000] [00001fae] libusbx: debug [submit_bulk_transfer] need 4 urbs for new transfer with length 65536
[ 6.981000] [00001fa4] libusbx: debug [linux_netlink_read_message] netlink hotplug found device busnum: 2, devaddr: 57, sys_name: 2-1.4, removed: yes
[ 6.981000] [00001fa4] libusbx: debug [linux_device_disconnected] starting device disconnect...
[ 6.981000] [00001fa4] libusbx: debug [linux_device_disconnected] lock acquired...
[ 6.981000] [00001fa4] libusbx: debug [linux_device_disconnected] getting device by session... 0x884cdf0
[ 6.981000] [00001fa4] libusbx: debug [linux_device_disconnected] device: 0x884f0b8

I don't know exactly how to proceed here - any hint would be appreciated.

Best regards,

Erik
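An added illustration of the double list_del the post describes, written for this page and not taken from the thread or from libusb: a minimal list_head in the same style, a checked unlink that reports an already-unlinked entry instead of dereferencing NULL (or silently skipping it, which is what turns the crash into the later stall), and a simulation of the completion path being run twice for one transfer.

```c
#include <stddef.h>

/* Minimal intrusive doubly linked list in the style of libusb's list_head
 * (added example, not libusb's own code). */
struct list_head { struct list_head *prev, *next; };

static inline void list_init(struct list_head *head)
{
    head->prev = head->next = head;
}
static inline int list_empty(const struct list_head *head)
{
    return head->next == head;
}
static inline void list_add(struct list_head *entry, struct list_head *head)
{
    entry->next = head->next;
    entry->prev = head;
    head->next->prev = entry;
    head->next = entry;
}

/* The post's list_del plus a guard: an entry whose links were already NULLed
 * by an earlier delete is reported instead of dereferenced. Returning an
 * error (rather than silently skipping) lets the caller log the double
 * completion and bail out before it unrefs the device a second time. */
static inline int list_del_checked(struct list_head *entry)
{
    if (entry->next == NULL || entry->prev == NULL)
        return -1;
    entry->next->prev = entry->prev;
    entry->prev->next = entry->next;
    entry->next = entry->prev = NULL;
    return 0;
}

/* Runs the completion path 'times' times for one transfer, as if the same
 * transfer were reaped more than once. Returns the number of detected double
 * deletes, or -1 if the first removal failed to empty the flying list. */
int simulate_completions(int times)
{
    struct list_head flying, xfer;
    int i, errors = 0;
    list_init(&flying);
    list_add(&xfer, &flying);
    for (i = 0; i < times; i++)
        if (list_del_checked(&xfer) != 0)
            errors++;
    return list_empty(&flying) ? errors : -1;
}
```

With the unchecked list_del from the post, the second iteration would fault exactly as the "list pointers (nil) (nil)" trace shows; the checked variant surfaces it as an error the completion path can act on.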

_______________________________________________
libusbx-devel mailing list
libusbx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libusbx-devel
