Re: [Libusbx-devel] libusb segfaults - causes pcscd to crash

sebastiank Tue, 07 Aug 2012 00:30:34 -0700

Good morning Pete, Ludovic and Orin,

yesterday, I recompiled the latest libusbx version from the git
repository with debug information (version 1.0.12.10545) and replaced 
it on the computers.

> On 2012.08.03 15:51, Pete Batard wrote:
> If you do observe the crash again, and since you're recompiling the 
> library, I would also advise you to try changing line 1307 in 
> libusb/io.c from:
> 
>     if (r) {
>
> to
>     if (r && (r != LIBUSB_ERROR_BUSY)) {
I applied the suggested code change as well.

Please see the attached file with a new backtrace of the segmentation
fault. The file contains all of the commands you told me to execute
last week.

If you need anything else, please let me know.

=========
Regards

Sebastian
=========

Syslog
======
Aug  7 03:26:18 kernel: [186531.500116] pcscd[26721]: segfault at 8 ip 00c1fe89 
sp b6fd1ff0 error 4 in libusb-1.0.so.0.1.0[c1a000+11000]

gdb /usr/sbin/pcscd core
========================
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/pcscd...done.
[New Thread 26721]
[New Thread 26725]
[New Thread 26870]
[New Thread 26701]
[New Thread 26702]
Reading symbols from /lib/i386-linux-gnu/libusb-1.0.so.0...done.
Loaded symbols for /lib/i386-linux-gnu/libusb-1.0.so.0
Reading symbols from /lib/i386-linux-gnu/libdl.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /lib/i386-linux-gnu/libdl.so.2
Reading symbols from /lib/i386-linux-gnu/librt.so.1...(no debugging symbols 
found)...done.
Loaded symbols for /lib/i386-linux-gnu/librt.so.1
Reading symbols from /lib/i386-linux-gnu/libpthread.so.0...(no debugging 
symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libpthread.so.0
Reading symbols from /lib/i386-linux-gnu/libc.so.6...(no debugging symbols 
found)...done.
Loaded symbols for /lib/i386-linux-gnu/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from 
/usr/lib/pcsc/drivers/ifdokrfid_lnx_i686-2.10.0.1.bundle/Contents/Linux/ifdokrfid.so...done.
Loaded symbols for 
/usr/lib/pcsc/drivers/ifdokrfid_lnx_i686-2.10.0.1.bundle/Contents/Linux/ifdokrfid.so
Reading symbols from /lib/libpcsclite.so.1...done.
Loaded symbols for /lib/libpcsclite.so.1
Core was generated by `/usr/sbin/pcscd --debug --apdu'.
Program terminated with signal 11, Segmentation fault.
#0  0x00c1fe89 in add_to_flying_list (transfer=0xb5600468) at io.c:1184
1184    io.c: Datei oder Verzeichnis nicht gefunden.
        in io.c

(gdb) backtrace
===============
#0  0x00c1fe89 in add_to_flying_list (transfer=0xb5600468) at io.c:1184
#1  0x00c20358 in libusb_submit_transfer (transfer=0xb560049c) at io.c:1377
#2  0x00c221e8 in do_sync_bulk_transfer (dev_handle=0x9254140, endpoint=5 
'\005', buffer=0x9255b98 "k\b", length=18, transferred=0xb6fd213c, 
timeout=1000, type=2 '\002') at sync.c:175
#3  0x00c2236f in libusb_bulk_transfer (dev_handle=0x9254140, endpoint=5 
'\005', data=0x9255b98 "k\b", length=18, transferred=0xb6fd213c, timeout=1000) 
at sync.c:270
#4  0x00e018a7 in CCIDDevSend (Lun=0, TxBuffer=0x9255b98 "k\b", TxLength=18, 
ulEscapeSpecificTimeout=1000) at ./bus/usb/usb.c:1055
#5  0x00df5fba in CCIDDevSendWrap (Lun=0, request=0x9255b98 "k\b", slot=18) at 
ccid/common.c:901
#6  0x00df72a8 in PC_to_RDR_Escape (Lun=0, slot=0x9254bd0, pTxBuffer=0xb6fd223c 
"G\003\a?\006?+", dwTxLength=8, pRxBuffer=0xb6fd21fc 
"\033\340\034\355\a?\006?+", pdwRxLength=0xb6fd227c, fIsLocked=0 '\000') at 
ccid/common.c:3026
#7  0x00e0c68f in WriteMultipleRegisters (slot=0x9254bd0, ucEnterAction=3 
'\003', pbWriteBuffer=0xb6fd22b6 "\a?\006?+", ulBytesToWrite=6) at 
./okccid/rfid/rfid_fw5x.c:85
#8  0x00e0c79c in RC632ResetTimerUnit (psRFIDReader=0x9254ca0) at 
./okccid/rfid/rfid_fw5x.c:1436
#9  0x00e0856e in RFIDCardDetectAndTrack (pSlot=0x9254bd0) at 
./okccid/rfid/rfid.c:2347
#10 0x00e09d30 in RFIDUpdateCurrentStateThread (pSlot=0x9254bd0) at 
./okccid/rfid/rfid.c:593
#11 0x00d02d31 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#12 0x001e346e in clone () from /lib/i386-linux-gnu/libc.so.6


(gdb) print timeout
===================
$1 = (struct timeval *) 0xb5600474

(gdb) print timeout->tv_sec
===========================
$2 = 186532

(gdb) print *transfer
=====================
$3 = {num_iso_packets = 0, list = {prev = 0x0, next = 0x0}, timeout = {tv_sec = 
186532, tv_usec = 500094}, transferred = 0, flags = 0 '\000', lock = {__data = 
{__lock = 1, __count = 0, __owner = 26721, __kind = 0, __nusers = 1, {
        __spins = 0, __list = {__next = 0x0}}}, __size = 
"\001\000\000\000\000\000\000\000ah\000\000\000\000\000\000\001\000\000\000\000\000\000",
 __align = 1}}

(gdb) print *ctx
================
$4 = {debug = 0, debug_fixed = 0, ctrl_pipe = {8, 9}, usb_devs = {prev = 
0x9254000, next = 0x92549c0}, usb_devs_lock = {__data = {__lock = 0, __count = 
0, __owner = 0, __kind = 0, __nusers = 0, {__spins = 0, __list = {__next = 
0x0}}},
    __size = '\000' <repeats 23 times>, __align = 0}, open_devs = {prev = 
0x925415c, next = 0x925415c}, open_devs_lock = {__data = {__lock = 0, __count = 
0, __owner = 0, __kind = 0, __nusers = 0, {__spins = 0, __list = {__next = 
0x0}}},
    __size = '\000' <repeats 23 times>, __align = 0}, flying_transfers = {prev 
= 0xb560046c, next = 0xb560046c}, flying_transfers_lock = {__data = {__lock = 
1, __count = 0, __owner = 26721, __kind = 0, __nusers = 1, {__spins = 0,
        __list = {__next = 0x0}}}, __size = 
"\001\000\000\000\000\000\000\000ah\000\000\000\000\000\000\001\000\000\000\000\000\000",
 __align = 1}, pollfds = {prev = 0x9254178, next = 0x92533e0}, pollfds_lock = 
{__data = {__lock = 0,
      __count = 0, __owner = 0, __kind = 0, __nusers = 0, {__spins = 0, __list 
= {__next = 0x0}}}, __size = '\000' <repeats 23 times>, __align = 0}, 
pollfd_modify = 0, pollfd_modify_lock = {__data = {__lock = 0, __count = 0,
      __owner = 0, __kind = 0, __nusers = 0, {__spins = 0, __list = {__next = 
0x0}}}, __size = '\000' <repeats 23 times>, __align = 0}, fd_added_cb = 0, 
fd_removed_cb = 0, fd_cb_user_data = 0x0, events_lock = {__data = {__lock = 0,
      __count = 0, __owner = 0, __kind = 1, __nusers = 0, {__spins = 0, __list 
= {__next = 0x0}}}, __size = '\000' <repeats 12 times>, 
"\001\000\000\000\000\000\000\000\000\000\000", __align = 0}, 
event_handler_active = 0,
  event_waiters_lock = {__data = {__lock = 0, __count = 0, __owner = 0, __kind 
= 0, __nusers = 0, {__spins = 0, __list = {__next = 0x0}}}, __size = '\000' 
<repeats 23 times>, __align = 0}, event_waiters_cond = {__data = {__lock = 0,
      __futex = 0, __total_seq = 0, __wakeup_seq = 0, __woken_seq = 0, __mutex 
= 0x0, __nwaiters = 0, __broadcast_seq = 0}, __size = '\000' <repeats 47 
times>, __align = 0}, timerfd = 10}

(gdb) print ctx->flying_transfers
=================================
$5 = {prev = 0xb560046c, next = 0xb560046c}

(gdb) print &ctx->flying_transfers
==================================
$6 = (struct list_head *) 0x9253ec8

(gdb) print 0xb5600468
======================
$7 = 3042968680

(gdb) x/4xw 0xb5600468
======================
0xb5600468:     0x00000000      0x00000000      0x00000000      0x0002d8a4

(gdb) print *(struct usbi_transfer*)0xb5600468
==============================================
$8 = {num_iso_packets = 0, list = {prev = 0x0, next = 0x0}, timeout = {tv_sec = 
186532, tv_usec = 500094}, transferred = 0, flags = 0 '\000', lock = {__data = 
{__lock = 1, __count = 0, __owner = 26721, __kind = 0, __nusers = 1, {
        __spins = 0, __list = {__next = 0x0}}}, __size = 
"\001\000\000\000\000\000\000\000ah\000\000\000\000\000\000\001\000\000\000\000\000\000",
 __align = 1}}

(gdb) print ((struct usbi_transfer*)0xb5600468)->num_iso_packets
================================================================
$9 = 0

(gdb) print ((struct usbi_transfer*)0xb5600468)->transferred
============================================================
$10 = 0

(gdb) print ((struct usbi_transfer*)0xb5600468)->flags
======================================================
$11 = 0 '\000'

(gdb) print ((struct usbi_transfer*)0xb5600468)->list
=====================================================
$12 = {prev = 0x0, next = 0x0}

(gdb) print ((struct usbi_transfer*)0xb5600468)->timeout
========================================================
$13 = {tv_sec = 186532, tv_usec = 500094}

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
libusbx-devel mailing list
libusbx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libusbx-devel

Re: [Libusbx-devel] libusb segfaults - causes pcscd to crash

Reply via email to