Re: T40 panics at usb_get_next_event() when ACPI is disabled

From: Brian Buchanan <bwb_at_holo.org>
Date: Mon, 7 Jun 2004 08:31:18 -0700 (PDT)
Yes, I see this too on my T40p, but only when booting with the mouse
plugged into the laptop through a USB hub connected to the docking
station.  If the mouse is plugged in directly to the laptop (I haven't
tried plugging the USB hub directly into the laptop) or not plugged in,
the problem does not occur.  My hypothesis is that because a certain
event list entry is being overwritten, the USB event list only grows long
enough to use this area of memory in this configuration.

I wrote a function to perform a sanity check on the event list and
determined that the list is not corrupt after all the USB boot-time events
have been queued.  The list becomes corrupted some time between then and
when usbd attempts to read the event queue.  One of the events, the same
one every time, is overwritten with something like 0x01000010 (I don't
have a log of the actual bit pattern).  Since it's happening to the same
object every time, the next step would be to set a watchpoint in the
debugger.  I'll probably give this a try once I have a chance to consult
with someone who knows more about kernel debugging.

I did experiment with rolling back some USB commits, but it does not
appear that a change to the USB subsystem is what caused this breakage.  I
think something else in the system is misbehaving and overwriting memory.

- Brian

-- 
Brian Buchanan, CISSP                                         bwb_at_holo.org
--------------------------------------------------------------------------
FreeBSD - The Power to Serve                        http://www.freebsd.org

On Mon, 7 Jun 2004, Tai-hwa Liang wrote:

> Hello,
>
>   Recent -CURRENT (cvsup'ed on May-26-2004) kernel panics when the rc script
> is trying to invoke /usr/sbin/usbd. It's 100% reproducible on my Thinkpad T40
> when the USB optical mouse is attached and ACPI is disabled (option 2 in
> the boot menu).
>
>   I've tried to comment out the #ifdef DIAGNOSTIC statement around
> sys/dev/usb/usb.c:752; however, it seems that the extra NULL check on ue
> doesn't help in this case: the system still panics at the same place....
> With ACPI enabled (or the USB mouse detached) during booting, the usbd
> would start successfully.
>
>   Is there any T40 user running into the same problem on your -CURRENT?
> The GENERIC kernel that came from 5.2.1-RELEASE doesn't seem to have this
> problem.
>
> For complete dmesg, please consult:
>
> 	http://www.mmlab.cse.yzu.edu.tw/~avatar/dmesg-noacpi.txt
> 	http://www.mmlab.cse.yzu.edu.tw/~avatar/dmesg-acpi.txt
>
> ------------------------ backtrace ---------------------------
> GNU gdb 5.2.1 (FreeBSD)
> Copyright 2002 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-undermydesk-freebsd"...
> panic: from debugger
> panic messages:
> ---
> Fatal trap 12: page fault while in kernel mode
> fault virtual address	= 0x0
> fault code		= supervisor read, page not present
> instruction pointer	= 0x8:0xc074af0d
> stack pointer	        = 0x10:0xcdce59fc
> frame pointer	        = 0x10:0xcdce5a08
> code segment		= base 0x0, limit 0xfffff, type 0x1b
> 			= DPL 0, pres 1, def32 1, gran 1
> processor eflags	= interrupt enabled, resume, IOPL = 0
> current process		= 403 (usbd)
> kernel: type 12 trap, code=0
> panic: from debugger
> at line 453 in file ../../../ddb/db_command.c
> Stack backtrace:
>
>
> Fatal trap 3: breakpoint instruction fault while in kernel mode
> instruction pointer	= 0x8:0xc05a9f9d
> stack pointer	        = 0x10:0xcdce57dc
> frame pointer	        = 0x10:0xcdce57e0
> code segment		= base 0x0, limit 0xfffff, type 0x1b
> 			= DPL 0, pres 1, def32 1, gran 1
> processor eflags	= IOPL = 0
> current process		= 403 (usbd)
> panic: from debugger
> at line 453 in file ../../../ddb/db_command.c
> Uptime: 15s
> Dumping 255 MB
>  16 32 48 64 80 96 112 128 144 160 176 192 208 224 240
> ---
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/md/md.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/md/md.ko.debug
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/linux/linux.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/linux/linux.ko.debug
> Reading symbols from /boot/kernel/if_em.ko...done.
> Loaded symbols for /boot/kernel/if_em.ko
> Reading symbols from /boot/kernel/if_wi.ko...done.
> Loaded symbols for /boot/kernel/if_wi.ko
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/wlan/wlan.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/wlan/wlan.ko.debug
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/rc4/rc4.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/rc4/rc4.ko.debug
> Reading symbols from /boot/kernel/snd_ich.ko...done.
> Loaded symbols for /boot/kernel/snd_ich.ko
> Reading symbols from /boot/kernel/snd_pcm.ko...done.
> Loaded symbols for /boot/kernel/snd_pcm.ko
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/ums/ums.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/ums/ums.ko.debug
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/usb/usb.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/usb/usb.ko.debug
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/umass/umass.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/umass/umass.ko.debug
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/agp/agp.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/agp/agp.ko.debug
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/random/random.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/random/random.ko.debug
> Reading symbols from /boot/kernel/if_ath.ko...done.
> Loaded symbols for /boot/kernel/if_ath.ko
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/ath_hal/ath_hal.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/ath_hal/ath_hal.ko.debug
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/smbfs/smbfs.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/smbfs/smbfs.ko.debug
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/libmchain/libmchain.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/libmchain/libmchain.ko.debug
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/libiconv/libiconv.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/libiconv/libiconv.ko.debug
> Reading symbols from /boot/kernel/radeon.ko...done.
> Loaded symbols for /boot/kernel/radeon.ko
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/msdosfs/msdosfs.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/msdosfs/msdosfs.ko.debug
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/msdosfs_iconv/msdosfs_iconv.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/msdosfs_iconv/msdosfs_iconv.ko.debug
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/linprocfs/linprocfs.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/linprocfs/linprocfs.ko.debug
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/pseudofs/pseudofs.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/pseudofs/pseudofs.ko.debug
> Reading symbols from /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/procfs/procfs.ko.debug...done.
> Loaded symbols for /usr/src/sys/i386/compile/rtfm/modules/usr/src/sys/modules/procfs/procfs.ko.debug
> #0  doadump () at ../../../kern/kern_shutdown.c:236
> 236		dumping++;
> (kgdb) where
> #0  doadump () at ../../../kern/kern_shutdown.c:236
> #1  0xc04c88e7 in boot (howto=260) at ../../../kern/kern_shutdown.c:370
> #2  0xc04c8bf9 in __panic () at ../../../kern/kern_shutdown.c:548
> #3  0xc0450bdb in db_panic () at ../../../ddb/db_command.c:453
> #4  0xc0450b68 in db_command (last_cmdp=0xc061fec0, cmd_table=0xc05fa760,
>     aux_cmd_tablep=0xc05f4db4, aux_cmd_tablep_end=0xc05f4db8)
>     at ../../../ddb/db_command.c:348
> #5  0xc0450c48 in db_command_loop () at ../../../ddb/db_command.c:475
> #6  0xc04533e5 in db_trap (type=12, code=0) at ../../../ddb/db_trap.c:73
> #7  0xc05a9d2d in kdb_trap (type=12, code=0, regs=0xcdce59bc)
>     at ../../../i386/i386/db_interface.c:159
> #8  0xc05b8123 in trap_fatal (frame=0xcdce59bc, eva=0)
>     at ../../../i386/i386/trap.c:810
> #9  0xc05b7e8f in trap_pfault (frame=0xcdce59bc, usermode=0, eva=0)
>     at ../../../i386/i386/trap.c:733
> #10 0xc05b7ac9 in trap (frame=
>       {tf_fs = 24, tf_es = -842137584, tf_ds = -1067909104, tf_edi = -842114540, tf_esi = 0, tf_ebp = -842114552, tf_isp = -842114584, tf_ebx = 0, tf_edx = 19, tf_ecx = 96, tf_eax = -842114540, tf_trapno = 12, tf_err = 0, tf_eip = -1066094835, tf_cs = 8, tf_eflags = 66050, tf_esp = 0, tf_ss = 983056})
>     at ../../../i386/i386/trap.c:420
> #11 0xc074af0d in usb_get_next_event (ue=0xcdce5a14)
>     at /usr/src/sys/dev/usb/usb.c:752
> #12 0xc074ab24 in usbread (dev=0xc062632c, uio=0xcdce5c88, flag=983056)
>     at /usr/src/sys/dev/usb/usb.c:510
> #13 0xc0490e90 in spec_read (ap=0xcdce5c18)
>     at ../../../fs/specfs/spec_vnops.c:273
> #14 0xc04909d7 in spec_vnoperate (ap=0x0)
>     at ../../../fs/specfs/spec_vnops.c:118
> #15 0xc052250d in vn_read (fp=0xc2c7d088, uio=0xcdce5c88,
>     active_cred=0xc14f3e00, flags=0, td=0xc2afd930) at vnode_if.h:398
> #16 0xc04eac8f in dofileread (td=0xc2afd930, fp=0xc2c7d088, fd=7,
>     buf=0xbfbfeb60, nbyte=0, offset=0, flags=0) at ../../../sys/file.h:233
> #17 0xc04eab83 in read (td=0xc2afd930, uap=0xcdce5d14)
>     at ../../../kern/sys_generic.c:107
> #18 0xc05b842b in syscall (frame=
>       {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077940696, tf_esi = -1077941416, tf_ebp = -1077941016, tf_isp = -842113676, tf_ebx = 7, tf_edx = 20, tf_ecx = -1077941584, tf_eax = 3, tf_trapno = 12, tf_err = 2, tf_eip = 671899255, tf_cs = 31, tf_eflags = 658, tf_esp = -1077941444, tf_ss = 47})
>     at ../../../i386/i386/trap.c:1004
> #19 0x280c5e77 in ?? ()
> ---Can't read userspace from dump, or kernel process---
>
> (kgdb) set print pretty
> (kgdb) f 11
> #11 0xc074af0d in usb_get_next_event (ue=0xcdce5a14)
>     at /usr/src/sys/dev/usb/usb.c:752
> 752		*ue = ueq->ue;
> (kgdb) print ueq
> $1 = (struct usb_event_q *) 0x0
> (kgdb) print ue
> $2 = (struct usb_event *) 0xcdce5a14
> (kgdb)
Received on Mon Jun 07 2004 - 13:31:22 UTC
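
The kind of event-list sanity check the reply describes, paired with a dequeue that refuses to dereference a bad head pointer (the `ueq = 0x0` state shown in the backtrace), as an added userland C example. It is not Brian's function or FreeBSD's usb.c: the fixed pool, the structures and all function names are hypothetical, and the 0x01000010 overwrite is constructed from the pattern mentioned in the reply.

```c
#include <stdint.h>
#include <stdio.h>

/* Userland model; all names are hypothetical, not FreeBSD's usb.c. */
struct event { int type; };
struct event_q { struct event_q *next; struct event ue; };
static struct event_q pool[8];           /* every queue entry lives here */
static struct event_q *head, *tail;
static int nevents, nalloc;

/* A link is valid only if it points at an entry boundary inside the pool. */
static int in_pool(const struct event_q *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)pool;
    return a >= lo && a < lo + sizeof(pool) && (a - lo) % sizeof(pool[0]) == 0;
}

/* 0 = consistent; n > 0 = n-th link is bad; -1 = list longer than counter. */
static int queue_check(void) {
    const struct event_q *p = head;
    for (int i = 0; i < nevents; i++, p = p->next)
        if (!in_pool(p)) return i + 1;   /* validate before dereferencing */
    return p == NULL ? 0 : -1;
}

static int add_event(int type) {
    if (nalloc == 8) return -1;
    struct event_q *q = &pool[nalloc++];
    q->ue.type = type; q->next = NULL;
    if (tail) tail->next = q; else head = q;
    tail = q; nevents++;
    return 0;
}

/* Returns 1 and fills *ue, or 0 when the queue is empty or inconsistent. */
static int get_next_event(struct event *ue) {
    if (nevents <= 0) return 0;
    if (!in_pool(head)) {                /* counter and list disagree */
        head = tail = NULL; nevents = 0;
        return 0;
    }
    *ue = head->ue;
    head = head->next; nevents--;
    if (head == NULL) tail = NULL;
    return 1;
}

int main(void) {
    struct event ue;
    for (int t = 10; t < 14; t++) add_event(t);
    pool[1].next = (struct event_q *)(uintptr_t)0x01000010u; /* constructed */
    printf("first bad link: %d\n", queue_check());
    while (get_next_event(&ue)) printf("delivered event %d\n", ue.type);
    return 0;
}
```

Running the check after every enqueue and again before each read narrows the window in which the overwrite happens, but only a watchpoint on the affected entry identifies the code doing the write.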
