Page fault with ugen

From: Jan-Espen Pettersen <sigsegv_at_leakingmemory.org>
Date: Fri, 11 Jun 2004 00:21:10 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I got a page fault immediately after detaching an ugen device that was open by
a process (coldsync).

panic messages:
- ---
Fatal trap 12: page fault while in kernel mode
fault virtual address    = 0xc4269370
fault code        = supervisor write, page not present
instruction pointer    = 0x8:0xc049c5c2
stack pointer            = 0x10:0xe334fb3c
frame pointer            = 0x10:0xe334fb58
code segment        = base 0x0, limit 0xfffff, type 0x1b
~            = DPL 0, pres 1, def32 1, gran 1
processor eflags    = interrupt enabled, resume, IOPL = 0
current process        = 57673 (coldsync)
kernel: type 12 trap, code=0


Fatal trap 12: page fault while in kernel mode
fault virtual address    = 0xc4269370
fault code        = supervisor write, page not present
instruction pointer    = 0x8:0xc049c5c2
stack pointer            = 0x10:0xe334fb3c
frame pointer            = 0x10:0xe334fb58
code segment        = base 0x0, limit 0xfffff, type 0x1b
~            = DPL 0, pres 1, def32 1, gran 1
processor eflags    = interrupt enabled, resume, IOPL = 0
current process        = 57673 (coldsync)
kernel: type 12 trap, code=0


Fatal trap 12: page fault while in kernel mode
fault virtual address    = 0xc4269370
fault code        = supervisor write, page not present
instruction pointer    = 0x8:0xc049c5c2
stack pointer            = 0x10:0xe334fb3c
frame pointer            = 0x10:0xe334fb58
code segment        = base 0x0, limit 0xfffff, type 0x1b
~            = DPL 0, pres 1, def32 1, gran 1
processor eflags    = interrupt enabled, resume, IOPL = 0
current process        = 57673 (coldsync)
kernel: type 12 trap, code=0


Fatal trap 12: page fault while in kernel mode
fault virtual address    = 0xc4269370
fault code        = supervisor write, page not present
instruction pointer    = 0x8:0xc049c5c2
stack pointer            = 0x10:0xe334fb3c
frame pointer            = 0x10:0xe334fb58
code segment        = base 0x0, limit 0xfffff, type 0x1b
~            = DPL 0, pres 1, def32 1, gran 1
processor eflags    = interrupt enabled, resume, IOPL = 0
current process        = 57673 (coldsync)
kernel: type 12 trap, code=0
Dumping 1023 MB
~ 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 256 272 288 304
320 336 352 368 384 400 416 432 448 464 480 496 512 528 544 560 576
592 608 624 640 656 672 688 704 720 736 752 768 784 800 816 832 848
864 880 896 912 928 944 960 976 992 1008
- ---


(kgdb) bt
#0  doadump () at /usr/src/FreeBSD-CURRENT/sys/kern/kern_shutdown.c:236
#1  0xc04593ea in db_fncall (dummy1=0, dummy2=0, dummy3=-1066485292,
~    dummy4=0xe334f978 "") at
/usr/src/FreeBSD-CURRENT/sys/ddb/db_command.c:551
#2  0xc04591f0 in db_command (last_cmdp=0xc06ab720, cmd_table=0x0,
~    aux_cmd_tablep=0xc067aa24, aux_cmd_tablep_end=0xc067aa28)
~    at /usr/src/FreeBSD-CURRENT/sys/ddb/db_command.c:348
#3  0xc04592d0 in db_command_loop ()
~    at /usr/src/FreeBSD-CURRENT/sys/ddb/db_command.c:475
#4  0xc045ba65 in db_trap (type=12, code=0)
~    at /usr/src/FreeBSD-CURRENT/sys/ddb/db_trap.c:73
#5  0xc0611b75 in kdb_trap (type=12, code=0, regs=0xe334fafc)
~    at /usr/src/FreeBSD-CURRENT/sys/i386/i386/db_interface.c:159
#6  0xc061f93b in trap_fatal (frame=0xe334fafc, eva=3290862448)
~    at /usr/src/FreeBSD-CURRENT/sys/i386/i386/trap.c:810
#7  0xc061f6a7 in trap_pfault (frame=0xe334fafc, usermode=0,
eva=3290862448)
~    at /usr/src/FreeBSD-CURRENT/sys/i386/i386/trap.c:733
#8  0xc061f329 in trap (frame=
~      {tf_fs = 24, tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi =
- -1004104868, tf_ebp = -483067048, tf_isp = -483067096, tf_ebx =
- -1004104896, tf_edx = 4, tf_ecx = 1, tf_eax = 0, tf_trapno = 12,
tf_err = 2, tf_eip = -1068907070, tf_cs = 8, tf_eflags = 66050, tf_esp
= -969982592, tf_ss = -969982592})
~    at /usr/src/FreeBSD-CURRENT/sys/i386/i386/trap.c:420
#9  0xc049c5c2 in ugenclose (dev=0xc4269340, flag=3, mode=8192,
p=0xc4b65420)
~    at /usr/src/FreeBSD-CURRENT/sys/dev/usb/ugen.c:558
- ---Type <return> to continue, or q <return> to quit---
#10 0xc04b9912 in spec_close (ap=0xe334fba4)
~    at /usr/src/FreeBSD-CURRENT/sys/fs/specfs/spec_vnops.c:637
#11 0xc04b891f in spec_vnoperate (ap=0x0)
~    at /usr/src/FreeBSD-CURRENT/sys/fs/specfs/spec_vnops.c:118
#12 0xc053d58c in vn_close (vp=0xc2bac820, flags=0, file_cred=0x0, td=0x0)
~    at vnode_if.h:262
#13 0xc053e2f6 in vn_closefile (fp=0xc3089660, td=0xc4b65420)
~    at /usr/src/FreeBSD-CURRENT/sys/kern/vfs_vnops.c:930
#14 0xc04d0b98 in fdrop_locked (fp=0xc3089660, td=0xc4b65420)
~    at /usr/src/FreeBSD-CURRENT/sys/sys/file.h:288
#15 0xc04d0000 in fdrop (fp=0xc3089660, td=0xc4b65420)
~    at /usr/src/FreeBSD-CURRENT/sys/kern/kern_descrip.c:1879
#16 0xc04cffd3 in closef (fp=0xc3089660, td=0xc4b65420)
~    at /usr/src/FreeBSD-CURRENT/sys/kern/kern_descrip.c:1865
#17 0xc04ce831 in close (td=0xc4b65420, uap=0x0)
~    at /usr/src/FreeBSD-CURRENT/sys/kern/kern_descrip.c:966
#18 0xc061fbff in syscall (frame=
~      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 134727680, tf_esi
= 134742272, tf_ebp = -1077941416, tf_isp = -483066508, tf_ebx =
671896672, tf_edx = 134701472, tf_ecx = 0, tf_eax = 6, tf_trapno = 12,
tf_err = 2, tf_eip = 673025551, tf_cs = 31, tf_eflags = 658, tf_esp =
- -1077941460, tf_ss = 47})
~    at /usr/src/FreeBSD-CURRENT/sys/i386/i386/trap.c:1004
#19 0x281d8e0f in ?? ()
- ---Can't read userspace from dump, or kernel process---

(kgdb) up 9
#9  0xc049c5c2 in ugenclose (dev=0xc4269340, flag=3, mode=8192,
p=0xc4b65420)
~    at /usr/src/FreeBSD-CURRENT/sys/dev/usb/ugen.c:558
558            usbd_close_pipe(sce->pipeh);
(kgdb) list
553                continue;
554            DPRINTFN(5, ("ugenclose: endpt=%d dir=%d sce=%p\n",
555                     endpt, dir, sce));
556    
557            usbd_abort_pipe(sce->pipeh);
558            usbd_close_pipe(sce->pipeh);
559            sce->pipeh = NULL;
560    
561            switch (sce->edesc->bmAttributes & UE_XFERTYPE) {
562            case UE_INTERRUPT:
(kgdb) print sce
$1 = (struct ugen_endpoint *) 0xc426935c
(kgdb) print *sce
can not access 0xc426935c, invalid address (c426935c)
can not access 0xc426935c, invalid address (c426935c)
Cannot access memory at address 0xc426935c
(kgdb) print sc
$2 = (struct ugen_softc *) 0xc4269000
(kgdb) print *sc
can not access 0xc4269000, invalid address (c4269000)
can not access 0xc4269000, invalid address (c4269000)
Cannot access memory at address 0xc4269000


I'm not sure if this is a solution or if it is just good luck (or
insufficient testing) that it works...
The question is whether sc is really a junk pointer too, although I think
it should have panicked earlier if that was the case.

Index: sys/dev/usb/ugen.c
===================================================================
RCS file: /usr/ncvs/src/sys/dev/usb/ugen.c,v
retrieving revision 1.83
diff -u -r1.83 ugen.c
- --- sys/dev/usb/ugen.c    21 Feb 2004 21:10:48 -0000    1.83
+++ sys/dev/usb/ugen.c    10 Jun 2004 20:07:21 -0000
_at__at_ -546,6 +546,8 _at__at_
~     }

~     for (dir = OUT; dir <= IN; dir++) {
+        if (sc->sc_dying)
+            break;
~         if (!(flag & (dir == OUT ? FWRITE : FREAD)))
~             continue;
~         sce = &sc->sc_endpoints[endpt][dir];
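Review bot: The new `sc->sc_dying` test reads through the same pointer that the kgdb session above shows is already unmapped (`print *sc` and `print *sce` both fail at 0xc4269000 and 0xc426935c), so the check itself touches freed memory and only shrinks the window rather than closing the use-after-free between detach and close. A flag stored inside the softc cannot protect against the softc itself being gone; the durable fix is on the detach side, which must keep the soft state alive (or force-close the open endpoints and wait for those closes) until every open descriptor's close has run, or hold a reference on the soft state from open to close. If the flag check is kept as an interim measure, hoist it out of the per-direction loop so it is evaluated once, and mark it with a comment such as `/* interim: sc_dying only narrows the detach/close race; sc may already be freed */`. ugenclose begins before this hunk and its body continues after it.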

( http://www.leakingmemory.org/patches/usb/ugen_pfault.diff )

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAyN7WH90qNYni6VoRAhqIAJ9LR484B9MI+7n3E201z4Ur/dCpWACZAVqV
r9M4lfPqXkuAoEoTPfbhKIc=
=tT0B
-----END PGP SIGNATURE-----
Received on Thu Jun 10 2004 - 20:20:51 UTC
