Re: 7.0-BETA3 kernel panic when unplugging USB stick

From: Attilio Rao <attilio_at_freebsd.org>
Date: Tue, 27 Nov 2007 15:59:17 +0100

2007/11/26, Matthias Schmidt <xhr_at_gmx.net>:
> Hi everybody,
>
> I experienced a kernel panic with FreeBSD 7.0-BETA3 and a USB stick.
> After plugging the stick into the machine I got the following
> message:
>
> umass0: <vendor 0x0420 product 0x1307, class 0/0, rev 2.00/1.00, addr 3>
> on uhub2
>
> The stick wasn't correctly recognized and I couldn't use it.  Googling
> for that vendor ID I found the following PR:
>
> http://monkey.org/freebsd/archive/freebsd-bugs/200602/msg00384.html
>
> When I plugged out the stick, I got the below messages followed by a
> kernel panic:
>
> umass0: BBB reset failed, STALLED
> umass0: BBB bulk-in clear stall failed, STALLED
> umass0: BBB bulk-out clear stall failed, STALLED
> umass0: BBB reset failed, STALLED
> umass0: at uhub2 port 4 (addr 3) disconnected
>
> Backtrace below.  You can find a copy of the dmesg, pciconf -l -v
> output, kernel config and the corresponding crash dump under:
>
> http://www.mathematik.uni-marburg.de/~schmidtm/usbcrash/
>
> FreeBSD version is
>
> FreeBSD node008.lab.ds 7.0-BETA3 FreeBSD 7.0-BETA3 #0: Sun Nov 25
> 14:11:30 CET 2007 root_at_node008.lab.ds:/usr/src/sys/i386/compile/
> NODE008  i386
>
> with a GENERIC kernel supplemented only with WITNESS and debug options.
>
>
> GDB will not be able to debug user-mode threads:
> /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for
> details.
> This GDB was configured as "i386-marcel-freebsd".
>
> Unread portion of the kernel message buffer:
> umass0: BBB reset failed, STALLED
> umass0: BBB bulk-in clear stall failed, STALLED
> umass0: BBB bulk-out clear stall failed, STALLED
> umass0: BBB reset failed, STALLED
> umass0: at uhub2 port 4 (addr 3) disconnected
>
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address   = 0x10
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc07453e3
> stack pointer           = 0x28:0xd51dc960
> frame pointer           = 0x28:0xd51dc970
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
>                         processor eflags        = interrupt enabled,
>                         resume, IOPL = 0
>                         current process         = 30 (usb1)
> exclusive sleep mutex Giant r = 0 (0xc0bba270) locked _at_
> dev/usb/uhub.c:639
> panic: from debugger
> cpuid = 0
> Uptime: 16h39m33s
> Physical memory: 499 MB
> Dumping 100 MB: 85 69 53 37 21 5
>
> #0  doadump () at pcpu.h:195
>         195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
> (kgdb)
> (kgdb) bt
> #0  doadump () at pcpu.h:195
> #1  0xc075137e in boot (howto=260) at ../../../kern/kern_shutdown.c:409
> #2  0xc075163b in panic (fmt=Variable "fmt" is not available.
>                 ) at ../../../kern/kern_shutdown.c:563
> #3  0xc048cf07 in db_panic (addr=Could not find the frame base for
>                 "db_panic".
>                 ) at ../../../ddb/db_command.c:433
> #4  0xc048d8f5 in db_command_loop () at ../../../ddb/db_command.c:401
> #5  0xc048f065 in db_trap (type=12, code=0) at
> ../../../ddb/db_main.c:222
> #6  0xc07783b6 in kdb_trap (type=12, code=0, tf=0xd51dc920) at
> ../../../kern/subr_kdb.c:502
> #7  0xc0a09d1f in trap_fatal (frame=0xd51dc920, eva=16) at
> ../../../i386/i386/trap.c:863
> #8  0xc0a09f53 in trap_pfault (frame=0xd51dc920, usermode=0, eva=16) at
> ../../../i386/i386/trap.c:785
> #9  0xc0a0a925 in trap (frame=0xd51dc920) at
> ../../../i386/i386/trap.c:463
> #10 0xc09f04ab in calltrap () at ../../../i386/i386/exception.s:139
> #11 0xc07453e3 in _mtx_assert (m=0x0, what=4, file=0xc0a59667
>                 "../../../cam/cam_xpt.c", line=4300)
>     at ../../../kern/kern_mutex.c:622
> #12 0xc046e064 in xpt_release_ccb (free_ccb=0xc2f16c00) at
>     ../../../cam/cam_xpt.c:4300
> #13 0xc046e5c0 in probedone (periph=0xc53ee380, done_ccb=0xc2f16c00) at
>     ../../../cam/cam_xpt.c:6095
> #14 0xc046ac7f in camisr_runqueue (V_queue=Variable "V_queue" is not
>                 available.
>                 ) at ../../../cam/cam_xpt.c:7255
> #15 0xc046f396 in xpt_bus_deregister (pathid=0) at
> ../../../cam/cam_xpt.c:4442
> #16 0xc06c80f0 in umass_cam_detach_sim (sc=0xc43a7000) at
> ../../../dev/usb/umass.c:2694
> #17 0xc06c819d in umass_detach (self=0xc53ee000) at
> ../../../dev/usb/umass.c:1542
> #18 0xc0772f1c in device_detach (dev=0xc53ee000) at device_if.h:212
> #19 0xc06ce882 in usb_disconnect_port (up=0xc2f5536c, parent=0xc2f55480)
> at ../../../dev/usb/usb_subr.c:1380
> #20 0xc06c5a6e in uhub_explore (dev=0xc2f55700) at
> ../../../dev/usb/uhub.c:462
> #21 0xc06c5a36 in uhub_explore (dev=0xc2f29100) at
> ../../../dev/usb/uhub.c:434
> #22 0xc06cc835 in usb_discover (v=Variable "v" is not available.
>                 ) at ../../../dev/usb/usb.c:724
> #23 0xc06cd207 in usb_event_thread (arg=0xc2f1ca00) at
> ../../../dev/usb/usb.c:440
> #24 0xc0733538 in fork_exit (callout=0xc06cd170 <usb_event_thread>,
>                 arg=0xc2f1ca00, frame=0xd51dcd38)
>     at ../../../kern/kern_fork.c:754
> #25 0xc09f0520 in fork_trampoline () at
>     ../../../i386/i386/exception.s:205
> (kgdb) up 9
> #9  0xc0a0a925 in trap (frame=0xd51dc920) at
>     ../../../i386/i386/trap.c:463
> 463                             (void) trap_pfault(frame, FALSE, eva);
> (kgdb) l
> 458
> 459                     KASSERT(cold || td->td_ucred != NULL,
> 460                         ("kernel trap doesn't have
>                             ucred"));
> 461                     switch (type) {
> 462                     case T_PAGEFLT:
>                                     /* page fault */
> 463                             (void)
>                                     trap_pfault(frame, FALSE, eva);
> 464                             goto out;
> 465
> 466                     case T_DNA:
> 467     #ifdef DEV_NPX
>
> If you need further information, don't hesitate to contact me.  I can
> even provide remote access to that box if it's needed.

This seems to be a race in the sim with the lock field (it switches just
before asserting so that it gets inconsistent when asserting).
Something is unclear to me (sorry if I missed the information): you
use SMP and PREEMPTION but I don't see any other core started in the
dmesg, what kind of hw is this?

Thanks,
Attilio


-- 
Peace can only be achieved by understanding - A. Einstein
Received on Tue Nov 27 2007 - 13:59:22 UTC
