[panic] system crashes if a usb dongle is removed during probe

From: Gleb Kurtsou <gleb.kurtsou_at_gmail.com>
Date: Mon, 30 Jun 2008 01:31:56 +0300
If you are unlucky enough, you can crash -CURRENT just by inserting and
removing a USB flash dongle. I have never seen panics like this before.

~ % uname -a
FreeBSD h1.d 8.0-CURRENT FreeBSD 8.0-CURRENT #65: Sat Jun 28 23:38:02 EEST 2008     root_at_h1.d:/usr/obj/usr/freebsd-src/p4/sys/MY1  i386

Sources are a few weeks old.

I have a dump and can provide with any additional info needed.

Note that this dongle is rather unusual and FreeBSD does not seem to like
it, although it works fine under Linux and Windows on this and other
hardware. Without a patch it cannot even be probed. I have been using the
patch since 2005 with no problems so far, and all other USB devices have
worked as expected. (The patch is at the end of this email; it just stops
umass.c from reporting CAM_AUTOSNS_VALID.)

Even with the patch, the system cannot boot with the dongle connected (I
can get a dump and help debug that panic as well).


Script started on Mon Jun 30 01:08:45 2008
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:
umass0: at uhub2 port 1 (addr 2) disconnected
(da0:umass-sim0:0:0:0): lost device


Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0x0
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc045894a
stack pointer	        = 0x28:0xc2b02848
frame pointer	        = 0x28:0xc2b02860
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 18 (usb2)
trap number		= 12
panic: page fault
KDB: stack backtrace:
db_trace_self_wrapper(c085dfa3,c08f32e0,c083c90e,c2b026fc,c2b026fc,...) at db_trace_self_wrapper+0x26
panic(c083c90e,c08853fe,c2d2aa2c,1,1,...) at panic+0xea
trap_fatal(c2d34af8,0,c088522d,33e,0,...) at trap_fatal+0x23d
trap_pfault(8bc,c2f33690,c2f33890,c2b027a0,c2d34a70,...) at trap_pfault+0x1f4
trap(c2b02808) at trap+0x361
calltrap() at calltrap+0x6
--- trap 0xc, eip = 0xc045894a, esp = 0xc2b02848, ebp = 0xc2b02860 ---
xpt_done(c2d9a400,c2d9a400,0,c08786e4,8da,...) at xpt_done+0x2a
xpt_action(c2d9a400,c2d9a400,260,c2b028e0,c07df2d1,...) at xpt_action+0x702
camperiphdone(c571bd80,c2d9a400,0,100,c4a3b814,...) at camperiphdone+0x59
camisr_runqueue(c3eb57c0,1,0,c3eb57d4,c4a3b800,...) at camisr_runqueue+0x165
xpt_bus_deregister(0,c4d71000,c5792480,c2b02c34,c057a3dc,...) at xpt_bus_deregister+0x172
umass_cam_detach_sim(c4d710f4,1,c5792480,c572d100,0,...) at umass_cam_detach_sim+0x1d
umass_detach(c5792480,c2c9385c,c08a71cc,98f,0,...) at umass_detach+0xcc
device_detach(c5792480,2,c2d256e0,c2d35930,c2d256e0,...) at device_detach+0x8f
usb_disconnect_port(c2d35930,c2d18e80,10,c2b02cd8,c061c805,...) at usb_disconnect_port+0x72
uhub_explore(c2d36180,c2d37680,c2b02cf8,c057f147,c2ccd210,...) at uhub_explore+0xff
usb_discover(c2ccd210,0,5c,c0850f2a,3a98,...) at usb_discover+0x2c
usb_event_thread(c2d37680,c2b02d38,c085a644,324,c2d34a70,...) at usb_event_thread+0x97
fork_exit(c057f0b0,c2d37680,c2b02d38) at fork_exit+0xa6
fork_trampoline() at fork_trampoline+0x8
--- trap 0, eip = 0, esp = 0xc2b02d70, ebp = 0 ---
Uptime: 11h12m7s
Physical memory: 503 MB
Dumping 194 MB: 179 163 147 131 115 99 83 (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  67 51 35 19 3

Reading symbols from /boot/kernel/zfs.ko...Reading symbols from /.boot/boot/kernel/zfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/zfs.ko
Reading symbols from /boot/kernel/opensolaris.ko...Reading symbols from /.boot/boot/kernel/opensolaris.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/opensolaris.ko
#0  doadump () at pcpu.h:196
196	pcpu.h: No such file or directory.
	in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:196
#1  0xc061426d in boot (howto=260) at /usr/freebsd-src/p4/sys/kern/kern_shutdown.c:418
#2  0xc06145d2 in panic (fmt=0xc083c90e "%s") at /usr/freebsd-src/p4/sys/kern/kern_shutdown.c:572
#3  0xc07ff8dd in trap_fatal (frame=0xc2b02808, eva=0) at /usr/freebsd-src/p4/sys/i386/i386/trap.c:934
#4  0xc07ffc14 in trap_pfault (frame=0xc2b02808, usermode=0, eva=0)
    at /usr/freebsd-src/p4/sys/i386/i386/trap.c:847
#5  0xc08004b1 in trap (frame=0xc2b02808) at /usr/freebsd-src/p4/sys/i386/i386/trap.c:525
#6  0xc07e7adb in calltrap () at /usr/freebsd-src/p4/sys/i386/i386/exception.s:165
#7  0xc045894a in xpt_done (done_ccb=0xc2d9a400) at /usr/freebsd-src/p4/sys/cam/cam_xpt.c:4835
#8  0xc0459fa2 in xpt_action (start_ccb=0xc2d9a400) at /usr/freebsd-src/p4/sys/cam/cam_xpt.c:3035
#9  0xc0454089 in camperiphdone (periph=0xc571bd80, done_ccb=0xc2d9a400)
    at /usr/freebsd-src/p4/sys/cam/cam_periph.c:1130
#10 0xc045a605 in camisr_runqueue (V_queue=Variable "V_queue" is not available.
) at /usr/freebsd-src/p4/sys/cam/cam_xpt.c:7316
#11 0xc045f162 in xpt_bus_deregister (pathid=0) at /usr/freebsd-src/p4/sys/cam/cam_xpt.c:4421
#12 0xc057a2dd in umass_cam_detach_sim (sc=0xc4d71000) at /usr/freebsd-src/p4/sys/dev/usb/umass.c:2712
#13 0xc057a3dc in umass_detach (self=0xc5792480) at /usr/freebsd-src/p4/sys/dev/usb/umass.c:1560
#14 0xc063a82f in device_detach (dev=0xc5792480) at device_if.h:212
#15 0xc057ffc2 in usb_disconnect_port (up=0xc2d35930, parent=0xc2d18e80)
    at /usr/freebsd-src/p4/sys/dev/usb/usb_subr.c:1380
#16 0xc05787bf in uhub_explore (dev=0xc2d36180) at /usr/freebsd-src/p4/sys/dev/usb/uhub.c:462
#17 0xc057e04c in usb_discover (v=Variable "v" is not available.
) at /usr/freebsd-src/p4/sys/dev/usb/usb.c:728
#18 0xc057f147 in usb_event_thread (arg=0xc2d37680) at /usr/freebsd-src/p4/sys/dev/usb/usb.c:440
#19 0xc05f68a6 in fork_exit (callout=0xc057f0b0 <usb_event_thread>, arg=0xc2d37680, frame=0xc2b02d38)
    at /usr/freebsd-src/p4/sys/kern/kern_fork.c:812
#20 0xc07e7b50 in fork_trampoline () at /usr/freebsd-src/p4/sys/i386/i386/exception.s:270
(kgdb) fr 7
#7  0xc045894a in xpt_done (done_ccb=0xc2d9a400) at /usr/freebsd-src/p4/sys/cam/cam_xpt.c:4835
4835				TAILQ_INSERT_TAIL(&sim->sim_doneq, &done_ccb->ccb_h,
(kgdb) l
4830			 * any of the "non-immediate" type of ccbs.
4831			 */
4832			sim = done_ccb->ccb_h.path->bus->sim;
4833			switch (done_ccb->ccb_h.path->periph->type) {
4834			case CAM_PERIPH_BIO:
4835				TAILQ_INSERT_TAIL(&sim->sim_doneq, &done_ccb->ccb_h,
4836						  sim_links.tqe);
4837				done_ccb->ccb_h.pinfo.index = CAM_DONEQ_INDEX;
4838				if ((sim->flags & CAM_SIM_ON_DONEQ) == 0) {
4839					mtx_lock(&cam_simq_lock);
(kgdb) p done_ccb->ccb_h
$2 = {pinfo = {priority = 5, generation = 18, index = -2}, xpt_links = {le = {le_next = 0x0, 
      le_prev = 0xc4d72a6c}, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xc4d72a6c}, stqe = {
      stqe_next = 0x0}}, sim_links = {le = {le_next = 0x0, le_prev = 0xc4a3b814}, sle = {sle_next = 0x0}, 
    tqe = {tqe_next = 0x0, tqe_prev = 0xc4a3b814}, stqe = {stqe_next = 0x0}}, periph_links = {le = {
      le_next = 0x0, le_prev = 0x0}, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0x0}, stqe = {
      stqe_next = 0x0}}, retry_count = 0, cbfcnp = 0xc0462ef0 <dadone>, func_code = XPT_SCSI_IO, status = 8, 
  path = 0xc79c3360, path_id = 0, target_id = 0, target_lun = 0, flags = 64, periph_priv = {entries = {{
        ptr = 0x1, field = 1, bytes = "\001\000\000"}, {ptr = 0x0, field = 0, bytes = "\000\000\000"}}, 
    bytes = "\001\000\000\000\000\000\000"}, sim_priv = {entries = {{ptr = 0x0, field = 0, 
        bytes = "\000\000\000"}, {ptr = 0x0, field = 0, bytes = "\000\000\000"}}, 
    bytes = "\000\000\000\000\000\000\000"}, timeout = 5000, timeout_ch = {callout = 0x0}}
(kgdb) fr 8
#8  0xc0459fa2 in xpt_action (start_ccb=0xc2d9a400) at /usr/freebsd-src/p4/sys/cam/cam_xpt.c:3035
3035				(*(sim->sim_action))(sim, start_ccb);
(kgdb) l
3030	
3031			sim = path->bus->sim;
3032			if (SIM_DEAD(sim)) {
3033				/* The SIM has gone; just execute the CCB directly. */
3034				cam_ccbq_send_ccb(&path->device->ccbq, start_ccb);
3035				(*(sim->sim_action))(sim, start_ccb);
3036				break;
3037			}
3038	
3039			cam_ccbq_insert_ccb(&path->device->ccbq, start_ccb);
(kgdb) fr 9
#9  0xc0454089 in camperiphdone (periph=0xc571bd80, done_ccb=0xc2d9a400)
    at /usr/freebsd-src/p4/sys/cam/cam_periph.c:1130
1130			xpt_action(done_ccb);
(kgdb) l
1125			bcopy(done_ccb->ccb_h.saved_ccb_ptr, done_ccb,
1126			      sizeof(union ccb));
1127	
1128			periph->flags &= ~CAM_PERIPH_RECOVERY_INPROG;
1129	
1130			xpt_action(done_ccb);
1131	
1132			break;
1133		}
1134	
(kgdb) 




Index: umass.c
===================================================================
RCS file: /pub/mirror/FreeBSD-CVS/src/sys/dev/usb/umass.c,v
retrieving revision 1.123
diff -u -r1.123 umass.c
--- umass.c	19 Jul 2005 05:18:23 -0000	1.123
+++ umass.c	30 Oct 2005 22:06:23 -0000
_at__at_ -2467,7 +2467,7 _at__at_
 				sense->extra_len = 10;
  				ccb->csio.scsi_status = SCSI_STATUS_CHECK_COND;
 				ccb->ccb_h.status = CAM_SCSI_STATUS_ERROR |
-				    CAM_AUTOSNS_VALID;
+				    /* CAM_AUTOSNS_VALID */ 0;
 				xpt_done(ccb);
 				return;
 			}
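Review bot: Clearing CAM_AUTOSNS_VALID on the status line leaves the sense data the block fills in just above it (`sense->extra_len = 10;` is still set in the context line) unflagged, so CAM will presumably ignore that buffer and fetch sense from the device separately; either the now-unused fill-in should go too, or the reason for keeping it should be stated. `/* CAM_AUTOSNS_VALID */ 0` is commented-out code on a live line; a why-comment reads better, e.g. `/* XXX autosense intentionally not reported as valid; some devices cannot be probed otherwise */` above the assignment, with the status line reduced to `ccb->ccb_h.status = CAM_SCSI_STATUS_ERROR;`. The enclosing function starts and ends outside this hunk.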
_at__at_ -2762,7 +2762,7 _at__at_
 			 */
 
 			ccb->ccb_h.status = CAM_SCSI_STATUS_ERROR
-					    | CAM_AUTOSNS_VALID;
+					    | /* CAM_AUTOSNS_VALID */ 0;
 			csio->scsi_status = SCSI_STATUS_CHECK_COND;
 
 #if 0
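Review bot: The change is unconditional, so it alters the completion status for every umass device, while the report itself says only this one dongle misbehaves and all other devices worked before the patch. Gating it on a per-device quirk bit, set from the USB vendor/product ID the way umass.c keys its other device-specific workarounds (if that mechanism is usable here), would confine the behavioural change to the offending device. The `#if 0` block that follows is pre-existing dead code and could be dropped in the same change. The enclosing function starts and ends outside this hunk.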
_at__at_ -2793,7 +2793,7 _at__at_
 			break;
 		} else {
 			ccb->ccb_h.status = CAM_SCSI_STATUS_ERROR
-					    | CAM_AUTOSNS_VALID;
+					    | /* CAM_AUTOSNS_VALID */ 0;
 			csio->scsi_status = SCSI_STATUS_CHECK_COND;
 		}
 		xpt_done(ccb);
_at__at_ -2829,7 +2829,7 _at__at_
 	ccb->ccb_h.status = CAM_REQ_CMP;
 #endif
 	ccb->ccb_h.status = CAM_SCSI_STATUS_ERROR
-			    | CAM_AUTOSNS_VALID;
+			    | /* CAM_AUTOSNS_VALID */ 0;
 	ccb->csio.scsi_status = SCSI_STATUS_CHECK_COND;
 	xpt_done(ccb);
 }
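Review bot: This hunk does not touch the panic shown in the backtrace, and the commit text should say so: xpt_done faults at cam_xpt.c:4835 on `done_ccb->ccb_h.path->periph->type` with fault address 0 after "lost device", reached from camperiphdone's recovery re-issue inside xpt_bus_deregister during detach. Reporting CHECK CONDITION without CAM_AUTOSNS_VALID presumably makes CAM's error-recovery path the normal way each CHECK CONDITION gets resolved, so if anything this workaround increases exposure to that detach-time race rather than being unrelated to it. The `#if 0 ... CAM_REQ_CMP ... #endif` just above is dead code that the patch leaves in place. The enclosing function ends at this hunk's closing brace but starts outside it.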