From owner-freebsd-usb@FreeBSD.ORG  Sat Jun 23 11:50:04 2007
Return-Path: <owner-freebsd-usb@FreeBSD.ORG>
X-Original-To: freebsd-usb@hub.freebsd.org
Delivered-To: freebsd-usb@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 262EE16A46B
	for <freebsd-usb@hub.freebsd.org>; Sat, 23 Jun 2007 11:50:04 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40])
	by mx1.freebsd.org (Postfix) with ESMTP id E7F7F13C4E5
	for <freebsd-usb@hub.freebsd.org>; Sat, 23 Jun 2007 11:50:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l5NBo3Ik059688
	for <freebsd-usb@freefall.freebsd.org>; Sat, 23 Jun 2007 11:50:03 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l5NBo3wp059687;
	Sat, 23 Jun 2007 11:50:03 GMT (envelope-from gnats)
Resent-Date: Sat, 23 Jun 2007 11:50:03 GMT
Resent-Message-Id: <200706231150.l5NBo3wp059687@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-usb@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Kazuaki ODA <kazuaki@aliceblue.jp>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 8710F16A400
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sat, 23 Jun 2007 11:41:08 +0000 (UTC)
	(envelope-from kazuaki@aliceblue.jp)
Received: from pd5f7be.tokyff01.ap.so-net.ne.jp
	(pd5f7be.tokyff01.ap.so-net.ne.jp [202.213.247.190])
	by mx1.freebsd.org (Postfix) with ESMTP id 207C813C469
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sat, 23 Jun 2007 11:41:08 +0000 (UTC)
	(envelope-from kazuaki@aliceblue.jp)
Received: from eyes.aliceblue.jp (dhcp21.aliceblue.jp [192.168.11.21])
	by pd5f7be.tokyff01.ap.so-net.ne.jp (Postfix) with ESMTP id 86EDF597C72
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sat, 23 Jun 2007 20:41:07 +0900 (JST)
Received: from eyes.aliceblue.jp (localhost [127.0.0.1])
	by eyes.aliceblue.jp (8.14.1/8.14.1) with ESMTP id l5NBa6dS001749
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sat, 23 Jun 2007 20:36:06 +0900 (JST)
	(envelope-from kazuaki@aliceblue.jp)
Received: (from kazuaki@localhost)
	by eyes.aliceblue.jp (8.14.1/8.14.1/Submit) id l5NBa61H001748;
	Sat, 23 Jun 2007 20:36:06 +0900 (JST)
	(envelope-from kazuaki@aliceblue.jp)
Message-Id: <200706231136.l5NBa61H001748@eyes.aliceblue.jp>
Date: Sat, 23 Jun 2007 20:36:06 +0900 (JST)
From: Kazuaki ODA <kazuaki@aliceblue.jp>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: 
Subject: usb/113964: [patch] ucom(4): kernel panic when dropping a connection
X-BeenThere: freebsd-usb@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Kazuaki ODA <kazuaki@aliceblue.jp>
List-Id: FreeBSD support for USB <freebsd-usb.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-usb>,
	<mailto:freebsd-usb-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-usb>
List-Post: <mailto:freebsd-usb@freebsd.org>
List-Help: <mailto:freebsd-usb-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-usb>,
	<mailto:freebsd-usb-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jun 2007 11:50:04 -0000


>Number:         113964
>Category:       usb
>Synopsis:       [patch] ucom(4): kernel panic when dropping a connection
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-usb
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 23 11:50:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Kazuaki ODA
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD eyes.aliceblue.jp 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Sat Jun 23 17:59:18 JST 2007 kazuaki@eyes.aliceblue.jp:/usr/obj/usr/src/sys/EYES i386


>Description:
	# kgdb kernel.debug /var/crash/vmcore.0
	[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
	GNU gdb 6.1.1 [FreeBSD]
	Copyright 2004 Free Software Foundation, Inc.
	GDB is free software, covered by the GNU General Public License, and you are
	welcome to change it and/or distribute copies of it under certain conditions.
	Type "show copying" to see the conditions.
	There is absolutely no warranty for GDB.  Type "show warranty" for details.
	This GDB was configured as "i386-marcel-freebsd".
	
	Unread portion of the kernel message buffer:
	
	
	Fatal trap 12: page fault while in kernel mode
	cpuid = 1; apic id = 01
	fault virtual address   = 0x0
	fault code              = supervisor write, page not present
	instruction pointer     = 0x20:0xc06cabf9
	stack pointer           = 0x28:0xe671c970
	frame pointer           = 0x28:0xe671c970
	code segment            = base 0x0, limit 0xfffff, type 0x1b
	                        = DPL 0, pres 1, def32 1, gran 1
	processor eflags        = interrupt enabled, resume, IOPL = 0
	current process         = 858 (cu)
	trap number             = 12
	panic: page fault
	cpuid = 1
	Uptime: 2m58s
	Physical memory: 1001 MB
	Dumping 55 MB: 40 24 8
	
	#0  doadump () at pcpu.h:195
	195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
	(kgdb) bt
	#0  doadump () at pcpu.h:195
	#1  0xc074b6d7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
	#2  0xc074b999 in panic (fmt=Variable "fmt" is not available.
	) at /usr/src/sys/kern/kern_shutdown.c:563
	#3  0xc0a0411e in trap_fatal (frame=0xe671c930, eva=0)
	    at /usr/src/sys/i386/i386/trap.c:870
	#4  0xc0a043a0 in trap_pfault (frame=0xe671c930, usermode=0, eva=0)
	    at /usr/src/sys/i386/i386/trap.c:784
	#5  0xc0a04d02 in trap (frame=0xe671c930) at /usr/src/sys/i386/i386/trap.c:462
	#6  0xc09eacab in calltrap () at /usr/src/sys/i386/i386/exception.s:139
	#7  0xc06cabf9 in usbd_setup_xfer (xfer=0x0, pipe=0x0, priv=0xc4618600,
	    buffer=0xc45f9d00, length=1, flags=1, timeout=0, callback=0xc0d9f860)
	    at /usr/src/sys/dev/usb/usbdi.c:545
	#8  0xc0d9f45d in ?? ()
	#9  0x00000000 in ?? ()
	#10 0x00000000 in ?? ()
	#11 0xc4618600 in ?? ()
	#12 0xc45f9d00 in ?? ()
	#13 0x00000001 in ?? ()
	#14 0x00000001 in ?? ()
	#15 0x00000000 in ?? ()
	#16 0xc0d9f860 in ?? ()
	#17 0x00000001 in ?? ()
	#18 0xc4098800 in ?? ()
	#19 0x00000003 in ?? ()
	#20 0xe671c9b0 in ?? ()
	#21 0xc078c9b8 in ttstart (tp=0xc4098800) at tty.h:393
	Previous frame identical to this frame (corrupt stack?)
	(kgdb) frame 7
	#7  0xc06cabf9 in usbd_setup_xfer (xfer=0x0, pipe=0x0, priv=0xc4618600,
	    buffer=0xc45f9d00, length=1, flags=1, timeout=0, callback=0xc0d9f860)
	    at /usr/src/sys/dev/usb/usbdi.c:545
	545             xfer->pipe = pipe;
	(kgdb) p xfer
	$1 = 0x0
	(kgdb) quit
>How-To-Repeat:
	1) Login to serial console on a remote machine via USB-serial converter.
	   For example:
	   # cu -l /dev/cuaU0 -s 115200

	2) And run the following command on the remote machine.
	   # sh -c "while true; do echo 'Hello, world!'; done"

	3) Type ~. to drop the connection while running above command.
	   So you will get a kernel panic.
>Fix:

	I don't know the proper fix but the following patch is workaround for
	me.

--- ucom.c.patch begins here ---
--- sys/dev/usb/ucom.c.orig	2007-06-22 23:45:37.000000000 +0900
+++ sys/dev/usb/ucom.c	2007-06-23 17:47:18.000000000 +0900
@@ -532,6 +532,9 @@
 	if (sc->sc_dying)
 		return;
 
+	if (sc->sc_oxfer == NULL)
+		return;
+
 	s = spltty();
 
 	if (tp->t_state & TS_TBLOCK) {
--- ucom.c.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted: