Message-ID: <40C8DED6.8010308@leakingmemory.org>
Date: Fri, 11 Jun 2004 00:21:10 +0200
From: Jan-Espen Pettersen
To: freebsd-current@freebsd.org
Subject: Page fault with ugen

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I got a page fault immediately after detach of a ugen device open by a
process (coldsync).

panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xc4269370
fault code              = supervisor write, page not present
instruction pointer     = 0x8:0xc049c5c2
stack pointer           = 0x10:0xe334fb3c
frame pointer           = 0x10:0xe334fb58
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 57673 (coldsync)
kernel: type 12 trap, code=0
Dumping 1023 MB
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 256 272 288 304 320 336 352 368 384 400 416 432 448 464 480 496 512 528 544 560 576 592 608 624 640 656 672 688 704 720 736 752 768 784 800 816 832 848 864 880 896 912 928 944 960 976 992 1008
---

(kgdb) bt
#0  doadump () at /usr/src/FreeBSD-CURRENT/sys/kern/kern_shutdown.c:236
#1  0xc04593ea in db_fncall (dummy1=0, dummy2=0, dummy3=-1066485292,
    dummy4=0xe334f978 "") at /usr/src/FreeBSD-CURRENT/sys/ddb/db_command.c:551
#2  0xc04591f0 in db_command (last_cmdp=0xc06ab720, cmd_table=0x0,
    aux_cmd_tablep=0xc067aa24, aux_cmd_tablep_end=0xc067aa28)
    at /usr/src/FreeBSD-CURRENT/sys/ddb/db_command.c:348
#3  0xc04592d0 in db_command_loop ()
    at /usr/src/FreeBSD-CURRENT/sys/ddb/db_command.c:475
#4  0xc045ba65 in db_trap (type=12, code=0)
    at /usr/src/FreeBSD-CURRENT/sys/ddb/db_trap.c:73
#5  0xc0611b75 in kdb_trap (type=12, code=0, regs=0xe334fafc)
    at /usr/src/FreeBSD-CURRENT/sys/i386/i386/db_interface.c:159
#6  0xc061f93b in trap_fatal (frame=0xe334fafc, eva=3290862448)
    at /usr/src/FreeBSD-CURRENT/sys/i386/i386/trap.c:810
#7  0xc061f6a7 in trap_pfault (frame=0xe334fafc, usermode=0, eva=3290862448)
    at /usr/src/FreeBSD-CURRENT/sys/i386/i386/trap.c:733
#8  0xc061f329 in trap (frame=
      {tf_fs = 24, tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = -1004104868, tf_ebp = -483067048, tf_isp = -483067096, tf_ebx = -1004104896, tf_edx = 4, tf_ecx = 1, tf_eax = 0, tf_trapno = 12, tf_err = 2, tf_eip = -1068907070, tf_cs = 8, tf_eflags = 66050, tf_esp = -969982592, tf_ss = -969982592})
    at /usr/src/FreeBSD-CURRENT/sys/i386/i386/trap.c:420
#9  0xc049c5c2 in ugenclose (dev=0xc4269340, flag=3, mode=8192, p=0xc4b65420)
    at /usr/src/FreeBSD-CURRENT/sys/dev/usb/ugen.c:558
---Type <return> to continue, or q <return> to quit---
#10 0xc04b9912 in spec_close (ap=0xe334fba4)
    at /usr/src/FreeBSD-CURRENT/sys/fs/specfs/spec_vnops.c:637
#11 0xc04b891f in spec_vnoperate (ap=0x0)
    at /usr/src/FreeBSD-CURRENT/sys/fs/specfs/spec_vnops.c:118
#12 0xc053d58c in vn_close (vp=0xc2bac820, flags=0, file_cred=0x0, td=0x0)
    at vnode_if.h:262
#13 0xc053e2f6 in vn_closefile (fp=0xc3089660, td=0xc4b65420)
    at /usr/src/FreeBSD-CURRENT/sys/kern/vfs_vnops.c:930
#14 0xc04d0b98 in fdrop_locked (fp=0xc3089660, td=0xc4b65420)
    at /usr/src/FreeBSD-CURRENT/sys/sys/file.h:288
#15 0xc04d0000 in fdrop (fp=0xc3089660, td=0xc4b65420)
    at /usr/src/FreeBSD-CURRENT/sys/kern/kern_descrip.c:1879
#16 0xc04cffd3 in closef (fp=0xc3089660, td=0xc4b65420)
    at /usr/src/FreeBSD-CURRENT/sys/kern/kern_descrip.c:1865
#17 0xc04ce831 in close (td=0xc4b65420, uap=0x0)
    at /usr/src/FreeBSD-CURRENT/sys/kern/kern_descrip.c:966
#18 0xc061fbff in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 134727680, tf_esi = 134742272, tf_ebp = -1077941416, tf_isp = -483066508, tf_ebx = 671896672, tf_edx = 134701472, tf_ecx = 0, tf_eax = 6, tf_trapno = 12, tf_err = 2, tf_eip = 673025551, tf_cs = 31, tf_eflags = 658, tf_esp = -1077941460, tf_ss = 47})
    at /usr/src/FreeBSD-CURRENT/sys/i386/i386/trap.c:1004
#19 0x281d8e0f in ?? ()
---Can't read userspace from dump, or kernel process---

(kgdb) up 9
#9  0xc049c5c2 in ugenclose (dev=0xc4269340, flag=3, mode=8192, p=0xc4b65420)
    at /usr/src/FreeBSD-CURRENT/sys/dev/usb/ugen.c:558
558                     usbd_close_pipe(sce->pipeh);
(kgdb) list
553                             continue;
554                     DPRINTFN(5, ("ugenclose: endpt=%d dir=%d sce=%p\n",
555                                  endpt, dir, sce));
556
557                     usbd_abort_pipe(sce->pipeh);
558                     usbd_close_pipe(sce->pipeh);
559                     sce->pipeh = NULL;
560
561                     switch (sce->edesc->bmAttributes & UE_XFERTYPE) {
562                     case UE_INTERRUPT:
(kgdb) print sce
$1 = (struct ugen_endpoint *) 0xc426935c
(kgdb) print *sce
can not access 0xc426935c, invalid address (c426935c)
can not access 0xc426935c, invalid address (c426935c)
Cannot access memory at address 0xc426935c
(kgdb) print sc
$2 = (struct ugen_softc *) 0xc4269000
(kgdb) print *sc
can not access 0xc4269000, invalid address (c4269000)
can not access 0xc4269000, invalid address (c4269000)
Cannot access memory at address 0xc4269000

I'm not sure if this is a solution or if it is just good luck (or
insufficient testing) that it works... The question is if sc is really a
junk pointer too, although I think it should have panicked earlier if that
was the case.

Index: sys/dev/usb/ugen.c =================================================================== RCS file: /usr/ncvs/src/sys/dev/usb/ugen.c,v retrieving revision 1.83 diff -u -r1.83 ugen.c - --- sys/dev/usb/ugen.c 21 Feb 2004 21:10:48 -0000 1.83 +++ sys/dev/usb/ugen.c 10 Jun 2004 20:07:21 -0000 @@ -546,6 +546,8 @@ ~ } ~ for (dir = OUT; dir <= IN; dir++) { + if (sc->sc_dying) + break; ~ if (!(flag & (dir == OUT ? FWRITE : FREAD))) ~ continue; ~ sce = &sc->sc_endpoints[endpt][dir];

( http://www.leakingmemory.org/patches/usb/ugen_pfault.diff )

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAyN7WH90qNYni6VoRAhqIAJ9LR484B9MI+7n3E201z4Ur/dCpWACZAVqV
r9M4lfPqXkuAoEoTPfbhKIc=
=tT0B
-----END PGP SIGNATURE-----
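
Review bot: the added `if (sc->sc_dying)` test at the top of the `for (dir = OUT; dir <= IN; dir++)` loop reads through `sc`, and the kgdb session in this message reports `sc` (0xc4269000) as inaccessible together with `sce` (0xc426935c), which lies inside it because `sce = &sc->sc_endpoints[endpt][dir]`. If the softc can already be gone when ugenclose runs, this check dereferences the same stale memory it is meant to guard, so it can narrow the window but cannot close it; the lifetime of `sc` across an open descriptor needs to be guaranteed first (for example a reference held from open to close, or detach waiting for the last close) before a flag stored in it can be trusted. The `break` also leaves the loop without reaching the `usbd_abort_pipe(sce->pipeh)` and `usbd_close_pipe(sce->pipeh)` calls shown at lines 557-558 of the listing, so the change should say which path releases those pipes on a dying device. A short comment on the new check explaining why it is re-evaluated on every iteration, rather than once before the loop, would help as well.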