From owner-freebsd-usb@FreeBSD.ORG  Thu May 15 20:30:01 2008
Return-Path: <owner-freebsd-usb@FreeBSD.ORG>
Delivered-To: freebsd-usb@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CA6221065673
	for <freebsd-usb@hub.freebsd.org>; Thu, 15 May 2008 20:30:01 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id A4B038FC2F
	for <freebsd-usb@hub.freebsd.org>; Thu, 15 May 2008 20:30:01 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m4FKU16d010359
	for <freebsd-usb@freefall.freebsd.org>; Thu, 15 May 2008 20:30:01 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m4FKU1HU010358;
	Thu, 15 May 2008 20:30:01 GMT (envelope-from gnats)
Resent-Date: Thu, 15 May 2008 20:30:01 GMT
Resent-Message-Id: <200805152030.m4FKU1HU010358@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-usb@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Aragon Gouveia <aragon@phat.za.net>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6BA611065729
	for <freebsd-gnats-submit@FreeBSD.org>;
	Thu, 15 May 2008 20:26:45 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 577528FC15
	for <freebsd-gnats-submit@FreeBSD.org>;
	Thu, 15 May 2008 20:26:45 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m4FKPXfx099666
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 15 May 2008 20:25:33 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m4FKPXwA099665;
	Thu, 15 May 2008 20:25:33 GMT (envelope-from nobody)
Message-Id: <200805152025.m4FKPXwA099665@www.freebsd.org>
Date: Thu, 15 May 2008 20:25:33 GMT
From: Aragon Gouveia <aragon@phat.za.net>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: usb/123714: Panic when hald-storage-probe runs with umass device
	inserted
X-BeenThere: freebsd-usb@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: FreeBSD support for USB <freebsd-usb.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-usb>,
	<mailto:freebsd-usb-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-usb>
List-Post: <mailto:freebsd-usb@freebsd.org>
List-Help: <mailto:freebsd-usb-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-usb>,
	<mailto:freebsd-usb-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 15 May 2008 20:30:01 -0000


>Number:         123714
>Category:       usb
>Synopsis:       Panic when hald-storage-probe runs with umass device inserted
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-usb
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 15 20:30:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Aragon Gouveia
>Release:        7.0-STABLE
>Organization:
>Environment:
FreeBSD igor.geek.sh 7.0-STABLE FreeBSD 7.0-STABLE #5: Thu May 15 21:13:01 SAST 2008     root@igor.geek.sh:/usr/obj/usr/src/sys/IGOR  amd64
>Description:
To start off I'm not 100% sure if this is a USB problem.  It requires USB to reproduce though and I've never experienced a consistent crash like this in another context.  I'm filing this PR under usb, but please recategorise it if necessary.

If I boot my system with a USB mass storage device plugged in before the kernel loads, at the end of bootup when hald is started by rc a panic consistently occurs.

This ONLY happens if a umass device is inserted before the kernel loads and the kernel detects it at bootup.

Debugging information:

Unread portion of the kernel message buffer:
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address	= 0x30
fault code		= supervisor read data, page not present
instruction pointer	= 0x8:0xffffffff8022e310
stack pointer	        = 0x10:0xffffffffb1abe930
frame pointer	        = 0x10:0xffffff0004fcb350
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= resume, IOPL = 0
current process		= 801 (hald-probe-storage)
trap number		= 12
panic: page fault
cpuid = 0
GEOM_MIRROR: Device gm0: rebuilding provider ad8s2 stopped.
Uptime: 14s
Physical memory: 8115 MB
Dumping 363 MB: 348 332 316 300 284 268 252 236 220 204 188 172 156 140 124 108 92 76 60 44 28 12

#0  doadump () at pcpu.h:194
194		__asm __volatile("movq %%gs:0,%0" : "=r" (td));
(kgdb) list *0xffffffff8022e310
0xffffffff8022e310 is in turnstile_broadcast (/usr/src/sys/kern/subr_turnstile.c:835).
830	
831		/*
832		 * Transfer the blocked list to the pending list.
833		 */
834		mtx_lock_spin(&td_contested_lock);
835		TAILQ_CONCAT(&ts->ts_pending, &ts->ts_blocked[queue], td_lockq);
836		mtx_unlock_spin(&td_contested_lock);
837	
838		/*
839		 * Give a turnstile to each thread.  The last thread gets
(kgdb) backtrace
#0  doadump () at pcpu.h:194
#1  0x0000000000000004 in ?? ()
#2  0xffffffff801fc471 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#3  0xffffffff801fc8a2 in panic (fmt=0x104 <Address 0x104 out of bounds>) at /usr/src/sys/kern/kern_shutdown.c:572
#4  0xffffffff8031e4ca in trap_fatal (frame=0xffffff0004fcb350, eva=18446742974281725032) at /usr/src/sys/amd64/amd64/trap.c:724
#5  0xffffffff8031efe8 in trap (frame=0xffffffffb1abe880) at /usr/src/sys/amd64/amd64/trap.c:251
#6  0xffffffff80305f5e in calltrap () at /usr/src/sys/amd64/amd64/exception.S:169
#7  0xffffffff8022e310 in turnstile_broadcast (ts=0x0, queue=0) at /usr/src/sys/kern/subr_turnstile.c:835
#8  0xffffffff801f1756 in _mtx_unlock_sleep (m=0xffffffff804d1540, opts=Variable "opts" is not available.
) at /usr/src/sys/kern/kern_mutex.c:611
#9  0xffffffff801f1a53 in unlock_mtx (lock=0x2) at /usr/src/sys/kern/kern_mutex.c:158
#10 0xffffffff80203c38 in _sleep (ident=0x0, lock=0xffffffff804d1540, priority=256, wmesg=0xffffffff8066d72b "sgread", timo=0)
    at /usr/src/sys/kern/kern_synch.c:187
#11 0xffffffff80666389 in sgread (dev=Variable "dev" is not available.
) at /usr/src/sys/modules/cam/../../cam/scsi/scsi_sg.c:798
#12 0xffffffff801ce572 in giant_read (dev=0xffffff00049f5800, uio=0xffffffffb1abeb00, ioflag=0)
    at /usr/src/sys/kern/kern_conf.c:421
#13 0xffffffff801b5fad in devfs_read_f (fp=0xffffff0004f844b0, uio=0xffffffffb1abeb00, cred=Variable "cred" is not available.
)
    at /usr/src/sys/fs/devfs/devfs_vnops.c:880
#14 0xffffffff8022fa81 in dofileread (td=0xffffff0004fcb350, fd=Variable "fd" is not available.
) at file.h:242
#15 0xffffffff80230602 in kern_readv (td=0xffffff0004fcb350, fd=4, auio=0xffffffffb1abeb00) at /usr/src/sys/kern/sys_generic.c:192
#16 0xffffffff802306c2 in read (td=Variable "td" is not available.
) at /usr/src/sys/kern/sys_generic.c:108
#17 0xffffffff8031ea4b in syscall (frame=0xffffffffb1abec70) at /usr/src/sys/amd64/amd64/trap.c:852
#18 0xffffffff8030616b in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:290
#19 0x0000000800ce6ebc in ?? ()
Previous frame inner to this frame (corrupt stack?)


My kernel config:
ident		IGOR
maxusers	256
makeoptions	DEBUG=-g
options 	SCHED_ULE		#ULE scheduler
options		COMPAT_43TTY
options		COMPAT_IA32
options 	COMPAT_FREEBSD4		#Compatible with FreeBSD4
options		COMPAT_FREEBSD5
options		COMPAT_FREEBSD6
options 	SYSVSHM			#SYSV-style shared memory
options 	SYSVMSG			#SYSV-style message queues
options 	SYSVSEM			#SYSV-style semaphores
cpu		HAMMER
device		acpi
options		SMP
options		PREEMPTION
options		ADAPTIVE_GIANT
options		STOP_NMI
options 	INET			#InterNETworking
device		loop		# Network loopback
device		ether		# Ethernet support
device		bpf		# Berkeley packet filter
options 	FFS			#Berkeley Fast Filesystem
options 	SOFTUPDATES		#Enable FFS soft updates support
options 	UFS_DIRHASH		#Improve performance on big directories
options		UFS_GJOURNAL
device		random		# Entropy device
device		pty		# Pseudo-ttys (telnet etc)
device		pci
device		atkbdc		# AT keyboard controller
device		atkbd		# AT keyboard
options		KBD_INSTALL_CDEV
device		kbdmux
device		psm
device		vga		# VGA video card driver
device		sc
options		SC_HISTORY_SIZE=1000
device		ata
device		atadisk			# ATA disk drives
device		atapicd			# ATAPI CDROM drives
options 	ATA_STATIC_ID		#Static device numbering
options 	_KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions
options		CONSPEED=115200
device		uhci
device		ehci
device		usb


Full dmesg:
Copyright (c) 1992-2008 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.0-STABLE #5: Thu May 15 21:13:01 SAST 2008
    root@igor.geek.sh:/usr/obj/usr/src/sys/IGOR
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Core(TM)2 Duo CPU     E8500  @ 3.16GHz (3185.32-MHz K8-class CPU)
  Origin = "GenuineIntel"  Id = 0x10676  Stepping = 6
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x8e3fd<SSE3,RSVD2,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,<b19>>
  AMD Features=0x20100800<SYSCALL,NX,LM>
  AMD Features2=0x1<LAHF>
  Cores per package: 2
usable memory = 8509808640 (8115 MB)
avail memory  = 8225095680 (7844 MB)
ACPI APIC Table: <INTEL  DG33BU  >
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
ioapic0: Changing APIC ID to 2
ioapic0 <Version 2.0> irqs 0-23 on motherboard
kbd1 at kbdmux0
acpi0: <INTEL DG33BU> on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
acpi_hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 900
cpu0: <ACPI CPU> on acpi0
est0: <Enhanced SpeedStep Frequency Control> on cpu0
est0: Setting 3163 MHz
p4tcc0: <CPU Frequency Thermal Control> on cpu0
cpu1: <ACPI CPU> on acpi0
est1: <Enhanced SpeedStep Frequency Control> on cpu1
est1: Setting 3163 MHz
p4tcc1: <CPU Frequency Thermal Control> on cpu1
acpi_button0: <Sleep Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pcib1: <ACPI PCI-PCI bridge> at device 1.0 on pci0
pci1: <ACPI PCI bus> on pcib1
vgapci0: <VGA-compatible display> port 0x3000-0x30ff mem 0xd0000000-0xdfffffff,0xe4200000-0xe420ffff irq 16 at device 0.0 on pci1
pci1: <multimedia> at device 0.1 (no driver attached)
pci0: <simple comms> at device 3.0 (no driver attached)
em0: <Intel(R) PRO/1000 Network Connection Version - 6.7.3> port 0x4400-0x441f mem 0xe4300000-0xe431ffff,0xe4324000-0xe4324fff irq 20 at device 25.0 on pci0
em0: Using MSI interrupt
em0: Ethernet address: 00:1c:c0:30:9b:91
em0: [FILTER]
uhci0: <UHCI (generic) USB controller> port 0x40e0-0x40ff irq 18 at device 26.0 on pci0
uhci0: [GIANT-LOCKED]
uhci0: [ITHREAD]
usb0: <UHCI (generic) USB controller> on uhci0
usb0: USB revision 1.0
uhub0: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb0
uhub0: 2 ports with 2 removable, self powered
uhci1: <UHCI (generic) USB controller> port 0x40c0-0x40df irq 21 at device 26.1 on pci0
uhci1: [GIANT-LOCKED]
uhci1: [ITHREAD]
usb1: <UHCI (generic) USB controller> on uhci1
usb1: USB revision 1.0
uhub1: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb1
uhub1: 2 ports with 2 removable, self powered
uhci2: <UHCI (generic) USB controller> port 0x40a0-0x40bf irq 17 at device 26.2 on pci0
uhci2: [GIANT-LOCKED]
uhci2: [ITHREAD]
usb2: <UHCI (generic) USB controller> on uhci2
usb2: USB revision 1.0
uhub2: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb2
uhub2: 2 ports with 2 removable, self powered
ehci0: <EHCI (generic) USB 2.0 controller> mem 0xe4325c00-0xe4325fff irq 17 at device 26.7 on pci0
ehci0: [GIANT-LOCKED]
ehci0: [ITHREAD]
usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: <EHCI (generic) USB 2.0 controller> on ehci0
usb3: USB revision 2.0
uhub3: <Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1> on usb3
uhub3: 6 ports with 6 removable, self powered
umass0: <OnSpec USB2 CF Device, class 0/0, rev 2.00/2.22, addr 2> on uhub3
pci0: <multimedia> at device 27.0 (no driver attached)
pcib2: <ACPI PCI-PCI bridge> at device 28.0 on pci0
pci2: <ACPI PCI bus> on pcib2
pcib3: <ACPI PCI-PCI bridge> at device 28.1 on pci0
pci3: <ACPI PCI bus> on pcib3
atapci0: <Marvell 88SX6101 UDMA133 controller> port 0x2018-0x201f,0x2024-0x2027,0x2010-0x2017,0x2020-0x2023,0x2000-0x200f mem 0xe4100000-0xe41001ff irq 17 at device 0.0 on pci3
atapci0: [ITHREAD]
ata2: <ATA channel 0> on atapci0
ata2: [ITHREAD]
pcib4: <ACPI PCI-PCI bridge> at device 28.2 on pci0
pci4: <ACPI PCI bus> on pcib4
pcib5: <ACPI PCI-PCI bridge> at device 28.3 on pci0
pci5: <ACPI PCI bus> on pcib5
pcib6: <ACPI PCI-PCI bridge> at device 28.4 on pci0
pci6: <ACPI PCI bus> on pcib6
uhci3: <UHCI (generic) USB controller> port 0x4080-0x409f irq 23 at device 29.0 on pci0
uhci3: [GIANT-LOCKED]
uhci3: [ITHREAD]
usb4: <UHCI (generic) USB controller> on uhci3
usb4: USB revision 1.0
uhub4: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb4
uhub4: 2 ports with 2 removable, self powered
uhci4: <UHCI (generic) USB controller> port 0x4060-0x407f irq 19 at device 29.1 on pci0
uhci4: [GIANT-LOCKED]
uhci4: [ITHREAD]
usb5: <UHCI (generic) USB controller> on uhci4
usb5: USB revision 1.0
uhub5: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb5
uhub5: 2 ports with 2 removable, self powered
uhci5: <UHCI (generic) USB controller> port 0x4040-0x405f irq 18 at device 29.2 on pci0
uhci5: [GIANT-LOCKED]
uhci5: [ITHREAD]
usb6: <UHCI (generic) USB controller> on uhci5
usb6: USB revision 1.0
uhub6: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb6
uhub6: 2 ports with 2 removable, self powered
ehci1: <EHCI (generic) USB 2.0 controller> mem 0xe4325800-0xe4325bff irq 23 at device 29.7 on pci0
ehci1: [GIANT-LOCKED]
ehci1: [ITHREAD]
usb7: EHCI version 1.0
usb7: companion controllers, 2 ports each: usb4 usb5 usb6
usb7: <EHCI (generic) USB 2.0 controller> on ehci1
usb7: USB revision 2.0
uhub7: <Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1> on usb7
uhub7: 6 ports with 6 removable, self powered
pcib7: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci7: <ACPI PCI bus> on pcib7
pci7: <multimedia, video> at device 0.0 (no driver attached)
pci7: <network, ethernet> at device 1.0 (no driver attached)
pci7: <serial bus, FireWire> at device 3.0 (no driver attached)
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci1: <Intel AHCI controller> port 0x4428-0x442f,0x4434-0x4437,0x4420-0x4427,0x4430-0x4433,0x4020-0x403f mem 0xe4325000-0xe43257ff irq 21 at device 31.2 on pci0
atapci1: [ITHREAD]
atapci1: AHCI Version 01.20 controller with 6 ports detected
ata3: <ATA channel 0> on atapci1
ata3: [ITHREAD]
ata4: <ATA channel 1> on atapci1
ata4: [ITHREAD]
ata5: <ATA channel 2> on atapci1
ata5: [ITHREAD]
ata6: <ATA channel 3> on atapci1
ata6: [ITHREAD]
ata7: <ATA channel 4> on atapci1
ata7: [ITHREAD]
ata8: <ATA channel 5> on atapci1
ata8: [ITHREAD]
pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
orm0: <ISA Option ROM> at iomem 0xd2800-0xd3fff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
atkbd0: [ITHREAD]
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
ukbd0: <Logitech USB Multimedia Keyboard, class 0/0, rev 1.10/0.70, addr 2> on uhub0
kbd2 at ukbd0
ums0: <Microsoft SideWinder? Mouse, class 0/0, rev 2.00/2.25, addr 2> on uhub2
ums0: 5 buttons and Z dir.
ugen0: <vendor 0x0aa8 product 0x8001, class 0/0, rev 1.10/2.02, addr 2> on uhub6
Timecounters tick every 1.000 msec
acd0: DMA limited to UDMA33, device found non-ATA66 cable
acd0: DVDR <LITE-ON DVDRW SOHW-1653S/CS0T> at ata2-master UDMA33
ad6: 715404MB <Seagate ST3750330AS SD15> at ata3-master SATA300
ad8: 715404MB <Seagate ST3750330AS SD15> at ata4-master SATA300
GEOM_MIRROR: Device mirror/gm0 launched (1/2).
GEOM_MIRROR: Device gm0: rebuilding provider ad8s2.
SMP: AP CPU #1 Launched!
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <OEI-USB2 CompactFlash 2.22> Removable Direct Access SCSI-0 device 
da0: 40.000MB/s transfers
da0: 15631MB (32014080 512 byte sectors: 255H 63S/T 1992C)
Trying to mount root from ufs:/dev/mirror/gm0a

>How-To-Repeat:
Enable USB, install hald and its dependencies, boot up with a umass device inserted before kernel load and start hald.  I have found this crash to be reproducible on my i386 machines too.

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted: