Date: Mon, 19 Jan 2009 12:12:54 GMT
From: Theo van Klaveren <theo.van.klaveren@ats-global.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: usb/130736: Page fault unplugging USB stick
Message-ID: <200901191212.n0JCCs8J020274@www.freebsd.org>
Resent-Message-ID: <200901191220.n0JCK1a4019178@freefall.freebsd.org>

>Number:         130736
>Category:       usb
>Synopsis:       Page fault unplugging USB stick
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-usb
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 19 12:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Theo van Klaveren
>Release:        7.1-RELEASE
>Organization:
ATS Applied Tech Systems BV
>Environment:
FreeBSD beheerbox.beheerbox.org 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan 1 14:37:25 UTC 2009 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Unplugging any USB mass storage device while it is being initialized leads to a kernel page fault. This is 100% reproducible and as the machine is being used by many people, it panics often because of this bug.

The relevant bits from dmesg:

usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: <Intel 82801DB/L/M (ICH4) USB 2.0 controller> on ehci0
usb3: USB revision 2.0
uhub3: <Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1> on usb3
uhub3: 6 ports with 6 removable, self powered

This is the device (but any USB mass storage device will work):

umass0: <P Technology USB Mass Storage Device, class 0/0, rev 2.00/1.00, addr 2> on uhub3
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <UT163 USB Flash Disk 0.00> Removable Direct Access SCSI-2 device
da0: 40.000MB/s transfers
da0: 480MB (983040 512 byte sectors: 64H 32S/T 480C)

The following crash log information is typed in by hand, so please excuse any errors:

umass0: BBB reset failed, IOERROR
umass0: at uhub3 port 6 (addr 2) disconnected
(da0: umass-sim0:0:0:0): lost device

Fatal trap 12: page fault while in kernel mode
cpuid=0; apic id=00
fault virtual address   = 0x0
fault code              = supervisor write, page not present
instruction pointer     = 0x20: 0xc046ae6b
stack pointer           = 0x28: 0xe3f87b0c
frame pointer           = 0x28: 0xe3f87b28
code segment            = base 0x0, limit 0xffffff, type 0x1b
                        = DPL 0, pres 0, def32 1, gran 1
processor eflags        = int enabled, resume, IOPL=0
current process         = 2 (g_event)
trap number             = 12
panic: page fault
cpuid=0

The instruction pointer points to the xpt_done() function. From disassembly, it looks like the crash is around here (from http://svn.freebsd.org/viewvc/base/release/7.1.0/sys/cam/cam_xpt.c?revision=186660&view=markup):

        switch (done_ccb->ccb_h.path->periph->type) {
        case CAM_PERIPH_BIO:
                TAILQ_INSERT_TAIL(&sim->sim_doneq, &done_ccb->ccb_h, sim_links.tqe);
                done_ccb->ccb_h.pinfo.index = CAM_DONEQ_INDEX;

If more information is required, please let me know. I'm not familiar enough with this code to really dive in. I have one or two vmcores lying around which I could send to anyone investigating this issue.
>How-To-Repeat:
- Insert USB mass storage device (a memory stick will do).
- Remove it during initialisation (within two seconds or so).
- Page fault.
>Fix:
- Educate users (right...)
>Release-Note:
>Audit-Trail:
>Unformatted: