From owner-freebsd-usb@FreeBSD.ORG Mon Jan 19 12:20:01 2009
Return-Path:
Delivered-To: freebsd-usb@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
    by hub.freebsd.org (Postfix) with ESMTP id C5C521065676
    for ; Mon, 19 Jan 2009 12:20:01 +0000 (UTC)
    (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28])
    by mx1.freebsd.org (Postfix) with ESMTP id A18438FC14
    for ; Mon, 19 Jan 2009 12:20:01 +0000 (UTC)
    (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
    by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n0JCK1v0019179
    for ; Mon, 19 Jan 2009 12:20:01 GMT
    (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
    by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n0JCK1a4019178;
    Mon, 19 Jan 2009 12:20:01 GMT (envelope-from gnats)
Resent-Date: Mon, 19 Jan 2009 12:20:01 GMT
Resent-Message-Id: <200901191220.n0JCK1a4019178@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-usb@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Theo van Klaveren
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
    by hub.freebsd.org (Postfix) with ESMTP id C5025106572A
    for ; Mon, 19 Jan 2009 12:12:54 +0000 (UTC)
    (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
    by mx1.freebsd.org (Postfix) with ESMTP id B22738FC08
    for ; Mon, 19 Jan 2009 12:12:54 +0000 (UTC)
    (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
    by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n0JCCsCY020275
    for ; Mon, 19 Jan 2009 12:12:54 GMT
    (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
    by www.freebsd.org (8.14.3/8.14.3/Submit) id n0JCCs8J020274;
    Mon, 19 Jan 2009 12:12:54 GMT (envelope-from nobody)
Message-Id: <200901191212.n0JCCs8J020274@www.freebsd.org>
Date: Mon, 19 Jan 2009 12:12:54 GMT
From: Theo van Klaveren
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: usb/130736: Page fault unplugging USB stick
X-BeenThere: freebsd-usb@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: FreeBSD support for USB
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 19 Jan 2009 12:20:02 -0000

>Number: 130736
>Category: usb
>Synopsis: Page fault unplugging USB stick
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-usb
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 19 12:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Theo van Klaveren
>Release: 7.1-RELEASE
>Organization: ATS Applied Tech Systems BV
>Environment:
FreeBSD beheerbox.beheerbox.org 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan 1 14:37:25 UTC 2009 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Unplugging any USB mass storage device while it is being initialized leads to a kernel page fault. This is 100% reproducible and as the machine is being used by many people, it panics often because of this bug.

The relevant bits from dmesg:

    usb3: EHCI version 1.0
    usb3: companion controllers, 2 ports each: usb0 usb1 usb2
    usb3: on ehci0
    usb3: USB revision 2.0
    uhub3: on usb3
    uhub3: 6 ports with 6 removable, self powered

This is the device (but any USB mass storage device will work):

    umass0: on uhub3
    da0 at umass-sim0 bus 0 target 0 lun 0
    da0: Removable Direct Access SCSI-2 device
    da0: 40.000MB/s transfers
    da0: 480MB (983040 512 byte sectors: 64H 32S/T 480C)

The following crash log information is typed in by hand, so please excuse any errors:

    umass0: BBB reset failed, IOERROR
    umass0: at uhub3 port 6 (addr 2) disconnected
    (da0: umass-sim0:0:0:0): lost device

    Fatal trap 12: page fault while in kernel mode
    cpuid=0; apic id=00
    fault virtual address = 0x0
    fault code            = supervisor write, page not present
    instruction pointer   = 0x20: 0xc046ae6b
    stack pointer         = 0x28: 0xe3f87b0c
    frame pointer         = 0x28: 0xe3f87b28
    code segment          = base 0x0, limit 0xffffff, type 0x1b
                          = DPL 0, pres 0, def32 1, gran 1
    processor eflags      = int enabled, resume, IOPL=0
    current process       = 2 (g_event)
    trap number           = 12
    panic: page fault
    cpuid=0

The instruction pointer points to the xpt_done() function. From disassembly, it looks like the crash is around here (from http://svn.freebsd.org/viewvc/base/release/7.1.0/sys/cam/cam_xpt.c?revision=186660&view=markup):

    switch (done_ccb->ccb_h.path->periph->type) {
    case CAM_PERIPH_BIO:
        TAILQ_INSERT_TAIL(&sim->sim_doneq, &done_ccb->ccb_h,
            sim_links.tqe);
        done_ccb->ccb_h.pinfo.index = CAM_DONEQ_INDEX;

If more information is required, please let me know. I'm not familiar enough with this code to really dive in. I have one or two vmcores lying around which I could send to anyone investigating this issue.
>How-To-Repeat:
- Insert USB mass storage device (a memory stick will do).
- Remove it during initialisation (within two seconds or so).
- Page fault.
>Fix:
- Educate users (right...)
>Release-Note:
>Audit-Trail:
>Unformatted:
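
Added triage example, not part of the original report and not FreeBSD code: the report does not identify the cause, and this user-space sketch only shows one condition under which the quoted TAILQ_INSERT_TAIL line performs a store through address 0, which is what "supervisor write" at fault address 0x0 describes. The struct layouts and the helpers make_sim(), store_target_is_null() and checked_insert() are hypothetical stand-ins, and the zeroed queue head is a constructed input.

```c
#include <stdio.h>
#include <string.h>
#include <sys/queue.h>

/* Hypothetical stand-ins for the CAM structures named in the report. */
struct ccb_hdr {
    TAILQ_ENTRY(ccb_hdr) sim_links;
    int index;
};
TAILQ_HEAD(doneq, ccb_hdr);
struct sim {
    struct doneq sim_doneq;
};

/* Build a sim whose done queue is either initialized or left zeroed. */
static void make_sim(struct sim *s, int initialized)
{
    memset(s, 0, sizeof(*s));          /* constructed: zeroed queue head */
    if (initialized)
        TAILQ_INIT(&s->sim_doneq);     /* sets tqh_last = &tqh_first */
}

/* TAILQ_INSERT_TAIL ends with `*(head)->tqh_last = elm`.
 * Returns 1 when that store would go through address 0. */
int store_target_is_null(int initialized)
{
    struct sim s;
    make_sim(&s, initialized);
    return s.sim_doneq.tqh_last == NULL;
}

/* Checked insert: 0 on success, -1 if the queue head is unusable. */
int checked_insert(int initialized)
{
    struct sim s;
    struct ccb_hdr h;
    memset(&h, 0, sizeof(h));
    make_sim(&s, initialized);
    if (s.sim_doneq.tqh_last == NULL)
        return -1;                     /* refuse instead of faulting */
    TAILQ_INSERT_TAIL(&s.sim_doneq, &h, sim_links);
    return TAILQ_FIRST(&s.sim_doneq) == &h ? 0 : -2;
}

int main(void)
{
    printf("initialized head stores via NULL: %d\n", store_target_is_null(1));
    printf("zeroed head stores via NULL:      %d\n", store_target_is_null(0));
    printf("checked insert, zeroed head:      %d\n", checked_insert(0));
    printf("checked insert, initialized head: %d\n", checked_insert(1));
    return 0;
}
```

When reading one of the vmcores, the equivalent check is whether the done queue's tqh_last is NULL at the time of the fault.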