From owner-freebsd-bugs@FreeBSD.ORG Fri Jun 17 05:50:27 2005
Return-Path:
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CEC9716A41C for ; Fri, 17 Jun 2005 05:50:27 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 99DF343D1F for ; Fri, 17 Jun 2005 05:50:27 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j5H5oRRH029379 for ; Fri, 17 Jun 2005 05:50:27 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j5H5oRpH029378; Fri, 17 Jun 2005 05:50:27 GMT (envelope-from gnats)
Resent-Date: Fri, 17 Jun 2005 05:50:27 GMT
Resent-Message-Id: <200506170550.j5H5oRpH029378@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Artemiev Igor
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 85D2616A41C for ; Fri, 17 Jun 2005 05:48:27 +0000 (GMT) (envelope-from ai@bmc.brk.ru)
Received: from stalker.bmc.brk.ru (stalker.bmc.brk.ru [217.150.59.166]) by mx1.FreeBSD.org (Postfix) with ESMTP id AC20443D1F for ; Fri, 17 Jun 2005 05:48:26 +0000 (GMT) (envelope-from ai@bmc.brk.ru)
Message-Id: <200506170548.j5H5mNKA004008@bmc-gw.bmc.brk.ru>
Date: Fri, 17 Jun 2005 09:48:23 +0400 (MSD)
From: Artemiev Igor
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: kern/82350: null pointer dereference in USB stack
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Artemiev Igor
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 17 Jun 2005 05:50:27 -0000

>Number:         82350
>Category:       kern
>Synopsis:       null pointer dereference in USB stack
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 17 05:50:26 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Artemiev Igor
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
Bryansk Medical Center
>Environment:
System: FreeBSD bmc-gw.bmc.brk.ru 5.4-STABLE FreeBSD 5.4-STABLE #7: Sat Jun 4 12:22:45 MSD 2005 root@bmc-gw.bmc.brk.ru:/usr/obj/usr/src/sys/bmc-gw.kernel i386

Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 5.4-STABLE #7: Sat Jun 4 12:22:45 MSD 2005
    root@bmc-gw.bmc.brk.ru:/usr/obj/usr/src/sys/bmc-gw.kernel
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Pentium(R) 4 CPU 2.80GHz (2793.01-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0xf29  Stepping = 9
  Features=0xbfebfbff
Hyperthreading: 2 logical CPUs
real memory  = 535691264 (510 MB)
avail memory = 518729728 (494 MB)
ACPI APIC Table:
ioapic0: Changing APIC ID to 2
ioapic0 irqs 0-23 on motherboard
ioapic1 irqs 24-47 on motherboard
npx0: on motherboard
npx0: INT 16 interface
acpi0: on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
cpu0: on acpi0
acpi_button0: on acpi0
pcib0: port 0xcf8-0xcff on acpi0
pci0: on pcib0
pcib1: at device 3.0 on pci0
pci1: on pcib1
em0: port 0x9000-0x901f mem 0xf1000000-0xf101ffff,0xf1020000-0xf103ffff irq 18 at device 1.0 on pci1
em0: Ethernet address: 00:11:2f:2c:7b:0c
em0: Speed:N/A Duplex:N/A
pcib2: at device 28.0 on pci0
pci2: on pcib2
fxp0: port 0xa000-0xa03f mem 0xf5000000-0xf50fffff,0xf5100000-0xf5100fff irq 24 at device 2.0 on pci2
miibus0: on fxp0
inphy0: on miibus0
inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp0: Ethernet address: 00:a9:40:0f:88:15
uhci0: port 0xc400-0xc41f irq 16 at device 29.0 on pci0
usb0: on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: port 0xc000-0xc01f irq 19 at device 29.1 on pci0
usb1: on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
pci0: at device 29.4 (no driver attached)
pci0: at device 29.5 (no driver attached)
ehci0: mem 0xf5200000-0xf52003ff irq 23 at device 29.7 on pci0
usb2: EHCI version 1.0
usb2: companion controllers, 2 ports each: usb0 usb1
usb2: on ehci0
usb2: USB revision 2.0
uhub2: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub2: 4 ports with 4 removable, self powered
pcib3: at device 30.0 on pci0
pci3: on pcib3
fxp1: port 0xb000-0xb03f mem 0xf4000000-0xf40fffff,0xf4140000-0xf4140fff irq 20 at device 2.0 on pci3
miibus1: on fxp1
inphy1: on miibus1
inphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp1: Ethernet address: 00:90:27:99:0b:e6
em1: port 0xb400-0xb43f mem 0xf4120000-0xf413ffff,0xf4100000-0xf411ffff irq 18 at device 8.0 on pci3
em1: Ethernet address: 00:11:2f:2c:7b:0d
em1: Speed:N/A Duplex:N/A
pci3: at device 9.0 (no driver attached)
isab0: at device 31.0 on pci0
isa0: on isab0
atapci0: port 0xf000-0xf00f,0x376,0x170-0x177,0x3f6,0x1f0-0x1f7 at device 31.1 on pci0
ata0: channel #0 on atapci0
ata1: channel #1 on atapci0
atapci1: port 0xd800-0xd80f,0xd400-0xd403,0xd000-0xd007,0xcc00-0xcc03,0xc800-0xc807 irq 18 at device 31.2 on pci0
ata2: channel #0 on atapci1
ata3: channel #1 on atapci1
pci0: at device 31.3 (no driver attached)
acpi_tz0: on acpi0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
ppc0: port 0x778-0x77b,0x378-0x37f irq 7 on acpi0
ppc0: Generic chipset (EPP/NIBBLE) in COMPATIBLE mode
ppbus0: on ppc0
lpt0: on ppbus0
lpt0: Interrupt-driven port
atkbdc0: port 0x64,0x60 irq 1 on acpi0
atkbd0: irq 1 on atkbdc0
kbd0 at atkbd0
orm0: at iomem 0xc0000-0xc7fff on isa0
pmtimer0 on isa0
sc0: at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
ucom0: Prolific Technology Inc. USB-Serial Controller, rev 1.10/3.00, addr 2
Timecounter "TSC" frequency 2793009972 Hz quality 800
Timecounters tick every 10.000 msec
ad0: 38166MB [77545/16/63] at ata0-master UDMA100
em0: Link is up 100 Mbps Full Duplex
ad4: 114473MB [232581/16/63] at ata2-master SATA150
ad6: 114473MB [232581/16/63] at ata3-master SATA150
ar0: 114473MB [14593/255/63] status: READY subdisks:
 disk0 READY on ad4 at ata2-master
 disk1 READY on ad6 at ata3-master

hostb0@pci0:0:0:        class=0x060000 card=0x81161043 chip=0x25788086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '82875P/E7210 DRAM Controller / Host-Hub Interface'
    class    = bridge
    subclass = HOST-PCI
pcib1@pci0:3:0: class=0x060400 card=0x00000000 chip=0x257b8086 rev=0x02 hdr=0x01
    vendor   = 'Intel Corporation'
    device   = '82875P/E7210 PCI to CSA Bridge'
    class    = bridge
    subclass = PCI-PCI
pcib2@pci0:28:0:        class=0x060400 card=0x00000050 chip=0x25ae8086 rev=0x02 hdr=0x01
    vendor   = 'Intel Corporation'
    device   = '6300ESB Hub Interface to PCI-X Bridge'
    class    = bridge
    subclass = PCI-PCI
uhci0@pci0:29:0:        class=0x0c0300 card=0x81171043 chip=0x25a98086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB USB 1.1 UHCI Controller #1'
    class    = serial bus
    subclass = USB
uhci1@pci0:29:1:        class=0x0c0300 card=0x81171043 chip=0x25aa8086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '5300ESB USB 1.1 UHCI Controller #2'
    class    = serial bus
    subclass = USB
none0@pci0:29:4:        class=0x088000 card=0x81171043 chip=0x25ab8086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB Watchdog Timer'
    class    = base peripheral
none1@pci0:29:5:        class=0x080020 card=0x81171043 chip=0x25ac8086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB APIC1'
    class    = base peripheral
    subclass = interrupt controller
ehci0@pci0:29:7:        class=0x0c0320 card=0x81171043 chip=0x25ad8086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB USB 2.0 EHCI Controller'
    class    = serial bus
    subclass = USB
pcib3@pci0:30:0:        class=0x060400 card=0x00000000 chip=0x244e8086 rev=0x0a hdr=0x01
    vendor   = 'Intel Corporation'
    device   = '82801BA/CA/DB/DBL/EB/ER/FB (ICH2/3/4/4/5/5/6), 6300ESB Hub Interface to PCI Bridge'
    class    = bridge
    subclass = PCI-PCI
isab0@pci0:31:0:        class=0x060100 card=0x00000000 chip=0x25a18086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB LPC Interface Bridge'
    class    = bridge
    subclass = PCI-ISA
atapci0@pci0:31:1:      class=0x01018a card=0x81171043 chip=0x25a28086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB IDE Controller'
    class    = mass storage
    subclass = ATA
atapci1@pci0:31:2:      class=0x01018f card=0x81171043 chip=0x25a38086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB Serial ATA Controller'
    class    = mass storage
    subclass = ATA
none2@pci0:31:3:        class=0x0c0500 card=0x81171043 chip=0x25a48086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB SMBus Controller'
    class    = serial bus
    subclass = SMBus
em0@pci1:1:0:   class=0x020000 card=0x81151043 chip=0x10758086 rev=0x00 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '82547EI Gigabit Ethernet Controller'
    class    = network
    subclass = ethernet
fxp0@pci2:2:0:  class=0x020000 card=0x000c8086 chip=0x12298086 rev=0x08 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '82550/1/7/8/9 EtherExpress PRO/100(B) Ethernet Adapter'
    class    = network
    subclass = ethernet
fxp1@pci3:2:0:  class=0x020000 card=0x000b8086 chip=0x12298086 rev=0x08 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '82550/1/7/8/9 EtherExpress PRO/100(B) Ethernet Adapter'
    class    = network
    subclass = ethernet
em1@pci3:8:0:   class=0x020000 card=0x811d1043 chip=0x10768086 rev=0x00 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '82547EI Gigabit Ethernet Controller'
    class    = network
    subclass = ethernet
none3@pci3:9:0: class=0x030000 card=0x80081002 chip=0x47521002 rev=0x27 hdr=0x00
    vendor   = 'ATI Technologies Inc'
    device   = 'Rage XL PCI'
    class    = display
    subclass = VGA Controller

Controller /dev/usb0:
addr 1: full speed, self powered, config 1, UHCI root hub(0x0000), Intel(0x0000), rev 1.00
 port 1 powered
 port 2 powered
Controller /dev/usb1:
addr 1: full speed, self powered, config 1, UHCI root hub(0x0000), Intel(0x0000), rev 1.00
 port 1 powered
 port 2 addr 2: full speed, power 100 mA, config 1, USB-Serial Controller(0x2303), Prolific Technology Inc.(0x067b), rev 3.00
Controller /dev/usb2:
addr 1: high speed, self powered, config 1, EHCI root hub(0x0000), Intel(0x0000), rev 1.00
 port 1 powered
 port 2 powered
 port 3 powered
 port 4 powered

>Description:
With recurring switching from DATA to FAX mode of a modem attached through a USB-COM connector, the kernel panics.
Panic occurs with a period of about 5 days:

putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
ucom0: read start failed

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x4c
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc048170d
stack pointer           = 0x10:0xd69649f4
frame pointer           = 0x10:0xd6964a1c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 33074 (chat)
trap number             = 12
panic: page fault
Uptime: 5d3h1m35s
Dumping 510 MB
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 256 272 288 304 320 336 352 368 384 400 416 432 448 464 480 496

kernel backtrace:
#0  doadump () at pcpu.h:160
160             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:160
During symbol reading, Incomplete CFI data; unspecified registers at 0xc04c64f0.
#1  0xc04c6bae in boot (howto=0x104) at /usr/src/sys/kern/kern_shutdown.c:410
#2  0xc04c6eb5 in panic (fmt=0xc0616267 "%s") at /usr/src/sys/kern/kern_shutdown.c:566
#3  0xc05efc38 in trap_fatal (frame=0xd69649b4, eva=0x0) at /usr/src/sys/i386/i386/trap.c:817
#4  0xc05ef95b in trap_pfault (frame=0xd69649b4, usermode=0x0, eva=0x4c) at /usr/src/sys/i386/i386/trap.c:735
#5  0xc05ef544 in trap (frame= {tf_fs = 0xc1a40018, tf_es = 0xd6960010, tf_ds = 0xc0470010, tf_edi = 0x0, tf_esi = 0xc2464280, tf_ebp = 0xd6964a1c, tf_isp = 0xd69649e0, tf_ebx = 0xc1a4c000, tf_edx = 0x0, tf_ecx = 0xc16e9f80, tf_eax = 0x0, tf_trapno = 0xc, tf_err = 0x0, tf_eip = 0xc048170d, tf_cs = 0x8, tf_eflags = 0x10246, tf_esp = 0xc16e7000, tf_ss = 0xd6964a10}) at /usr/src/sys/i386/i386/trap.c:425
#6  0xc05de8ca in calltrap () at /usr/src/sys/i386/i386/exception.s:140
#7  0xc1a40018 in ?? ()
#8  0xd6960010 in ?? ()
#9  0xc0470010 in ugen_do_read (sc=0xc2464280, endpt=0x0, uio=0xc04727b3, flag=0xc34bd100) at /usr/src/sys/dev/usb/ugen.c:824
#10 0xc0472ad4 in uhci_abort_xfer (xfer=0xc1a4c000, status=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usb/uhci.c:2022
#11 0xc0472937 in uhci_device_bulk_abort (xfer=0x0) at /usr/src/sys/dev/usb/uhci.c:1921
#12 0xc0481625 in usbd_ar_pipe (pipe=0xc2464280) at /usr/src/sys/dev/usb/usbdi.c:762
#13 0xc048134b in usbd_abort_pipe (pipe=0x0) at /usr/src/sys/dev/usb/usbdi.c:556
#14 0xc0744134 in ?? ()
#15 0xc2464280 in ?? ()
#16 0xd6964aa4 in ?? ()
#17 0xc0743956 in ?? ()
#18 0xc1742700 in ?? ()
#19 0x00000000 in ?? ()
#20 0xc04fcf19 in ttyioctl (dev=0x0, cmd=0x0, data=0xc04fcf19 "\203ûý¸\031", flag=0xc1743a00, td=0x0) at /usr/src/sys/kern/tty.c:2918
Previous frame inner to this frame (corrupt stack?)

>How-To-Repeat:
Attach a modem through a USB-COM connector and execute AT commands in a cycle with chat(8). After some time, the kernel will panic.
>Fix:
Unknown
>Release-Note:
>Audit-Trail:
>Unformatted:
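The two things a crash analyst reads off a "Fatal trap 12" block like the one above are (a) that a fault virtual address smaller than one page means a dereference through a NULL pointer, with the address itself being the offset of the struct member that was touched (here 0x4c, so the faulting instruction at 0xc048170d read a field 0x4c bytes into a structure whose pointer was NULL), and (b) that kgdb frames whose "address" is literally one of the trap frame's own words (frames #7, #8 and #9 above equal tf_fs, tf_es and tf_ds from frame #5) are not return addresses, so the function names and arguments kgdb attaches to frames above calltrap() are unreliable and "Previous frame inner to this frame (corrupt stack?)" is to be expected. The following triage helper is an added example, not code from this PR or from FreeBSD; it parses the panic text of the report (copied into a string constant) and cross-checks the frame addresses against the trap-frame words, also taken from the report. The 4096-byte page size is the standard i386 value and the only constant not quoted from the page.

```c
/*
 * Triage helper for a FreeBSD i386 "Fatal trap 12" panic block.
 * Added example; not from the PR or from FreeBSD.  Input text and the
 * register/frame values are copied from the report above.
 */
#include <stdio.h>
#include <string.h>

#define I386_PAGE_SIZE 4096UL   /* standard i386 page size (assumption) */

/* Panic text as printed in the report, embedded for offline use. */
static const char *PANIC_TEXT =
    "Fatal trap 12: page fault while in kernel mode\n"
    "fault virtual address = 0x4c\n"
    "fault code = supervisor read, page not present\n"
    "instruction pointer = 0x8:0xc048170d\n"
    "current process = 33074 (chat)\n"
    "trap number = 12\n"
    "panic: page fault\n";

/* Frames #7..#9 of the backtrace and tf_fs/tf_es/tf_ds of frame #5. */
static const unsigned long REPORT_FRAMES[] = { 0xc1a40018UL, 0xd6960010UL, 0xc0470010UL };
static const unsigned long REPORT_TF[]     = { 0xc1a40018UL, 0xd6960010UL, 0xc0470010UL };

struct trap_info {
    unsigned long fault_va;   /* faulting virtual address */
    unsigned long eip;        /* instruction pointer (offset part) */
    int trapno;               /* trap number; 12 is a page fault on i386 */
    char proc[64];            /* "pid (comm)" of the current process */
};

/* Parse the "key = value" lines; returns 1 when the three essential fields were found. */
int parse_trap(const char *text, struct trap_info *ti)
{
    int found = 0;
    const char *p = text;
    memset(ti, 0, sizeof *ti);
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        unsigned long v; unsigned sel; int n;
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, "fault virtual address = %lx", &v) == 1) { ti->fault_va = v; found |= 1; }
        else if (sscanf(line, "instruction pointer = %x:%lx", &sel, &v) == 2) { ti->eip = v; found |= 2; }
        else if (sscanf(line, "trap number = %d", &n) == 1) { ti->trapno = n; found |= 4; }
        else if (strncmp(line, "current process = ", 18) == 0) snprintf(ti->proc, sizeof ti->proc, "%s", line + 18);
        p = nl ? nl + 1 : p + len;
    }
    return found == 7;
}

/* A page fault below the first page is a NULL-based access and the address is the
   member offset.  Returns -1 when the trap is not a page fault of that kind. */
long null_deref_offset(const struct trap_info *ti)
{
    if (ti->trapno != 12 || ti->fault_va >= I386_PAGE_SIZE)
        return -1;
    return (long)ti->fault_va;
}

/* Convenience wrapper: parse text and return the NULL-member offset, -2 if unparsable. */
long null_offset_from_text(const char *text)
{
    struct trap_info ti;
    return parse_trap(text, &ti) ? null_deref_offset(&ti) : -2;
}

/* Count backtrace frame "addresses" that are really words of the trap frame;
   such frames carry no return address and kgdb's symbolisation of them is noise. */
int count_trap_frame_words(const unsigned long *frames, size_t nframes,
                           const unsigned long *tf, size_t ntf)
{
    int hits = 0;
    for (size_t i = 0; i < nframes; i++)
        for (size_t j = 0; j < ntf; j++)
            if (frames[i] == tf[j]) { hits++; break; }
    return hits;
}

int main(void)
{
    struct trap_info ti;
    if (!parse_trap(PANIC_TEXT, &ti)) { fputs("unparsable panic text\n", stderr); return 1; }
    printf("eip 0x%lx, current process %s\n", ti.eip, ti.proc);
    long off = null_deref_offset(&ti);
    if (off >= 0)
        printf("NULL pointer dereference: struct member at offset 0x%lx\n", off);
    printf("%d of 3 frames above calltrap() are trap-frame words, not return addresses\n",
           count_trap_frame_words(REPORT_FRAMES, 3, REPORT_TF, 3));
    return 0;
}
```

With the report's values the helper classifies the fault as a NULL dereference of a member at offset 0x4c and flags all three frames above calltrap() as trap-frame words, which is why the real faulting function has to be located from tf_eip (0xc048170d, between the usbd_ar_pipe and usbd_abort_pipe addresses in the trace) rather than from the symbolised frames.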