From owner-freebsd-current@FreeBSD.ORG Wed Jan 26 14:30:53 2005
Date: Wed, 26 Jan 2005 23:30:22 +0900
From: Shunsuke Akiyama
To: Sean McNeil
cc: current@freebsd.org
Subject: Re: panic 01/25/04 kernel in uhci uplcom
In-Reply-To: <1106727949.8449.3.camel@server.mcneil.com>
References: <1106727949.8449.3.camel@server.mcneil.com>
Message-Id: <20050126233022O.akiyama@jp.FreeBSD.org>
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: multipart/mixed; boundary="Multipart_Wed_Jan_26_23:30:22_2005-1"

--Multipart_Wed_Jan_26_23:30:22_2005-1
Content-Type: text/plain; charset=US-ASCII

At Wed, 26 Jan 2005 00:25:49 -0800, Sean McNeil wrote:
> I got a panic on a recent kernel:
>
> FreeBSD server.mcneil.com 6.0-CURRENT FreeBSD 6.0-CURRENT #2: Fri Jan 7
> 18:21:53 PST 2005 root@server.mcneil.com:/usr/obj/usr/src/sys/AMD64
> amd64
>
> Jan 25 23:50:39 server syslogd: kernel boot file
> is /boot/kernel.old/kernel
> Jan 25 23:50:39 server kernel: panic: uhci_abort_xfer: not in process
> context
> Jan 25 23:50:39 server kernel: Uptime: 1m39s
> Jan 25 23:50:39 server kernel: interrupt total
> Jan 25 23:50:39 server kernel: irq1: atkbd0 2
> Jan 25 23:50:39 server kernel: irq0: clk 323813
> Jan 25 23:50:39 server kernel: irq4: sio0 5
> Jan 25 23:50:39 server kernel: irq8: rtc 20738
> Jan 25 23:50:39 server kernel: irq14: ata0 722
> Jan 25 23:50:39 server kernel: irq15: ata1 186
> Jan 25 23:50:39 server kernel: irq16: re0 62
> Jan 25 23:50:39 server kernel: irq17: fwohci0 1
> Jan 25 23:50:39 server kernel: irq19: dc0 2
> Jan 25 23:50:39 server kernel: irq20: atapci0 6006
> Jan 25 23:50:39 server kernel: irq21: uhci0 uhci1+ 136
> Jan 25 23:50:39 server kernel: Total 351673
> Jan 25 23:50:39 server kernel: KDB: stack backtrace:
> Jan 25 23:50:39 server kernel: hardclock() at hardclock+0x1eb
> Jan 25 23:50:39 server kernel: intr_execute_handlers() at
> intr_execute_handlers+0x102
> Jan 25 23:50:39 server kernel: lapic_handle_intr() at lapic_handle_intr
> +0x21
> Jan 25 23:50:39 server kernel: Xapic_isr1() at Xapic_isr1+0x7d
> Jan 25 23:50:39 server kernel: --- interrupt, rip = 0xffffffff802eb1e1,
> rsp = 0xffffffffb19187e0, rbp = 0xffffffffb1918810 ---
> Jan 25 23:50:39 server kernel: cv_wait() at cv_wait+0x1
> Jan 25 23:50:39 server kernel: ata_queue_request() at ata_queue_request
> +0x1e8
> Jan 25 23:50:39 server kernel: ata_controlcmd() at ata_controlcmd+0x8b
> Jan 25 23:50:39 server kernel: ata_shutdown() at ata_shutdown+0xb8
> Jan 25 23:50:39 server kernel: boot() at boot+0x25c
> Jan 25 23:50:39 server kernel: panic() at panic+0x167
> Jan 25 23:50:39 server kernel: uhci_abort_xfer() at uhci_abort_xfer+0x68
> Jan 25 23:50:39 server kernel: usbd_abort_pipe() at usbd_abort_pipe+0x27
> Jan 25 23:50:39 server kernel: ucomstopread() at ucomstopread+0x27
> Jan 25 23:50:39 server kernel: ucomstop() at ucomstop+0x2f
> Jan 25 23:50:39 server kernel: ttyflush() at ttyflush+0x34
> Jan 25 23:50:39 server kernel: ttymodem() at ttymodem+0x9e
> Jan 25 23:50:39 server kernel: ucom_status_change() at
> ucom_status_change+0x93
> Jan 25 23:50:39 server kernel: uplcom_intr() at uplcom_intr+0x94
> Jan 25 23:50:39 server kernel: usb_transfer_complete() at
> usb_transfer_complete+0x201
> Jan 25 23:50:39 server kernel: uhci_softintr() at uhci_softintr+0x100
> Jan 25 23:50:39 server kernel: uhci_intr1() at uhci_intr1+0xd5
> Jan 25 23:50:39 server kernel: ithread_loop() at ithread_loop+0xd3
> Jan 25 23:50:39 server kernel: fork_exit() at fork_exit+0x8f
> Jan 25 23:50:39 server kernel: fork_trampoline() at fork_trampoline+0xe
> Jan 25 23:50:39 server kernel: --- trap 0, rip = 0, rsp =
> 0xffffffffb1918d00, rbp = 0 ---

Oh, usbd_abort_pipe() and the underlying uhci_abort_xfer() should be called from non-interrupt context only. uhci_abort_xfer() checks this condition and panics.

This is not only a problem for uplcom(4). Both umodem(4) and uvscom(4) potentially have the same problem.

Please try the attached patch and let me know the result.

Regards,
--
Shunsuke Akiyama
akiyama@jp.FreeBSD.org
akiyama@FreeBSD.org

--Multipart_Wed_Jan_26_23:30:22_2005-1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="uplcom.c-diff"
Content-Transfer-Encoding: 7bit

Index: uplcom.c =================================================================== RCS file: /home/ncvs/src/sys/dev/usb/uplcom.c,v retrieving revision 1.26 diff -u -r1.26 uplcom.c --- uplcom.c 25 Jan 2005 14:38:21 -0000 1.26 +++ uplcom.c 26 Jan 2005 13:24:07 -0000 @@ -107,6 +107,7 @@ #include #include #include +#include #include @@ -176,6 +177,8 @@ u_char sc_msr; /* uplcom status register */ int sc_chiptype; /* Type of chip */ + + struct task sc_task; }; /* @@ -203,6 +206,7 @@ Static int uplcom_param(void *, int, struct termios *); Static int uplcom_open(void *, int); Static void uplcom_close(void *, int); +Static void uplcom_notify(void *, int); struct ucom_callback uplcom_callback = { uplcom_get_status, @@ -530,6 +534,7 @@ DPRINTF(("uplcom: in = 0x%x, out = 0x%x, intr = 0x%x\n", ucom->sc_bulkin_no, ucom->sc_bulkout_no, sc->sc_intr_number)); + TASK_INIT(&sc->sc_task, 0, uplcom_notify, sc); ucom_attach(&sc->sc_ucom); free(devinfo, M_USBDEV); @@ -950,6 +955,19 @@ sc->sc_msr |= SER_DCD; else sc->sc_msr &= ~SER_DCD; + + /* Deferred notifying to the ucom layer */ + taskqueue_enqueue(taskqueue_swi_giant, &sc->sc_task); +} + +Static void +uplcom_notify(void *arg, int count) +{ + struct uplcom_softc *sc; + + sc = (struct uplcom_softc *)arg; + if (sc->sc_ucom.sc_dying) + return; ucom_status_change(&sc->sc_ucom); }
--Multipart_Wed_Jan_26_23:30:22_2005-1--
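
Review bot: In the softc hunk (@@ -176,6 +177,8 @@), the new sc_task member carries no comment, while the neighbouring sc_msr and sc_chiptype members each have one. A short comment saying that it defers ucom_status_change() out of uplcom_intr() would match the surrounding style and explain why the member exists.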
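
Review bot: In the attach hunk (@@ -530,6 +534,7 @@), sc_task is set up with TASK_INIT but the patch contains no matching change on the detach side. The interrupt handler can enqueue the task and the adapter can be unplugged before uplcom_notify() runs; the sc_dying test in uplcom_notify() reads through sc, so it only helps while the softc is still allocated. The detach path should make sure the task is neither pending nor running before the softc is released.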
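
Review bot: In the last hunk (@@ -950,6 +955,19 @@), the task is queued on taskqueue_swi_giant, which is serviced from a software interrupt thread, while the reported panic string is "uhci_abort_xfer: not in process context". Please confirm that the check in uhci_abort_xfer() accepts that context, and that anything on the ucom_status_change() -> ttymodem() -> ttyflush() -> ucomstop() -> usbd_abort_pipe() path shown in the backtrace that may wait is allowed to do so there. The added comment would also read better as "Defer notification to the ucom layer".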