From owner-freebsd-bugs@FreeBSD.ORG Wed Sep 8 11:50:24 2004
Message-Id: <20040908114024.4029B5CE6@active.ath.cx>
Date: Wed, 8 Sep 2004 14:40:24 +0300 (IDT)
From: Amir Shalem
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/71491: printing under usb printer causes a kernel panic

>Number: 71491
>Category: kern
>Synopsis: printing under usb printer causes a kernel panic
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Sep 08 11:50:23 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Amir Shalem
>Release: FreeBSD 5.3-BETA3 i386
>Organization:
>Environment:
System: FreeBSD vmware.active.ath.cx 5.3-BETA3 FreeBSD 5.3-BETA3 #2: Wed Sep 8 13:37:55 IDT 2004 root@vmware.active.ath.cx:/usr/src/sys/i386/compile/VMWARE i386

I have set up a test machine under vmware, where I installed 5.3-beta3.
The printer is an HP DeskJet 3650.
I use it under cups + hpijs-cups (not in ports).

>Description:
This bug also happens with 6-current.

I have tried this with:
	official 5.3-beta3 kernel
	5.3-beta3 + ule + usb_debug (at level 10)
	5.3-beta3 + 4bsd + usb_debug (at level 10)

In all conditions I got the crash: using usb_debug I got it _right away_,
whereas with the official kernel I had to do multiple printings in cups.

The problem is that printing via cups, printing a test page for example, causes the bug.
If I turn DIAGNOSTIC on, the bug does appear.

I have a kernel dump + kernel.debug for all kinds of kernels (on request);
here are the dmesg and backtrace of 4bsd+usbdebug:

TD(0xc12e3f60) at 04c77f60 = link=0x04c77f84 status=0x388003ff token=0x07e90269
  4c77f84 388003ff,errcnt=3,actlen=0 pid=69,addr=2,endpt=2,D=1,m
TD(0xc12e3f80) at 04c77f80 = link=0x00000005 status=0x398003ff token=0x07e10269
  5 398003ff,errcnt=3,actlen=0 pid=69,addr=2,endpt=2,D=0,m
uhci_start_loop: add
ulpt_tick: err=1
uhci_timeout: uxfer=0xc16a8a00
usb_add_task: task=0xc16a8a84
usb_transfer_complete: pipe=0xc16a6a00 xfer=0xc16a8a00 status=0 actlen=0
usb_transfer_complete: repeat=0 new head=0
ulpt_read_cb: start sc=0xc13ae880, err=0 n=0
uhci_device_bulk_done: xfer=0xc16a8a00 ii=0xc16a8a6c sc=0xc12e1000 upipe=0xc16a6
uhci_end_loop: remove
uhci_device_bulk_done: length=0
usbd_start_next: pipe=0xc16a6a00, xfer=0
usb_task_thread: woke up task=0xc16a8a84
uhci_timeout_task: xfer=0xc16a8a00
uhci_abort_xfer: xfer=0xc16a8a00, status=15
uhci_abort_xfer: stop ii=0xc16a8a6c
uhci_abort_xfer: callback
usb_transfer_complete: pipe=0xc16a6a00 xfer=0xc16a8a00 status=15 actlen=0

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x4c
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc05b398d
stack pointer           = 0x10:0xc636ccbc
frame pointer           = 0x10:0xc636ccd8
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 46 (usbtask)
panic: from debugger

and backtrace:

#25 0xc05b398d in usb_transfer_complete (xfer=0xc16a8a00)
    at ../../../dev/usb/usbdi.c:819
#26 0xc05a390a in uhci_abort_xfer (xfer=0xc16a8a00, status=USBD_TIMEOUT)
    at ../../../dev/usb/uhci.c:1994
#27 0xc05a2f08 in uhci_timeout_task (addr=0xc16a8a00)
    at ../../../dev/usb/uhci.c:1533
#28 0xc05afd45 in usb_task_thread (arg=0x0) at ../../../dev/usb/usb.c:464
#29 0xc05f29dc in fork_exit (callout=0xc05afc98 , arg=0x0, frame=0xc636cd48)
    at ../../../kern/kern_fork.c:820
#30 0xc077ae6c in fork_trampoline () at ../../../i386/i386/exception.s:209
(kgdb) frame 25
#25 0xc05b398d in usb_transfer_complete (xfer=0xc16a8a00)
    at ../../../dev/usb/usbdi.c:819
819             SIMPLEQ_REMOVE_HEAD(&pipe->queue, next);
(kgdb) print pipe->queue
$1 = {stqh_first = 0x0, stqh_last = 0xc16a6a14}
(kgdb) print *pipe->queue->stqh_last
$2 = (struct usbd_xfer *) 0x0
(kgdb) q

Basically, the pipe queue is empty when reaching the code, and it expects to have
something in the queue.

>How-To-Repeat:
Boot kernel with USB_DEBUG, and set:
	hw.usb.debug=10
	hw.usb.ulpt.debug=10
	hw.usb.uhci.debug=10
and try to print to your usb printer.

>Fix:
Unknown.
Maybe add a check to see if the queue is already empty?

>Release-Note:
>Audit-Trail:
>Unformatted:
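
Added illustration, not part of the original report and not FreeBSD code or the fix FreeBSD adopted: a user-space model of the empty-queue check suggested under >Fix. In the trace, usb_transfer_complete is logged twice for xfer=0xc16a8a00 (status=0, then status=15 from the timeout path); the struct and function names below are hypothetical and only the queue-head layout mirrors what kgdb printed.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for struct usbd_xfer (hypothetical fields). */
struct xfer { int id; struct xfer *next; };
/* Same shape as the head kgdb printed: stqh_first / stqh_last. */
struct pipe_q { struct xfer *first; struct xfer **last; };

static void q_init(struct pipe_q *q) { q->first = NULL; q->last = &q->first; }

static void q_insert_tail(struct pipe_q *q, struct xfer *x)
{
    x->next = NULL;
    *q->last = x;
    q->last = &x->next;
}

/*
 * An unguarded remove-head does q->first = q->first->next; with an empty
 * queue that reads a member through a NULL pointer. This variant refuses
 * when the queue is empty or its head is not the transfer being completed.
 */
static int q_remove_head_checked(struct pipe_q *q, struct xfer *x)
{
    if (q->first == NULL || q->first != x)
        return -1;
    q->first = x->next;
    if (q->first == NULL)
        q->last = &q->first;
    return 0;
}

/* Completion path: returns 0 if dequeued, -1 if already completed. */
static int transfer_complete(struct pipe_q *q, struct xfer *x, int status)
{
    int rc = q_remove_head_checked(q, x);
    printf("xfer %d status=%d: %s\n", x->id, status,
           rc == 0 ? "dequeued" : "not queued, ignored");
    return rc;
}

int main(void)
{
    struct pipe_q q;
    struct xfer x = { 1, NULL };
    q_init(&q);
    q_insert_tail(&q, &x);
    transfer_complete(&q, &x, 0);   /* normal completion */
    transfer_complete(&q, &x, 15);  /* late completion from the timeout path */
    return 0;
}
```

The guard only turns the second completion into a no-op; why the same transfer is completed twice is still the question the trace raises.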