From owner-freebsd-bugs@FreeBSD.ORG Tue Apr 17 05:50:02 2007 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D350916A416 for ; Tue, 17 Apr 2007 05:50:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id A5B8913C465 for ; Tue, 17 Apr 2007 05:50:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l3H5o2t0033460 for ; Tue, 17 Apr 2007 05:50:02 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l3H5o2Gw033459; Tue, 17 Apr 2007 05:50:02 GMT (envelope-from gnats) Resent-Date: Tue, 17 Apr 2007 05:50:02 GMT Resent-Message-Id: <200704170550.l3H5o2Gw033459@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Jamie Jones Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4724016A400 for ; Tue, 17 Apr 2007 05:45:02 +0000 (UTC) (envelope-from jamie@thompson.bishopston.net) Received: from pacha.mail.bishopston.net (pacha.mail.bishopston.net [66.221.209.133]) by mx1.freebsd.org (Postfix) with ESMTP id 04ABF13C43E for ; Tue, 17 Apr 2007 05:45:01 +0000 (UTC) (envelope-from jamie@thompson.bishopston.net) Received: from tiffany.bishopston.net (tiffany.bishopston.net [IPv6:2001:618:400:1bd5::1] (may be forged)) by catflap.bishopston.net (8.14.1/8.14.1) with ESMTP id l3H5Jfkg046375 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Tue, 17 Apr 2007 06:19:42 +0100 (BST) (envelope-from jamie@thompson.bishopston.net) Received: from thompson.bishopston.net (thompson.bishopston.net [IPv6:2001:618:400:1bd5::100]) by tiffany.bishopston.net (8.14.0/8.12.3) with ESMTP id l3H5Jeck035789 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Tue, 17 Apr 2007 06:19:40 +0100 (BST) (envelope-from jamie@thompson.bishopston.net) Received: from thompson.bishopston.net (localhost [IPv6:::1]) by thompson.bishopston.net (8.14.1/8.12.3) with ESMTP id l3H5JeJv023812 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Tue, 17 Apr 2007 06:19:40 +0100 (BST) (envelope-from jamie@thompson.bishopston.net) Received: (from jamie@localhost) by thompson.bishopston.net (8.14.1/8.12.9/Submit) id l3H5JesQ023811; Tue, 17 Apr 2007 06:19:40 +0100 (BST) (envelope-from jamie) Message-Id: <200704170519.l3H5JesQ023811@thompson.bishopston.net> Date: Tue, 17 Apr 2007 06:19:40 +0100 (BST) From: Jamie Jones To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: Subject: kern/111753: Replicable system panic involving UHID driver X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Jamie Jones List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Apr 2007 05:50:02 -0000 >Number: 111753 >Category: kern >Synopsis: Replicable system panic involving UHID driver >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Apr 17 05:50:02 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Jamie Jones >Release: FreeBSD 6.2-STABLE i386 >Organization: >Environment: System: FreeBSD thompson.bishopston.net 6.2-STABLE FreeBSD 6.2-STABLE #0: Fri Apr 13 13:45:47 BST 2007 root@thompson.bishopston.net:/usr/obj/usr/src/sys/THOMPSON i386 >Description: I have found a replicable kernel panic with FreeBSD 6-STABLE whenever anything that uses sdl_mixer runs, and something is plugged into the usb port with the UHID driver. This has been around for most (all?) of 6.X but I've only just managed to isolate the cause somewhat. Basically, I have a Samsung monitor which has a USB lead for controlling its settings: uhid0: Samsung Electronics Sam Sung Electronics, rev 1.10/2.00, addr 2, iclass 3/0 If I DISCONNECT this lead, the panic doesn't occur. I see little point in the lead in the first place - not only do i not have a working driver for this controller, all the settings are on the front of the screen control anyway! So... I now leave the lead disconnected, so problem gone. However, in the true spirit of trying to get all bugs fixed, rather than sweeping them under the carpet, I include the kernel panic dump, and backtrace, and other information, as the simple fact I (as a non-root user) am able to panic the machine is obviously not correct :-) This isn't therefore a high priority from my point of view, but thought you'd want this information. Anything else I can provide, please let me know! Cheers, Jamie 6:06 (51) "tmp" jamie@thompson% uname -a FreeBSD thompson.bishopston.net 6.2-STABLE FreeBSD 6.2-STABLE #0: Fri Apr 13 13:45:47 BST 2007 root@thompson.bishopston.net:/usr/obj/usr/src/sys/THOMPSON i386 6:06 (52) "tmp" jamie@thompson% pciconf -vl agp0@pci0:0:0: class=0x060000 card=0x08240000 chip=0x30991106 rev=0x00 hdr=0x00 vendor = 'VIA Technologies Inc' device = 'VT8366/A,VT8367 Apollo KT266/A,KT333 CPU to PCI Bridge' class = bridge subclass = HOST-PCI pcib1@pci0:1:0: class=0x060400 card=0x00000000 chip=0xb0991106 rev=0x00 hdr=0x01 vendor = 'VIA Technologies Inc' device = 'VT8366/A,VT8367 Apollo KT266/A,KT333 PCI to AGP Bridge' class = bridge subclass = PCI-PCI rl0@pci0:8:0: class=0x020000 card=0x813910ec chip=0x813910ec rev=0x10 hdr=0x00 vendor = 'Realtek Semiconductor' device = 'RT8139 (A/B/C/810x/813x/C+) Fast Ethernet Adapter' class = network subclass = ethernet pcm0@pci0:9:0: class=0x040100 card=0x00211102 chip=0x00021102 rev=0x04 hdr=0x00 vendor = 'Creative Labs' device = 'EMU10000 Sound Blaster Live! (Also Live! 5.1) - OEM from DELL - CT4780' class = multimedia subclass = audio emujoy0@pci0:9:1: class=0x098000 card=0x00201102 chip=0x70021102 rev=0x01 hdr=0x00 vendor = 'Creative Labs' device = 'EMU10000 Game Port' class = input device viapropm0@pci0:17:0: class=0x060100 card=0x31471106 chip=0x31471106 rev=0x00 hdr=0x00 vendor = 'VIA Technologies Inc' device = 'VT8233A PCI to ISA Bridge' class = bridge subclass = PCI-ISA atapci0@pci0:17:1: class=0x01018a card=0x05711106 chip=0x05711106 rev=0x06 hdr=0x00 vendor = 'VIA Technologies Inc' device = 'VT82xxxx EIDE Controller (All VIA Chipsets)' class = mass storage subclass = ATA uhci0@pci0:17:2: class=0x0c0300 card=0x12340925 chip=0x30381106 rev=0x23 hdr=0x00 vendor = 'VIA Technologies Inc' device = 'VT82xxxxx UHCI USB 1.1 Controller (All VIA Chipsets)' class = serial bus subclass = USB uhci1@pci0:17:3: class=0x0c0300 card=0x12340925 chip=0x30381106 rev=0x23 hdr=0x00 vendor = 'VIA Technologies Inc' device = 'VT82xxxxx UHCI USB 1.1 Controller (All VIA Chipsets)' class = serial bus subclass = USB nvidia0@pci1:0:0: class=0x030000 card=0x20341682 chip=0x032610de rev=0xa1 hdr=0x00 vendor = 'NVIDIA Corporation' device = 'GeForce FX 5500 [NV34.6]' class = display subclass = VGA 6:06 (53) "tmp" jamie@thompson% cat /var/run/dmesg.boot Copyright (c) 1992-2007 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD is a registered trademark of The FreeBSD Foundation. FreeBSD 6.2-STABLE #0: Fri Apr 13 13:45:47 BST 2007 root@thompson.bishopston.net:/usr/obj/usr/src/sys/THOMPSON mptable_probe: MP Config Table has bad signature: \^H\M^?\M^?\^A Timecounter "i8254" frequency 1193182 Hz quality 0 CPU: AMD Athlon(tm) XP 2100+ (1734.11-MHz 686-class CPU) Origin = "AuthenticAMD" Id = 0x662 Stepping = 2 Features=0x383fbff AMD Features=0xc0400800 real memory = 1073676288 (1023 MB) avail memory = 1033318400 (985 MB) netsmb_dev: loaded acpi0: on motherboard acpi0: Power Button (fixed) Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000 acpi_timer0: <24-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0 cpu0: on acpi0 acpi_throttle0: on cpu0 acpi_button0: on acpi0 acpi_button1: on acpi0 pcib0: port 0xcf8-0xcff,0x4000-0x407f,0x4080-0x40ff,0x5000-0x500f on acpi0 pci0: on pcib0 agp0: mem 0xe0000000-0xe7ffffff at device 0.0 on pci0 pcib1: at device 1.0 on pci0 pci1: on pcib1 nvidia0: mem 0xe8000000-0xe8ffffff,0xd0000000-0xdfffffff irq 11 at device 0.0 on pci1 nvidia0: [GIANT-LOCKED] rl0: port 0xd000-0xd0ff mem 0xea000000-0xea0000ff irq 10 at device 8.0 on pci0 miibus0: on rl0 rlphy0: on miibus0 rlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto rl0: Ethernet address: 00:c0:df:13:2a:df pcm0: port 0xd400-0xd41f irq 5 at device 9.0 on pci0 pcm0: viapropm0: SMBus I/O base at 0x5000 viapropm0: SMBus I/O base at 0x5000 viapropm0: port 0x5000-0x500f at device 17.0 on pci0 viapropm0: SMBus revision code 0x0 smbus0: on viapropm0 smb0: on smbus0 isa0: on viapropm0 atapci0: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xdc00-0xdc0f at device 17.1 on pci0 ata0: on atapci0 ata1: on atapci0 uhci0: port 0xe000-0xe01f irq 10 at device 17.2 on pci0 uhci0: [GIANT-LOCKED] usb0: on uhci0 usb0: USB revision 1.0 uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1: port 0xe400-0xe41f irq 10 at device 17.3 on pci0 uhci1: [GIANT-LOCKED] usb1: on uhci1 usb1: USB revision 1.0 uhub1: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered acpi_tz0: on acpi0 speaker0: port 0x61 on acpi0 fdc0: port 0x3f2-0x3f5,0x3f7 irq 6 drq 2 on acpi0 fdc0: [FAST] fd0: <1440-KB 3.5" drive> on fdc0 drive 0 sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0 sio0: type 16550A sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0 sio1: type 16550A ppc0: port 0x378-0x37f,0x778-0x77b irq 7 drq 3 on acpi0 ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode ppc0: FIFO with 16/16/16 bytes threshold ppbus0: on ppc0 lpt0: on ppbus0 lpt0: Interrupt-driven port ppi0: on ppbus0 atkbdc0: port 0x60,0x64 irq 1 on acpi0 atkbd0: irq 1 on atkbdc0 kbd0 at atkbd0 atkbd0: [GIANT-LOCKED] psm0: flags 0x44 irq 12 on atkbdc0 psm0: [GIANT-LOCKED] psm0: model IntelliMouse, device ID 3 pmtimer0 on isa0 orm0: at iomem 0xc0000-0xcf7ff on isa0 sc0: at flags 0x100 on isa0 sc0: VGA <16 virtual consoles, flags=0x300> vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0 uhid0: Samsung Electronics Sam Sung Electronics, rev 1.10/2.00, addr 2, iclass 3/0 ucom0: Prolific Technology Inc. USB-Serial Controller C, rev 1.10/4.00, addr 2 Timecounter "TSC" frequency 1734105104 Hz quality 800 Timecounters tick every 1.000 msec ad0: 305245MB at ata0-master UDMA100 ad1: 286168MB at ata0-slave UDMA100 ad2: 305245MB at ata1-master UDMA100 acd0: DVDR at ata1-slave UDMA33 GEOM_MIRROR: Device gm0s1 created (id=3761227597). GEOM_MIRROR: Device gm0s1: provider ad0s3 detected. GEOM_MIRROR: Device gm1s1 created (id=2286332101). GEOM_MIRROR: Device gm1s1: provider ad0s4 detected. GEOM_MIRROR: Device gm1s1: provider ad1s1 detected. GEOM_MIRROR: Device gm1s1: provider ad1s1 activated. GEOM_MIRROR: Device gm1s1: provider ad0s4 activated. GEOM_MIRROR: Device gm1s1: provider mirror/gm1s1 launched. GEOM_MIRROR: Device gm2s1 created (id=1544363515). GEOM_MIRROR: Device gm2s1: provider ad1s2 detected. GEOM_MIRROR: Device gm0s1: provider ad2s3 detected. GEOM_MIRROR: Device gm0s1: provider ad2s3 activated. GEOM_MIRROR: Device gm0s1: provider ad0s3 activated. GEOM_MIRROR: Device gm0s1: provider mirror/gm0s1 launched. GEOM_MIRROR: Device gm2s1: provider ad2s4 detected. GEOM_MIRROR: Device gm2s1: provider ad2s4 activated. GEOM_MIRROR: Device gm2s1: provider ad1s2 activated. GEOM_MIRROR: Device gm2s1: provider mirror/gm2s1 launched. Trying to mount root from ufs:/dev/mirror/gm0s1a WARNING: / was not properly dismounted acd0: FAILURE - INQUIRY ILLEGAL REQUEST asc=0x24 ascq=0x00 sks=0x40 0x00 0x01 cd0 at ata1 bus 0 target 1 lun 0 cd0: Removable CD-ROM SCSI-0 device cd0: 33.000MB/s transfers cd0: cd present [36235 x 2048 byte records] bridge0: Ethernet address: 76:20:7e:95:84:02 6:06 (54) "tmp" jamie@thompson% usbdevs -l Controller /dev/usb0: addr 1: full speed, self powered, config 1, UHCI root hub(0x0000), VIA(0x0000), rev 1.00 port 1 powered port 2 addr 2: low speed, self powered, config 1, Sam Sung Electronics(0x8002), Samsung Electronics(0x0419), rev 2.00 Controller /dev/usb1: addr 1: full speed, self powered, config 1, UHCI root hub(0x0000), VIA(0x0000), rev 1.00 port 1 powered port 2 addr 2: full speed, power 100 mA, config 1, USB-Serial Controller C(0x2303), Prolific Technology Inc.(0x067b), rev 4.00 "THOMPSON" root@thompson# kgdb kernel.debug /var/crash/vmcore.0 kgdb: kvm_nlist(_stopped_cpus): kgdb: kvm_nlist(_stoppcbs): [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"] GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-marcel-freebsd". Unread portion of the kernel message buffer: Fatal trap 12: page fault while in kernel mode fault virtual address = 0x4 fault code = supervisor write, page not present instruction pointer = 0x20:0xc04aca9e stack pointer = 0x28:0xe686f8d4 frame pointer = 0x28:0xe686f90c code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 1452 (tuxracer) trap number = 12 panic: page fault Uptime: 1m24s Dumping 1023 MB (2 chunks) chunk 0: 1MB (159 pages) ... ok chunk 1: 1023MB (261872 pages) 1007 991 975 959 943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15 #0 doadump () at pcpu.h:165 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td)); (kgdb) list *0xc04aca9e 0xc04aca9e is in uhci_device_intr_start (/usr/src/sys/dev/usb/uhci.c:2129). 2124 err = uhci_alloc_std_chain(upipe, sc, xfer->length, isread, 2125 xfer->flags, &xfer->dmabuf, &data, 2126 &dataend); 2127 if (err) 2128 return (err); 2129 dataend->td.td_status |= htole32(UHCI_TD_IOC); 2130 2131 #ifdef USB_DEBUG 2132 if (uhcidebug > 10) { 2133 DPRINTF(("uhci_device_intr_transfer: data(1)\n")); (kgdb) backtrace #0 doadump () at pcpu.h:165 #1 0xc05399c4 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409 #2 0xc0539cf6 in panic (fmt=0xc0738c69 "%s") at /usr/src/sys/kern/kern_shutdown.c:565 #3 0xc070f34c in trap_fatal (frame=0xe686f894, eva=0) at /usr/src/sys/i386/i386/trap.c:837 #4 0xc070f052 in trap_pfault (frame=0xe686f894, usermode=0, eva=4) at /usr/src/sys/i386/i386/trap.c:745 #5 0xc070ec1d in trap (frame= {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -985657856, tf_esi = -985657744, tf_ebp = -427362036, tf_isp = -427362112, tf_ebx = -977865856, tf_edx = 0, tf_ecx = -977865856, tf_eax = 0, tf_trapno = 12, tf_err = 2, tf_eip = -1068840290, tf_cs = 32, tf_eflags = 66118, tf_esp = -977865856, tf_ss = -985714688}) at /usr/src/sys/i386/i386/trap.c:435 #6 0xc06fa2ea in calltrap () at /usr/src/sys/i386/i386/exception.s:139 #7 0xc04aca9e in uhci_device_intr_start (xfer=0xc5400e00) at /usr/src/sys/dev/usb/uhci.c:2129 #8 0xc04aca15 in uhci_device_intr_transfer (xfer=0xc5400e00) at /usr/src/sys/dev/usb/uhci.c:2091 #9 0xc04b90e1 in usbd_transfer (xfer=0xc5400e00) at /usr/src/sys/dev/usb/usbdi.c:322 #10 0xc04b8f3c in usbd_open_pipe_intr (iface=0xc5400e00, address=129 '\201', flags=4 '\004', pipe=0x0, priv=0x0, buffer=0x0, len=0, cb=0, ival=0) at /usr/src/sys/dev/usb/usbdi.c:244 #11 0xc04afacf in uhidopen (dev=0x0, flag=1, mode=8192, p=0xc6045300) at /usr/src/sys/dev/usb/uhid.c:461 #12 0xc0506401 in giant_open (dev=0xc542fc00, oflags=0, devtype=0, td=0x0) at /usr/src/sys/kern/kern_conf.c:260 #13 0xc04be832 in devfs_open (ap=0xe686fa50) at /usr/src/sys/fs/devfs/devfs_vnops.c:772 #14 0xc0726043 in VOP_OPEN_APV (vop=0x0, a=0x0) at vnode_if.c:372 #15 0xc05b429d in vn_open_cred (ndp=0xe686fbc0, flagp=0xe686fcc0, cmode=0, cred=0xc5d9d380, fdidx=11) at vnode_if.h:198 #16 0xc05b3df3 in vn_open (ndp=0xc5b6f380, flagp=0x0, cmode=0, fdidx=0) at /usr/src/sys/kern/vfs_vnops.c:91 #17 0xc05aaf58 in kern_open (td=0xc6045300, path=0x0, pathseg=UIO_USERSPACE, flags=1, mode=0) at /usr/src/sys/kern/vfs_syscalls.c:1007 #18 0xc05aae56 in open (td=0x0, uap=0xe686fd04) at /usr/src/sys/kern/vfs_syscalls.c:971 #19 0xc070f722 in syscall (frame= {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 137068544, tf_esi = 0, tf_ebp = -1077943288, tf_isp = -427360924, tf_ebx = 1213965492, tf_edx = 0, tf_ecx = 0, tf_eax = 5, tf_trapno = 22, tf_err = 2, tf_eip = 1214787399, tf_cs = 51, tf_eflags = 582, tf_esp = -1077943316, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:983 #20 0xc06fa33f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200 #21 0x00000033 in ?? () Previous frame inner to this frame (corrupt stack?) (kgdb) quit >How-To-Repeat: MAke sure UHID is in the kernel, and a usb device that operates under uhid is installed (well, if not ALL uhid devices, at least: uhid0: Samsung Electronics Sam Sung Electronics, rev 1.10/2.00, addr 2, iclass 3/0 >Fix: -- -=-=-=- Virus Scanned by "pacha.mail.bishopston.net" using ClamAv -=-=-=- Database Last Checked: Tue Apr 17 05:38:00 BST 2007 - http://www.clamav.net/ Database Updated : Tue Apr 17 05:38:00 BST 2007 - 110201 viruses scanned >Release-Note: >Audit-Trail: >Unformatted: