Bug #193

panic in usb_transfer_complete in vmware

Added by corecode over 8 years ago. Updated almost 6 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -

Description

Hey,

just tried booting 1.4 (snapshot) in vmware. it works normally, but if
I have my usb stick passed through to dragonfly, it panics like below
(I think that's the same panic sascha is seeing).

A little bit playing with ddb showed that pipe->queue is empty.

cheers
simon

Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x4c
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc043c0bf
stack pointer = 0x10:0xc9a6ec90
frame pointer = 0x10:0xc9a6ecb0
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, IOPL = 0
current process = Idle
current thread = pri 92 (CRIT)

kernel: type 12 trap, code=0
Stopped at usb_transfer_complete+0xab: movl 0x4c(%eax),%eax
db> trace
usb_transfer_complete(c1189f38,c9a72fc0,0,0,e333fc0) at
usb_transfer_complete+0xab
ohci_softintr(c99fb0c0,c9a6ed10,c0436da2,c99fb0c0,e333f90) at
ohci_softintr+0x11c
usb_schedsoftintr(c99fb0c0,e333f90,0,0,0) at usb_schedsoftintr+0x12
ohci_intr1(c99fb0c0,c9a6ed84,c029054b,c99fb0c0,0) at ohci_intr1+0x16f
ohci_intr(c99fb0c0,0,0,0,1) at ohci_intr+0x33
ithread_handler(9,0,0,0,0) at ithread_handler+0xa0
lwkt_exit() at lwkt_exit

History

#1 Updated by swildner over 8 years ago

Simon 'corecode' Schubert wrote:
> Hey,
>
> just tried booting 1.4 (snapshot) in vmware. it works normally, but if I
> have my usb stick passed through to dragonfly, it panics like below (I
> think that's the same panic sascha is seeing).
>
> A little bit playing with ddb showed that pipe->queue is empty.

Dump is in ~swildner/crash on leaf.

Sascha

#2 Updated by dillon over 8 years ago

:...
:> just tried booting 1.4 (snapshot) in vmware. it works normally, but if I
:> have my usb stick passed through to dragonfly, it panics like below (I
:> think that's the same panic sascha is seeing).
:>
:> A little bit playing with ddb showed that pipe->queue is empty.
:
:Dump is in ~swildner/crash on leaf.
:
:Sascha

There is some sort of recursion happening but I'm not sure whether
the recursion is valid or whether it is itself a bug. The crash is
occurring while usb_transfer_complete() is operating on the wrong 'xfer'
structure.

I'm going to make a semi-wild guess. Look at the LIST_FOREACH() on
line 1274 in /usr/src/sys/bus/usb/uhci.c ... I think the 'ii' structure
could be getting ripped out from under the list scanner.

I've included a bad hack for you to try to see if it solves the problem.

-Matt
Matthew Dillon

Index: bus/usb/uhci.c
===================================================================
RCS file: /cvs/src/sys/bus/usb/uhci.c,v
retrieving revision 1.13
diff -u -r1.13 uhci.c
--- bus/usb/uhci.c 29 Apr 2006 22:05:21 -0000 1.13
+++ bus/usb/uhci.c 27 Jun 2006 21:14:27 -0000
@@ -386,6 +386,7 @@
LIST_INSERT_HEAD(&(sc)->sc_intrhead, (ii), list)
#define uhci_del_intr_info(ii) \
do { \
+ ++ii->sc->sc_intrhead_deletion_counter; \
LIST_REMOVE((ii), list); \
(ii)->list.le_prev = NULL; \
} while (0)
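Review bot: the added line in uhci_del_intr_info uses the macro argument bare (`++ii->sc->...`) while the two lines after it use `(ii)`; write `++(ii)->sc->sc_intrhead_deletion_counter;` so that an expression argument expands correctly. The increment also dereferences ii->sc before the unlink, so every entry passed to this macro needs sc set, which this hunk does not show.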
@@ -1254,6 +1255,7 @@
{
uhci_softc_t *sc = v;
uhci_intr_info_t *ii;
+ int last_deletion_counter;

DPRINTFN(10,("%s: uhci_softintr (%d)\n", USBDEVNAME(sc->sc_bus.bdev),
sc->sc_bus.intr_context));
@@ -1270,9 +1272,17 @@
* output on a slow console).
* We scan all interrupt descriptors to see if any have
* completed.
+ *
+ * XXX horrible hack - use a counter to detect if the list is
+ * modified out from under us and rescan if it is.
*/
- LIST_FOREACH(ii, &sc->sc_intrhead, list)
+again:
+ last_deletion_counter = sc->sc_intrhead_deletion_counter;
+ LIST_FOREACH(ii, &sc->sc_intrhead, list) {
uhci_check_intr(sc, ii);
+ if (sc->sc_intrhead_deletion_counter != last_deletion_counter)
+ goto again;
+ }

#ifdef USB_USE_SOFTINTR
if (sc->sc_softwake) {
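Review bot: the `goto again` in the uhci_softintr scan restarts from the list head with no retry limit, so after every deletion the entries already visited get uhci_check_intr() called on them again; confirm a repeated check of the same entry is harmless and consider bounding the retries. The comparison also runs only after uhci_check_intr() returns, so it protects the LIST_FOREACH step to the next entry but nothing that uses ii inside the call.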
Index: bus/usb/uhcivar.h
===================================================================
RCS file: /cvs/src/sys/bus/usb/uhcivar.h,v
retrieving revision 1.4
diff -u -r1.4 uhcivar.h
--- bus/usb/uhcivar.h 11 Feb 2004 15:17:26 -0000 1.4
+++ bus/usb/uhcivar.h 27 Jun 2006 21:10:30 -0000
@@ -179,6 +179,7 @@
char sc_dying;

LIST_HEAD(, uhci_intr_info) sc_intrhead;
+ int sc_intrhead_deletion_counter;

/* Info for the root hub interrupt channel. */
int sc_ival; /* time between root hub intrs */
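Review bot: sc_intrhead_deletion_counter is a signed int that is only ever incremented, so it eventually overflows, which is undefined for signed types in C; declare it unsigned (and last_deletion_counter in uhci_softintr to match), since only inequality is tested. It also needs a comment, as sc_ival below has, saying that uhci_del_intr_info bumps it and uhci_softintr reads it.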

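The hazard guessed at in the update above, as an added example that is not part of the original post or of DragonFly's code: a completion handler unlinks the entry the list scanner is about to step to, and a deletion counter lets the scanner notice and rescan. All struct and function names here are hypothetical, and the `removed` flag stands in for freed memory so the stale visit can be counted safely.

```c
#include <stdio.h>
#include <sys/queue.h>

/* Constructed model; struct and function names are hypothetical, not uhci.c. */
struct intr_info {
    LIST_ENTRY(intr_info) list;
    int done;                       /* transfer finished, entry gets retired */
    int removed;                    /* unlinked; stands in for freed memory */
    struct intr_info *also_retire;  /* completion side effect on another entry */
};
struct softc {
    LIST_HEAD(, intr_info) head;
    int deletions;                  /* bumped on every unlink */
    int stale_visits;               /* scanner reached an unlinked entry */
};
static void del_intr_info(struct softc *sc, struct intr_info *ii) {
    if (ii->removed) return;
    sc->deletions++;
    LIST_REMOVE(ii, list);
    ii->removed = 1;
}
static void check_intr(struct softc *sc, struct intr_info *ii) {
    if (ii->removed) { sc->stale_visits++; return; }
    if (!ii->done) return;
    del_intr_info(sc, ii);
    if (ii->also_retire) del_intr_info(sc, ii->also_retire);
}
/* List is a -> b -> c; completing a also retires b, the scanner's next entry. */
static int stale_visits_after_scan(int rescan) {
    struct intr_info a = {0}, b = {0}, c = {0}, *ii;
    struct softc sc = {0};
    int last;
    LIST_INIT(&sc.head);
    LIST_INSERT_HEAD(&sc.head, &c, list);
    LIST_INSERT_HEAD(&sc.head, &b, list);
    LIST_INSERT_HEAD(&sc.head, &a, list);
    a.done = 1; a.also_retire = &b;
again:
    last = sc.deletions;
    LIST_FOREACH(ii, &sc.head, list) {
        check_intr(&sc, ii);
        if (rescan && sc.deletions != last) goto again;
    }
    return sc.stale_visits;
}
int main(void) {
    printf("plain: %d stale, rescan: %d stale\n", stale_visits_after_scan(0), stale_visits_after_scan(1));
    return 0;
}
```

The counter only guards the scanner's step to the next entry; code that keeps using an entry inside the handler, or a nested scan started from within it, is outside what this check covers.
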
#3 Updated by swildner over 8 years ago

Matthew Dillon wrote:
> :...
> :> just tried booting 1.4 (snapshot) in vmware. it works normally, but if I
> :> have my usb stick passed through to dragonfly, it panics like below (I
> :> think that's the same panic sascha is seeing).
> :>
> :> A little bit playing with ddb showed that pipe->queue is empty.
> :
> :Dump is in ~swildner/crash on leaf.
> :
> :Sascha
>
> There is some sort of recursion happening but I'm not sure whether
> the recursion is valid or whether it is itself a bug. The crash is
> occurring while usb_transfer_complete() is operating on the wrong 'xfer'
> structure.
>
> I'm going to make a semi-wild guess. Look at the LIST_FOREACH() on
> line 1274 in /usr/src/sys/bus/usb/uhci.c ... I think the 'ii' structure
> could be getting ripped out from under the list scanner.
>
> I've included a bad hack for you to try to see if it solves the problem.

Unfortunately, it doesn't. I still get the same or a similar panic upon
shutdown. Backtrace attached, see ~swildner/crash/usb_patched.tbz on
leaf for a new dump.

Sascha

Unread portion of the kernel message buffer:
<118>Terminated
<118>.
<118>Jun 29 23:58:43 <syslog.err> mob syslogd: exiting on signal 15
Waiting (max 60 seconds) for system thread vnlru to stop...stopped
Waiting (max 60 seconds) for system thread bufdaemon to stop...stopped
Waiting (max 60 seconds) for system thread syncer to stop...stopped

syncing disks... 6
done
Uptime: 59s
kthread 0xc4324500 cbb0 has exited

Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x4c
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc044e08b
stack pointer = 0x10:0xc4327254
frame pointer = 0x10:0xc4327274
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 1 (init)
current thread = pri 63 (CRIT)

dumping to dev #ad/0x20001, offset 4063232
dump ata0: resetting devices .. done
64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41
40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17
16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1

GNU gdb 6.2.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.

Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-dragonfly".
(kgdb) bt
#0 dumpsys () at thread.h:83
#1 0xc0163dc5 in db_fncall (dummy1=4736, dummy2=0, dummy3=-1003327352,
dummy4=0xc4327084 "\277\022") at /usr/src/sys/ddb/db_command.c:541
#2 0xc0163b7f in db_command (last_cmdp=0xc05c8350, cmd_table=0x0,
aux_cmd_tablep=0xc056bfe0, aux_cmd_tablep_end=0xc056bff8)
at /usr/src/sys/ddb/db_command.c:343
#3 0xc0163c5f in db_command_loop () at /usr/src/sys/ddb/db_command.c:469
#4 0xc01667dc in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_trap.c:71
#5 0xc04b17f8 in kdb_trap (type=12, code=0, regs=0xc4327214) at
/usr/src/sys/i386/i386/db_interface.c:150
#6 0xc04c5ea2 in trap_fatal (frame=0xc4327214, eva=0) at
/usr/src/sys/i386/i386/trap.c:1178
#7 0xc04c5b71 in trap_pfault (frame=0xc4327214, usermode=0, eva=76) at
/usr/src/sys/i386/i386/trap.c:1083
#8 0xc04c57bf in trap (frame=
{tf_fs = -1003356136, tf_es = -1069285360, tf_ds = -964820976,
tf_edi = 0, tf_esi = -1062086208, tf_ebp = -1003326860, tf_isp =
-1003326912, tf_ebx = -1061964144, tf_edx = 0, tf_ecx = 0, tf_eax = 0,
tf_trapno = 12, tf_err = 0, tf_eip = -1069227893, tf_cs = 8, tf_eflags =
66118, tf_esp = -964514304, tf_ss = -1003324796}) at
/usr/src/sys/i386/i386/trap.c:654
#9 0xc04b2acf in calltrap () at /usr/src/sys/i386/i386/exception.s:774
#10 0xc044e08b in usb_transfer_complete (xfer=0xc0b3b690) at
/usr/src/sys/bus/usb/usbdi.c:812
#11 0xc044464e in uhci_idone (ii=0x0) at /usr/src/sys/bus/usb/uhci.c:1480
#12 0xc0444530 in uhci_check_intr (sc=0xc67eb4b8, ii=0xc0b3b700) at
/usr/src/sys/bus/usb/uhci.c:1355
#13 0xc044448a in uhci_softintr (v=0xc67eb4b8) at
/usr/src/sys/bus/usb/uhci.c:1282
#14 0xc044d5c8 in usb_schedsoftintr (bus=0x0) at
/usr/src/sys/bus/usb/usb.c:837
#15 0xc0444448 in uhci_intr1 (sc=0xc67eb4b8) at
/usr/src/sys/bus/usb/uhci.c:1246
#16 0xc0444767 in uhci_waitintr (sc=0xc67eb4b8, xfer=0xc0b3b7d0) at
/usr/src/sys/bus/usb/uhci.c:1538
#17 0xc0444ed4 in uhci_device_bulk_start (xfer=0xc0b3b7d0) at
/usr/src/sys/bus/usb/uhci.c:1890
#18 0xc0444d31 in uhci_device_bulk_transfer (xfer=0xc0b3b7d0) at
/usr/src/sys/bus/usb/uhci.c:1810
#19 0xc044d917 in usbd_transfer (xfer=0xc0b3b7d0) at
/usr/src/sys/bus/usb/usbdi.c:321
#20 0xc045a6ce in umass_setup_transfer (sc=0x0, pipe=0x0, buffer=0x0,
buflen=0, flags=0, xfer=0xc0b3b7d0) at
/usr/src/sys/dev/usbmisc/umass/umass.c:1169
#21 0xc045ad53 in umass_bbb_state (xfer=0x0, priv=0xc0b76068,
err=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usbmisc/umass/umass.c:1532
#22 0xc044e0ec in usb_transfer_complete (xfer=0xc0b3b690) at
/usr/src/sys/bus/usb/usbdi.c:830
#23 0xc044464e in uhci_idone (ii=0x0) at /usr/src/sys/bus/usb/uhci.c:1480
#24 0xc0444530 in uhci_check_intr (sc=0xc67eb4b8, ii=0xc0b3b700) at
/usr/src/sys/bus/usb/uhci.c:1355
#25 0xc044448a in uhci_softintr (v=0xc67eb4b8) at
/usr/src/sys/bus/usb/uhci.c:1282
#26 0xc044d5c8 in usb_schedsoftintr (bus=0x0) at
/usr/src/sys/bus/usb/usb.c:837
#27 0xc0444448 in uhci_intr1 (sc=0xc67eb4b8) at
/usr/src/sys/bus/usb/uhci.c:1246
#28 0xc0444767 in uhci_waitintr (sc=0xc67eb4b8, xfer=0xc0b3b690) at
/usr/src/sys/bus/usb/uhci.c:1538
#29 0xc0444ed4 in uhci_device_bulk_start (xfer=0xc0b3b690) at
/usr/src/sys/bus/usb/uhci.c:1890
#30 0xc0444d31 in uhci_device_bulk_transfer (xfer=0xc0b3b690) at
/usr/src/sys/bus/usb/uhci.c:1810
#31 0xc044d917 in usbd_transfer (xfer=0xc0b3b690) at
/usr/src/sys/bus/usb/usbdi.c:321
#32 0xc045a6ce in umass_setup_transfer (sc=0x0, pipe=0x0, buffer=0x0,
buflen=0, flags=4, xfer=0xc0b3b690) at
/usr/src/sys/dev/usbmisc/umass/umass.c:1169
#33 0xc045abc5 in umass_bbb_state (xfer=0x0, priv=0xc0b76068,
err=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usbmisc/umass/umass.c:1437
#34 0xc044e0ec in usb_transfer_complete (xfer=0xc0b3b5f0) at
/usr/src/sys/bus/usb/usbdi.c:830
#35 0xc044464e in uhci_idone (ii=0x0) at /usr/src/sys/bus/usb/uhci.c:1480
#36 0xc0444530 in uhci_check_intr (sc=0xc67eb4b8, ii=0xc0b3b660) at
/usr/src/sys/bus/usb/uhci.c:1355
#37 0xc044448a in uhci_softintr (v=0xc67eb4b8) at
/usr/src/sys/bus/usb/uhci.c:1282
#38 0xc044d5c8 in usb_schedsoftintr (bus=0x0) at
/usr/src/sys/bus/usb/usb.c:837
#39 0xc0444448 in uhci_intr1 (sc=0xc67eb4b8) at
/usr/src/sys/bus/usb/uhci.c:1246
#40 0xc0444767 in uhci_waitintr (sc=0xc67eb4b8, xfer=0xc0b3b5f0) at
/usr/src/sys/bus/usb/uhci.c:1538
#41 0xc0444ed4 in uhci_device_bulk_start (xfer=0xc0b3b5f0) at
/usr/src/sys/bus/usb/uhci.c:1890
#42 0xc0444d31 in uhci_device_bulk_transfer (xfer=0xc0b3b5f0) at
/usr/src/sys/bus/usb/uhci.c:1810
#43 0xc044d917 in usbd_transfer (xfer=0xc0b3b5f0) at
/usr/src/sys/bus/usb/usbdi.c:321
#44 0xc045a6ce in umass_setup_transfer (sc=0x0, pipe=0x0, buffer=0x0,
buflen=0, flags=0, xfer=0xc0b3b5f0) at
/usr/src/sys/dev/usbmisc/umass/umass.c:1169
#45 0xc045aaf8 in umass_bbb_transfer (sc=0xc0b76068, lun=0, cmd=0x0,
cmdlen=6, data=0xc4327a84, datalen=32, dir=1, cb=0, priv=0x0)
at /usr/src/sys/dev/usbmisc/umass/umass.c:1384
#46 0xc045c343 in umass_cam_cb (sc=0xc0b76068, priv=0xc43279fc,
residue=0, status=2) at /usr/src/sys/dev/usbmisc/umass/umass.c:2615
#47 0xc045b055 in umass_bbb_state (xfer=0x0, priv=0xc0b76068,
err=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usbmisc/umass/umass.c:1628
#48 0xc044e0ec in usb_transfer_complete (xfer=0xc0b3b7d0) at
/usr/src/sys/bus/usb/usbdi.c:830
#49 0xc044464e in uhci_idone (ii=0x0) at /usr/src/sys/bus/usb/uhci.c:1480
#50 0xc0444530 in uhci_check_intr (sc=0xc67eb4b8, ii=0xc0b3b840) at
/usr/src/sys/bus/usb/uhci.c:1355
#51 0xc044448a in uhci_softintr (v=0xc67eb4b8) at
/usr/src/sys/bus/usb/uhci.c:1282
#52 0xc044d5c8 in usb_schedsoftintr (bus=0x0) at
/usr/src/sys/bus/usb/usb.c:837
#53 0xc0444448 in uhci_intr1 (sc=0xc67eb4b8) at
/usr/src/sys/bus/usb/uhci.c:1246
#54 0xc0444767 in uhci_waitintr (sc=0xc67eb4b8, xfer=0xc0b3b7d0) at
/usr/src/sys/bus/usb/uhci.c:1538
#55 0xc0444ed4 in uhci_device_bulk_start (xfer=0xc0b3b7d0) at
/usr/src/sys/bus/usb/uhci.c:1890
#56 0xc0444d31 in uhci_device_bulk_transfer (xfer=0xc0b3b7d0) at
/usr/src/sys/bus/usb/uhci.c:1810
#57 0xc044d917 in usbd_transfer (xfer=0xc0b3b7d0) at
/usr/src/sys/bus/usb/usbdi.c:321
#58 0xc045a6ce in umass_setup_transfer (sc=0x0, pipe=0x0, buffer=0x0,
buflen=0, flags=0, xfer=0xc0b3b7d0) at
/usr/src/sys/dev/usbmisc/umass/umass.c:1169
#59 0xc045ad53 in umass_bbb_state (xfer=0x0, priv=0xc0b76068,
err=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usbmisc/umass/umass.c:1532
#60 0xc044e0ec in usb_transfer_complete (xfer=0xc0b3b5f0) at
/usr/src/sys/bus/usb/usbdi.c:830
#61 0xc044464e in uhci_idone (ii=0x0) at /usr/src/sys/bus/usb/uhci.c:1480
#62 0xc0444530 in uhci_check_intr (sc=0xc67eb4b8, ii=0xc0b3b660) at
/usr/src/sys/bus/usb/uhci.c:1355
#63 0xc044448a in uhci_softintr (v=0xc67eb4b8) at
/usr/src/sys/bus/usb/uhci.c:1282
#64 0xc044e51b in usbd_set_polling (dev=0x0, on=1) at
/usr/src/sys/bus/usb/usbdi.c:1087
#65 0xc045c205 in umass_cam_poll (sim=0x0) at
/usr/src/sys/dev/usbmisc/umass/umass.c:2566
#66 0xc01493ca in xpt_polled_action (start_ccb=0xc43279fc) at
/usr/src/sys/bus/cam/cam_xpt.c:3352
#67 0xc01530d1 in dashutdown (arg=0x0, howto=0) at
/usr/src/sys/bus/cam/scsi/scsi_da.c:1932
#68 0xc02b90e2 in boot (howto=0) at /usr/src/sys/kern/kern_shutdown.c:332
#69 0xc02b8d11 in sys_reboot (uap=0x0) at
/usr/src/sys/kern/kern_shutdown.c:174
#70 0xc04c61ab in syscall2 (frame=
{tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 2, tf_esi =
-1077936596, tf_ebp = -1077936984, tf_isp = -1003324044, tf_ebx =
-1077936728, tf_edx = -1, tf_ecx = 134962784, tf_eax = 55, tf_trapno =
12, tf_err = 2, tf_eip = 134547284, tf_cs = 31, tf_eflags = 646, tf_esp
= -1077937204, tf_ss = 47})
at /usr/src/sys/i386/i386/trap.c:1399
#71 0xc04b2b5a in Xint0x80_syscall () at
/usr/src/sys/i386/i386/exception.s:852
#72 0x0000001f in ?? ()
#73 0x0000002f in ?? ()
#74 0x00000000 in ?? ()
#75 0x00000000 in ?? ()
#76 0x00000000 in ?? ()
#77 0x00000000 in ?? ()
#78 0x03e47000 in ?? ()
#79 0xc4324f00 in ?? ()
#80 0xc05ec294 in softclock_pcpu_ary ()
#81 0xc4327a58 in ?? ()
#82 0xc4327a38 in ?? ()
#83 0xff800000 in ?? ()
#84 0xc02bf443 in lwkt_switch () at /usr/src/sys/kern/lwkt_thread.c:740
Previous frame inner to this frame (corrupt stack?)

#4 Updated by swildner about 8 years ago

Sephe's USB upgrade fixed the panic for me which I had when shutting
down a system that was running from a USB disk.

However, now dashutdown() (sys/bus/cam/scsi/scsi_da.c) hangs for 5
minutes at line 1931 in the xpt_polled_action() after
scsi_synchronize_cache().

After 5 minutes, the shutdown continues normally. Does anyone have an
idea what's wrong here?

Sascha

#5 Updated by corecode almost 6 years ago

possibly fixed
