Bug #666

usb stick removal panics

Added by corecode almost 10 years ago. Updated almost 8 years ago.

Repeatable panic here when removing my USB stick (when I didn't load umass.ko before):

Unread portion of the kernel message buffer:
uhub1: at uhub0 port 4 (addr 3) disconnected
kernel trap 12 with interrupts disabled

Fatal trap 12: page fault while in kernel mode
fault virtual address = 0xdeadc0de
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc0264ce0
stack pointer = 0x10:0xd2465b20
frame pointer = 0x10:0xd2465b20
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = resume, IOPL = 0
current process = Idle
current thread = pri 76 (CRIT)

trap number = 12
panic: page fault
(kgdb) bt
#0 dumpsys () at thread.h:83
#1 0xc017c8a7 in boot (howto=256) at /usr/build/src/sys/kern/kern_shutdown.c:373
#2 0xc017c9d1 in panic (fmt=Variable "fmt" is not available.
) at /usr/build/src/sys/kern/kern_shutdown.c:792
#3 0xc029185a in trap_fatal (frame=0xd2465ad8, eva=Variable "eva" is not available.
at /usr/build/src/sys/platform/pc32/i386/trap.c:1097
#4 0xc02919ad in trap_pfault (frame=0xd2465ad8, usermode=0, eva=3735929054)
at /usr/build/src/sys/platform/pc32/i386/trap.c:998
#5 0xc02922dc in trap (frame=0xd2465ad8) at /usr/build/src/sys/platform/pc32/i386/trap.c:681
#6 0xc02830d6 in calltrap () at /usr/build/src/sys/platform/pc32/i386/exception.s:783
#7 0xc0264ce0 in strlen (str=0xdeadc0de <Address 0xdeadc0de out of bounds>)
at /usr/build/src/sys/libkern/strlen.c:44
#8 0xc0194fc8 in kvcprintf (fmt=0xc02c566d ": at %s", func=0xc01959de <kputchar>, arg=0xd2465c50,
radix=10, ap=0xd2465c78 "�u\036�) at /usr/build/src/sys/kern/subr_prf.c:655
#9 0xc01959b0 in kprintf (fmt=0xc02c566b "%s: at %s") at /usr/build/src/sys/kern/subr_prf.c:304
#10 0xc025c561 in usb_disconnect_port (up=0xd53d9c68, parent=0xd53d98d8)
at /usr/build/src/sys/bus/usb/usb_subr.c:1382
#11 0xc025f3d2 in uhub_detach (self=0xd53d98d8) at /usr/build/src/sys/bus/usb/uhub.c:610
#12 0xc018e850 in device_detach (dev=0xd53d98d8) at device_if.h:49
#13 0xc018e943 in device_delete_child (dev=0xcfaea500, child=0xd53d98d8)
at /usr/build/src/sys/kern/subr_bus.c:600
#14 0xc025c5b0 in usb_disconnect_port (up=0xd24a5c74, parent=0xcfaea500)
at /usr/build/src/sys/bus/usb/usb_subr.c:1387
#15 0xc025f119 in uhub_explore (dev=0xcfa8a8b8) at /usr/build/src/sys/bus/usb/uhub.c:460
#16 0xc025985f in usb_discover (v=Variable "v" is not available.
) at /usr/build/src/sys/bus/usb/usb.c:784
#17 0xc0259bf6 in usb_event_thread (arg=0xc22491c0) at /usr/build/src/sys/bus/usb/usb.c:473
#18 0xc017181a in suspend_kproc (td=Variable "td" is not available.
) at /usr/build/src/sys/kern/kern_kthread.c:158

Seems either some variable isn't being initialized correctly, or something is freed prematurely. No time to investigate, though.

The USB stick I'm using has an integrated USB hub (why is beyond my imagination).



#1 Updated by sepherosa almost 10 years ago

Since ugen(4) is not loaded at all, the USB device's structure is only
partially initialized, i.e. nameunit is not initialized at all.
Please test the following patch:

Best Regards,

#2 Updated by corecode almost 10 years ago

Sorry, doesn't fix it. Panics at the same place.


#3 Updated by corecode over 9 years ago

Fresh trace:

Unread portion of the kernel message buffer:
: at uhub4 port 1 (addr 3) disconnected

Fatal trap 12: page fault while in kernel mode
mp_lock = 00000000; cpuid = 0; = 00000000
fault virtual address = 0x0
fault code = supervisor write, page not present
#6 0xc027f136 in calltrap () at /usr/src/sys/platform/pc32/i386/exception.s:783
#7 0xc01984f3 in device_delete_child (dev=0xd700c048, child=0xdeadc0de)
at /usr/src/sys/kern/subr_bus.c:604
#8 0xc01984ac in device_delete_child (dev=0xdeadc0de, child=0xd700c048)
at /usr/src/sys/kern/subr_bus.c:595
#9 0xde56a231 in usb_disconnect_port (up=0xd700c348, parent=0xd700c2d0)
at /usr/src/sys/bus/usb/usb/../../../bus/usb/usb_subr.c:1251
#10 0xde56829a in uhub_detach (self=0xd700c2d0)
at /usr/src/sys/bus/usb/usb/../../../bus/usb/uhub.c:571
#11 0xc01983cd in device_detach (dev=0xd700c2d0) at device_if.h:49
#12 0xc01984c1 in device_delete_child (dev=0xd700ac50, child=0xd700c2d0)
at /usr/src/sys/kern/subr_bus.c:600
#13 0xde56a231 in usb_disconnect_port (up=0xda02da88, parent=0xd700ac50)
at /usr/src/sys/bus/usb/usb/../../../bus/usb/usb_subr.c:1251
#14 0xde567ffd in uhub_explore (dev=0xd6f69948)
at /usr/src/sys/bus/usb/usb/../../../bus/usb/uhub.c:454
#15 0xde569534 in usb_discover (v=Variable "v" is not available.
) at /usr/src/sys/bus/usb/usb/../../../bus/usb/usb.c:735
#16 0xde5698d5 in usb_event_thread (arg=0xc3b8b448)
at /usr/src/sys/bus/usb/usb/../../../bus/usb/usb.c:446

(kgdb) p *dev->subdevs[0]
$6 = {ops = 0x0, link = {tqe_next = 0xdeadc0de, tqe_prev = 0xdeadc0de}, parent =
children = {tqh_first = 0xdeadc0de, tqh_last = 0x0}, driver = 0xdeadc0de,
devclass = 0xdeadc0de,
unit = -559038242, nameunit = 0xdeadc0de "", desc = 0xdeadc0de "", busy =
state = 3735929054, devflags = 3735929054, flags = 49374, order = 173 '�', pad
= 222 '�,
ivars = 0xdeadc0de, softc = 0x0}

Who free()d the subdev structure?
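
Added illustration, not part of the original report or of DragonFly's code: a small Python triage helper showing that the decimal fields in the dump above (unit = -559038242, state = 3735929054, flags = 49374, order = 173, pad = 222) are all the same 0xdeadc0de word read at different widths, which is what a structure overwritten after free looks like. It assumes 0xdeadc0de is the kernel allocator's fill for freed memory and a little-endian i386 layout; the names `poison_reads` and `scan` are hypothetical, and the sample text is trimmed from the traces in this comment.

```python
import re
import struct

POISON = 0xDEADC0DE  # assumption: fill word the allocator writes over freed memory

# Matches "name = value" and "name=value" with a hex or decimal value.
FIELD = re.compile(r"(\w+)\s*=\s*(-?(?:0x[0-9a-fA-F]+|\d+))")

# Trimmed from the kgdb output in this report (char literals dropped).
SAMPLE = """\
#7 0xc01984f3 in device_delete_child (dev=0xd700c048, child=0xdeadc0de)
$6 = {ops = 0x0, link = {tqe_next = 0xdeadc0de, tqe_prev = 0xdeadc0de},
unit = -559038242, nameunit = 0xdeadc0de, state = 3735929054,
flags = 49374, order = 173, pad
= 222, ivars = 0xdeadc0de, softc = 0x0}
"""

def poison_reads(word=POISON):
    """Map every value an aligned 1/2/4-byte read of the fill can yield to its width."""
    mem = struct.pack("<I", word)  # bytes as laid out in i386 memory
    reads = {}
    for width, fmt in ((4, "I"), (2, "H"), (1, "B")):
        for off in range(0, 4, width):
            raw = mem[off:off + width]
            reads[struct.unpack("<" + fmt, raw)[0]] = width          # unsigned view
            reads[struct.unpack("<" + fmt.lower(), raw)[0]] = width  # signed view
    return reads

def scan(text, word=POISON):
    """Return [(field, value, width)] for fields whose value is a read of the fill."""
    reads = poison_reads(word)
    hits = []
    for name, raw in FIELD.findall(text):
        value = int(raw, 16) if "0x" in raw.lower() else int(raw, 10)
        if value in reads:
            hits.append((name, value, reads[value]))
    # 1- and 2-byte matches are weak evidence alone; keep them only when a
    # full-word match in the same text corroborates them.
    return hits if any(w == 4 for _, _, w in hits) else []

if __name__ == "__main__":
    for name, value, width in scan(SAMPLE):
        print(f"{name:10} {value & 0xffffffff:#x} ({width}-byte read)")
```
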

#4 Updated by tuxillo almost 8 years ago

Recently Matt did some work on USB devices. Could it be fixed already?

#5 Updated by corecode almost 8 years ago

I seem to have lost this particular USB stick. Until it reappears we can close
it, since I don't have any means to reproduce it.
