kern/89954: USB Disk driver race condition?

David Gilbert dgilbert at daveg.ca
Mon Dec 5 00:40:04 GMT 2005


>Number:         89954
>Category:       kern
>Synopsis:       USB Disk driver race condition?
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 05 00:40:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     David Gilbert
>Release:        FreeBSD 6.0-STABLE i386
>Organization:
>Environment:
System: FreeBSD canoe.dclg.ca 6.0-STABLE FreeBSD 6.0-STABLE #1: Thu Nov 24 14:20:52 EST 2005 dgilbert at canoe.dclg.ca:/usr/src/sys/i386/compile/CANOE i386


This has been happening to me in 5.x and in 6.x.  I don't think it's
terribly version dependent.

>Description:
Firstly, flash card readers --- especially the ones that handle multiple
types of media --- seem to "fight" with FreeBSD.  FreeBSD will detect multiple
"0" sized disks along the way to finding the desired media.

But this isn't the current problem (although it may be, in some way,
related).

The current problem is that occasionally, plugging in the usb flash
reader (and I think sometimes a usb hard drive, but I hot plug
that so much less that I can't remember) causes a kernel panic.

I have the core files, if anyone's interested, but here's the stack
dump from kgdb:

Unread portion of the kernel message buffer:
umass0: at uhub3 port 4 (addr 2) disconnected
(da0:umass-sim0:0:0:0): lost device
(da1:umass-sim0:0:0:1): lost device


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x8
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc0435793
stack pointer           = 0x28:0xe3964ae8
frame pointer           = 0x28:0xe3964af0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 2 (g_event)
trap number             = 12
panic: page fault
Uptime: 16h14m49s
(da0:umass-sim0:0:0:0): Synchronize cache failed, status == 0x39, scsi status == 0x0
Dumping 1023 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 1023MB (261806 pages) 1007 991 975 (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to abort)  959 943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:165
165     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc0503cfe in boot (howto=260) at ../../../kern/kern_shutdown.c:399
#2  0xc0503f2a in panic (fmt=0xc06626d7 "%s")
    at ../../../kern/kern_shutdown.c:555
#3  0xc0638968 in trap_fatal (frame=0xe3964aa8, eva=8)
    at ../../../i386/i386/trap.c:831
#4  0xc06386d3 in trap_pfault (frame=0xe3964aa8, usermode=0, eva=8)
    at ../../../i386/i386/trap.c:742
#5  0xc063839d in trap (frame=
      {tf_fs = -476708856, tf_es = -1068433368, tf_ds = -476708824, tf_edi = -1030561792, tf_esi = 0, tf_ebp = -476689680, tf_isp = -476689708, tf_ebx = -1012047232, tf_edx = 1, tf_ecx = -1016955888, tf_eax = -1014922688, tf_trapno = 12, tf_err = 2, tf_eip = -1069328493, tf_cs = 32, tf_eflags = 590406, tf_esp = -990339584, tf_ss = -1012047232}) at ../../../i386/i386/trap.c:432
#6  0xc062c1fa in calltrap () at ../../../i386/i386/exception.s:139
#7  0xc0435793 in camq_remove (queue=0xc3ad6280, index=1)
    at ../../../cam/cam_queue.c:187
#8  0xc0438244 in xpt_run_dev_allocq (bus=0xc3acfd00)
    at ../../../cam/cam_xpt.c:3798
#9  0xc0438ae6 in xpt_release_ccb (free_ccb=0x1) at ../../../cam/cam_xpt.c:4349
#10 0xc044289c in dagetcapacity (periph=0xc2b5fc80)
    at ../../../cam/scsi/scsi_da.c:1743
#11 0xc0440fe5 in daopen (dp=0xc3818240) at ../../../cam/scsi/scsi_da.c:463
#12 0xc04d5f9b in g_disk_access (pp=0xc37b3e80, r=1, w=0, e=0)
    at ../../../geom/geom_disk.c:135
#13 0xc04d9ce6 in g_access (cp=0xc3acf540, dcr=1, dcw=0, dce=0)
    at ../../../geom/geom_subr.c:730
#14 0xc04d8fc9 in g_slice_new (mp=0xc06a25a0, slices=128, pp=0xc37b3e80, 
    cpp=0xc3818240, extrap=0xe3964c6c, extra=512, start=0xc3818240)
    at ../../../geom/geom_slice.c:476
#15 0xc04d754c in g_gpt_taste (mp=0xc06a25a0, pp=0xc37b3e80, insist=0)
    at ../../../geom/geom_gpt.c:151
#16 0xc04d9866 in g_new_provider_event (arg=0xc37b3e80, flag=0)
    at ../../../geom/geom_subr.c:459
#17 0xc04d6f99 in one_event () at ../../../geom/geom_event.c:206
#18 0xc04d7041 in g_run_events () at ../../../geom/geom_event.c:226
#19 0xc04d831d in g_event_procbody () at ../../../geom/geom_kern.c:141
#20 0xc04f255d in fork_exit (callout=0xc04d82cc <g_event_procbody>, arg=0x0, 
    frame=0xe3964d38) at ../../../kern/kern_fork.c:789
#21 0xc062c25c in fork_trampoline () at ../../../i386/i386/exception.s:208

>How-To-Repeat:
I don't know how often this happens --- but maybe 1 in 10 or 1 in 20 times
I use flash memory.  Enough to be annoying, but not enough to make
me submit a bug (until now).
>Fix:

None known at the moment.


>Release-Note:
>Audit-Trail:
>Unformatted:

