kern/103258: "umount -f" of detached USB device causes panic

clemens fischer ino-news at spotteswoode.dnsalias.org
Thu Sep 14 04:50:28 PDT 2006


>Number:         103258
>Category:       kern
>Synopsis:       "umount -f" of detached USB device causes panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 14 11:50:17 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Charlie &
>Release:        FreeBSD 6.1-STABLE i386
>Organization:
>Environment:

System: FreeBSD spotteswoode.dnsalias.org 6.1-STABLE
FreeBSD 6.1-STABLE #10: Wed Aug 30 21:36:35 CEST 2006
root at spotteswoode.dnsalias.org:/usr/obj/usr/src/sys/spott i386

>Description:

i have a USB card-reader.  the entry in /etc/usbd.conf is:

  device "usb cardReaderWriter"
    #devname "umass0"
    vendor  0x058f
    product 0x6362
    release 0x0127
    #attach "/sbin/mount -v -t msdosfs -o sync /dev/da0s1 /mnt/usb-rdr"
    attach "/l/sbin/mount-usb-rdr.sh"
    detach "/sbin/umount -v -t msdosfs /mnt/usb-rdr"

the script mount-usb-rdr.sh being the following hack:

  #!/bin/sh
  sleep 11
  dev="$(find /dev/ -name 'da[01234567]s[01234567]' -print)"
  logger -s /sbin/mount -v -t msdosfs -o sync "${dev:-/dev/da0s1}" /mnt/usb-rdr
  /sbin/mount -v -t msdosfs -o sync "${dev:-/dev/da0s1}" /mnt/usb-rdr

i can plug it in and it works:  "/dev/da0s1 on /mnt/usb-rdr (msdosfs,
local, synchronous)".  the detach-command doesn't work, because by the
time the umount(8) is executed, the USB subsystem has already
unconfigured the device.

  # umount -v /mnt/usb-rdr/
  umount: unmount of /mnt/usb-rdr failed: Device not configured

the log shows:

  <kern.crit> spott kernel: umass0: at uhub0 port 1 (addr 2) disconnected
  <kern.crit> spott kernel: (da0:umass-sim0:0:0:0): lost device
  <kern.crit> spott kernel: (da1:umass-sim0:0:0:1): lost device
  <kern.crit> spott kernel: (da1:umass-sim0:0:0:1): removing device entry
  <kern.crit> spott kernel: (da2:umass-sim0:0:0:2): lost device
  <kern.crit> spott kernel: (da2:umass-sim0:0:0:2): removing device entry
  <kern.crit> spott kernel: (da3:umass-sim0:0:0:3): lost device
  <kern.crit> spott kernel: (da3:umass-sim0:0:0:3): removing device entry
  <kern.crit> spott kernel: umass0: detached
  <kern.crit> spott kernel: g_vfs_done():da0s1[WRITE(offset=11264, length=4096)]error = 6

however, the device still seems to be mounted to the kernel as the
output of "mount" doesn't change. re-plugging the reader allocates a
new pseudo-scsi-device and messes up the mounts: i get two msdos
filesystems on a single mount-point. this and a waiting period needed
before actually issuing "mount(8)" was the reason to make an extra
script for mounting (see above). so i try to force-unmount:

  # umount -f /mnt/usb-rdr

which causes a kernel panic:

/usr/obj/usr/src/sys/spott
0  # kgdb kernel.debug /var/crash/vmcore.1
kgdb: kvm_nlist(_stopped_cpus):
kgdb: kvm_nlist(_stoppcbs):
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:
g_vfs_done():da0s1[READ(offset=11264, length=4096)]error = 6
(da0:dead_sim0:0:0:0): Synchronize cache failed, status == 0x8, scsi status == 0x0
(da0:dead_sim0:0:0:0): removing device entry


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x0
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc2988e0f
stack pointer           = 0x28:0xd4eb5bf4
frame pointer           = 0x28:0xd4eb5c44
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 2144 (umount)
trap number             = 12
panic: page fault
Uptime: 3h11m22s
Dumping 383 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 383MB (98048 pages) 368 352 336 320 304 288 272 256 240 224 208 192 176 160 144 128 112 96 80 64 48 32 16

#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) list *0xc2988e0f
No source file for address 0xc2988e0f.
(kgdb) list *0xc2988e0f
No source file for address 0xc2988e0f.
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc052d27c in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc052d589 in panic (fmt=0xc06b7072 "%s") at /usr/src/sys/kern/kern_shutdown.c:565
#3  0xc069283c in trap_fatal (frame=0xd4eb5bb4, eva=0) at /usr/src/sys/i386/i386/trap.c:836
#4  0xc0692512 in trap_pfault (frame=0xd4eb5bb4, usermode=0, eva=0) at /usr/src/sys/i386/i386/trap.c:744
#5  0xc06920cf in trap (frame=
      {tf_fs = 8, tf_es = -722796504, tf_ds = -1067188184, tf_edi = 0, tf_esi = -1030528480, tf_ebp = -722772924, tf_isp = -722773024, tf_ebx = 6, tf_edx = 0, tf_ecx = -1030150656, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1030189553, tf_cs = 32, tf_eflags = 66178, tf_esp = -1061026112, tf_ss = -1030144000})
    at /usr/src/sys/i386/i386/trap.c:434
#6  0xc067dfea in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc2988e0f in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) bt full
#0  doadump () at pcpu.h:165
No locals.
#1  0xc052d27c in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
        first_buf_printf = 1
#2  0xc052d589 in panic (fmt=0xc06b7072 "%s") at /usr/src/sys/kern/kern_shutdown.c:565
        td = (struct thread *) 0xc26d7000
        bootopt = 260
        newpanic = 0
        ap = 0xc26d7000 ""
        buf = "page fault", '\0' <repeats 245 times>
#3  0xc069283c in trap_fatal (frame=0xd4eb5bb4, eva=0) at /usr/src/sys/i386/i386/trap.c:836
        code = 40
        type = 12
        ss = 40
        esp = 0
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_xx = 11,
  ssd_xx1 = 1, ssd_def32 = 1, ssd_gran = 1}
        msg = 0x0
#4  0xc0692512 in trap_pfault (frame=0xd4eb5bb4, usermode=0, eva=0) at /usr/src/sys/i386/i386/trap.c:744
        va = 0
        vm = (struct vmspace *) 0x0
        map = 0x1
        rv = 1
        ftype = 1 '\001'
        td = (struct thread *) 0xc26d7000
        p = (struct proc *) 0xc2798000
#5  0xc06920cf in trap (frame=
      {tf_fs = 8, tf_es = -722796504, tf_ds = -1067188184, tf_edi = 0, tf_esi = -1030528480, tf_ebp = -722772924, tf_isp = -722773024, tf_ebx = 6, tf_edx = 0, tf_ecx = -1030150656, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1030189553, tf_cs = 32, tf_eflags = 66178, tf_esp = -1061026112, tf_ss = -1030144000})
    at /usr/src/sys/i386/i386/trap.c:434
        td = (struct thread *) 0xc26d7000
        p = (struct proc *) 0xc2798000
        sticks = 3234083008
        i = 0
        ucode = 0
        type = 12
        code = 0
        eva = 0
#6  0xc067dfea in calltrap () at /usr/src/sys/i386/i386/exception.s:139
No locals.
#7  0xc2988e0f in ?? ()
No symbol table info available.
(kgdb) list
139             call    trap
140
141             /*
142              * Return via doreti to handle ASTs.
143              */
144             MEXITCOUNT
145             jmp     doreti
146
147     /*
148      * SYSCALL CALL GATE (old entry point for a.out binaries)
(kgdb)

btw, preparing this PR and checking everything, another panic happened
which i have no details for:

  <console.info> spott kernel: savecore: reboot after panic: vinvalbuf: dirty bufs
  <daemon.alert> spott savecore: reboot after panic: vinvalbuf: dirty bufs
  <console.info> spott kernel: savecore: no dump, not enough free space on device ...
  <console.info> spott kernel: savecore: unsaved dumps found but not saved

>How-To-Repeat:

i can reproduce the panic every time by plugging in the reader,
unplugging it and issuing:

  # umount -f /mnt/usb-rdr

>Fix:

i don't know how to fix this, but to work around it one must avoid the
`-f' (force) flag to umount(8).  even without the flag, unmounting seems
to make my system unstable.  better leave things plugged and not mess
with it until after shutdown and before rebooting ...  ;)

regards,

  clemens
>Release-Note:
>Audit-Trail:
>Unformatted:
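
An added example, not part of the original report: a sh check that correlates the kernel's "lost device" log lines with mount(8) output to list filesystems still mounted on a disk that has gone away, so they can be identified without resorting to "umount -f". The function names and the /dev/ad0s1a mount line are constructed; the log lines are taken from the report, and the check assumes the log covers only the period since the filesystems were mounted.

```shell
#!/bin/sh
# Added example (not from the report): find mounts whose backing disk
# the kernel has logged as "lost device".

# lost_disks LOGFILE -> disk names (da0, da1, ...) that have a "lost device" line
lost_disks() {
    sed -n 's/.*(\(da[0-9][0-9]*\):[^)]*): lost device.*/\1/p' "$1" | sort -u
}

# stale_mounts LOGFILE MOUNTFILE -> "device mountpoint" for each stale mount
stale_mounts() {
    lost="$(lost_disks "$1")"
    # mount(8) line format as quoted in the report: "/dev/da0s1 on /mnt/usb-rdr (...)"
    while read -r src on mnt rest; do
        [ "$on" = "on" ] || continue
        disk="$(printf '%s\n' "$src" | sed -n 's|^/dev/\(da[0-9][0-9]*\).*|\1|p')"
        [ -n "$disk" ] || continue
        for d in $lost; do
            if [ "$d" = "$disk" ]; then
                printf '%s %s\n' "$src" "$mnt"
            fi
        done
    done < "$2"
}

# demo: log lines from the report plus a constructed mount table
demo() {
    tmp="$(mktemp -d)" || return 1
    cat > "$tmp/log" <<'EOF'
<kern.crit> spott kernel: umass0: at uhub0 port 1 (addr 2) disconnected
<kern.crit> spott kernel: (da0:umass-sim0:0:0:0): lost device
<kern.crit> spott kernel: (da1:umass-sim0:0:0:1): lost device
<kern.crit> spott kernel: (da1:umass-sim0:0:0:1): removing device entry
<kern.crit> spott kernel: umass0: detached
EOF
    cat > "$tmp/mounts" <<'EOF'
/dev/ad0s1a on / (ufs, local)
/dev/da0s1 on /mnt/usb-rdr (msdosfs, local, synchronous)
EOF
    stale_mounts "$tmp/log" "$tmp/mounts"
    rm -rf "$tmp"
}

demo
```

On a live system the two inputs would be a saved copy of the kernel log and the output of mount(8) redirected to a file.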

