usb/78208: ulpt page fault

Jan-Espen Pettersen sigsegv at leakingmemory.org
Mon Feb 28 18:30:16 GMT 2005


>Number:         78208
>Category:       usb
>Synopsis:       ulpt page fault
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-usb
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 28 18:30:15 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Signal11
>Release:        FreeBSD 5.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD endeavour.localnet.radiotube.org 5.3-STABLE FreeBSD 5.3-STABLE #10: Mon Feb 28 18:45:10 CET 2005 root at endeavour.localnet.radiotube.org:/usr/obj/usr/src/FreeBSD-5/sys/ENDEAVOUR i386

	
>Description:
I got this page fault trap just after printing via ulpt. The pages came out just fine, which is why I think this problem is about handling EOF or close of transaction with /dev/ulpt0. To me this looks like a timer (as the name *_tick) which probably was not stopped in time, and therefore didn't have a valid xfer pointer to pass to the setup routine. These crashes have been going on for a while, but I haven't been able to get crashdumps before recently when I started to press Ctrl+Alt+F1 shortly after starting the print jobs.

gdb analysis of crash dump:
endeavour.root# gdb53 -k ./kernel.24 -c vmcore.24
GNU gdb 5.3 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-portbld-freebsd5.3"...
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x0
fault code              = supervisor write, page not present
instruction pointer     = 0x8:0xc04dad19
stack pointer           = 0x10:0xe2495c6c
frame pointer           = 0x10:0xe2495c6c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 27 (swi5: clock sio)
Dumping 959 MB
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 256 272 288 304 320 336 3
52 368 384 400 416 432 448 464 480 496 512 528 544 560 576 592 608 624 640 656 6
72 688 704 720 736 752 768 784 800 816 832 848 864 880 896 912 928 944
---
#0  doadump () at pcpu.h:159
159     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc0464075 in db_fncall (dummy1=0, dummy2=0, dummy3=1999,
    dummy4=0xe2495a78 " \024uÀ\f")
    at /usr/src/FreeBSD-5/sys/ddb/db_command.c:531
#2  0xc0463df2 in db_command (last_cmdp=0xc0750b24, cmd_table=0x0,
    aux_cmd_tablep=0xc071cd24, aux_cmd_tablep_end=0xc071cd28)
    at /usr/src/FreeBSD-5/sys/ddb/db_command.c:349
#3  0xc0463efa in db_command_loop ()
    at /usr/src/FreeBSD-5/sys/ddb/db_command.c:455
#4  0xc0465f45 in db_trap (type=12, code=0)
    at /usr/src/FreeBSD-5/sys/ddb/db_main.c:221
#5  0xc0553297 in kdb_trap (type=0, code=0, tf=0xe2495c2c)
    at /usr/src/FreeBSD-5/sys/kern/subr_kdb.c:418
#6  0xc06d0d98 in trap_fatal (frame=0xe2495c2c, eva=0)
    at /usr/src/FreeBSD-5/sys/i386/i386/trap.c:804
#7  0xc06d0ac3 in trap_pfault (frame=0xe2495c2c, usermode=0, eva=0)
    at /usr/src/FreeBSD-5/sys/i386/i386/trap.c:727
#8  0xc06d064d in trap (frame=
      {tf_fs = 24, tf_es = 16, tf_ds = 16, tf_edi = -1034175360, tf_esi = 4, tf_
ebp = -498508692, tf_isp = -498508712, tf_ebx = -1034175360, tf_edx = 0, tf_ecx
= -1034175312, tf_eax = 0, tf_trapno = 12, tf_err = 2, tf_eip = -1068651239, tf_
cs = 8, tf_eflags = 66118, tf_esp = -498508648, tf_ss = -1068687391})
    at /usr/src/FreeBSD-5/sys/i386/i386/trap.c:417
#9  0xc04dad19 in usbd_setup_xfer (xfer=0x0, pipe=0x0, priv=0x0, buffer=0x0,
---Type <return> to continue, or q <return> to quit---
    length=0, flags=5, timeout=0, callback=0)
    at /usr/src/FreeBSD-5/sys/dev/usb/usbdi.c:430
#10 0xc04d1fe1 in ulpt_tick (xsc=0xc25bbc80)
    at /usr/src/FreeBSD-5/sys/dev/usb/ulpt.c:835
#11 0xc05456ce in softclock (dummy=0x0)
    at /usr/src/FreeBSD-5/sys/kern/kern_timeout.c:259
#12 0xc051d670 in ithread_loop (arg=0xc2559500)
    at /usr/src/FreeBSD-5/sys/kern/kern_intr.c:547
#13 0xc051c44f in fork_exit (callout=0xc051d4d0 <ithread_loop>, arg=0x0,
    frame=0x0) at /usr/src/FreeBSD-5/sys/kern/kern_fork.c:807
(kgdb) up 9
#9  0xc04dad19 in usbd_setup_xfer (xfer=0x0, pipe=0x0, priv=0x0, buffer=0x0,
    length=0, flags=5, timeout=0, callback=0)
    at /usr/src/FreeBSD-5/sys/dev/usb/usbdi.c:430
430             xfer->pipe = pipe;
(kgdb) print xfer
$1 = 0x0
(kgdb) up
#10 0xc04d1fe1 in ulpt_tick (xsc=0xc25bbc80)
    at /usr/src/FreeBSD-5/sys/dev/usb/ulpt.c:835
warning: Source file is more recent than executable.

835             if (sc->sc_in_xfer != NULL)
(kgdb) print xsc
$2 = (void *) 0xc25bbc80
(kgdb) print ((struct ulpt_softc *) xsc)->sc_in_xfer
$3 = 0x0
(kgdb) print ((struct ulpt_softc *) xsc)->sc_has_callout
$5 = 0


full dmesg:
Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 5.3-STABLE #10: Mon Feb 28 18:45:10 CET 2005
    root at endeavour.localnet.radiotube.org:/usr/obj/usr/src/FreeBSD-5/sys/ENDEAVO
UR
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD Athlon(tm) XP (2018.87-MHz 686-class CPU)
  Origin = "AuthenticAMD"  Id = 0x681  Stepping = 1
  Features=0x383fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CM
OV,PAT,PSE36,MMX,FXSR,SSE>
  AMD Features=0xc0400000<AMIE,DSP,3DNow!>
real memory  = 1006567424 (959 MB)
avail memory = 971202560 (926 MB)
ACPI: overriding DSDT/SSDT with custom table
    ACPI-0377: *** Info: Table [DSDT] replaced by host OS
acpi0: <Nvidia AWRDACPI> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_tz0: <Thermal Zone> on acpi0
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pci0: <memory, RAM> at device 0.1 (no driver attached)
pci0: <memory, RAM> at device 0.2 (no driver attached)
pci0: <memory, RAM> at device 0.3 (no driver attached)
pci0: <memory, RAM> at device 0.4 (no driver attached)
pci0: <memory, RAM> at device 0.5 (no driver attached)
isab0: <PCI-ISA bridge> at device 1.0 on pci0
isa0: <ISA bus> on isab0
pci0: <serial bus, SMBus> at device 1.1 (no driver attached)
ohci0: <OHCI (generic) USB controller> mem 0xef003000-0xef003fff irq 12 at devic
e 2.0 on pci0
ohci0: [GIANT-LOCKED]
usb0: OHCI version 1.0, legacy support
usb0: <OHCI (generic) USB controller> on ohci0
usb0: USB revision 1.0
uhub0: nVidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ums0: Logitech USB Receiver, rev 1.10/23.02, addr 2, iclass 3/1
ums0: 7 buttons and Z dir.
uhid0: THRUSTMASTER Top Gun Fox 2  Pro, rev 1.10/1.00, addr 3, iclass 3/0
ulpt0: Samsung Electronics Co., Ltd. Samsung ML-1710, rev 1.10/1.00, addr 4, icl
ass 7/1
ulpt0: using bi-directional mode
ohci1: <OHCI (generic) USB controller> mem 0xef004000-0xef004fff irq 5 at device
 2.1 on pci0
ohci1: [GIANT-LOCKED]
usb1: OHCI version 1.0, legacy support
usb1: <OHCI (generic) USB controller> on ohci1
usb1: USB revision 1.0
uhub1: nVidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
umass0: ICSI USB2.0 Card Reader, rev 2.00/1.6b, addr 2
xpt_release_device: xpt_release_target: .
done.
xpt_release_target: done.
pci0: <serial bus, USB> at device 2.2 (no driver attached)
pci0: <network, ethernet> at device 4.0 (no driver attached)
pcm0: <nVidia nForce2> port 0xd800-0xd87f,0xd400-0xd4ff mem 0xef001000-0xef001ff
f irq 5 at device 6.0 on pci0
pcm0: [GIANT-LOCKED]
pcm0: <Avance Logic ALC650 AC97 Codec>
pcib1: <ACPI PCI-PCI bridge> at device 8.0 on pci0
pci1: <ACPI PCI bus> on pcib1
rl0: <RealTek 8139 10/100BaseTX> port 0xc000-0xc0ff mem 0xee000000-0xee0000ff ir
q 5 at device 10.0 on pci1
miibus0: <MII bus> on rl0
rlphy0: <RealTek internal media interface> on miibus0
rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
rl0: Ethernet address: 00:0a:cd:05:58:21
atapci0: <nVidia nForce2 UDMA133 controller> port 0xf000-0xf00f,0x376,0x170-0x17
7,0x3f6,0x1f0-0x1f7 at device 9.0 on pci0
ata0: channel #0 on atapci0
ata1: channel #1 on atapci0
pcib2: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci2: <ACPI PCI bus> on pcib2
nvidia0: <GeForce4 MX Integrated GPU> mem 0xe8000000-0xe807ffff,0xe4000000-0xe7f
fffff,0xec000000-0xecffffff irq 12 at device 0.0 on pci2
nvidia0: [GIANT-LOCKED]
fdc0: <floppy drive controller> port 0x3f7,0x3f0-0x3f5 irq 6 drq 2 on acpi0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <Generic IRDA-compatible device> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
ppc0: <ECP parallel printer port> port 0x778-0x77b,0x378-0x37f irq 7 drq 3 on ac
pi0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/9 bytes threshold
ppbus0: <Parallel port bus> on ppc0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
atkbdc0: <Keyboard controller (i8042)> port 0x64,0x60 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
orm0: <ISA Option ROM> at iomem 0xc0000-0xcafff on isa0
pmtimer0 on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 2018871828 Hz quality 800
Timecounters tick every 10.000 msec
ad0: 152627MB <ST3160021A/3.06> [310101/16/63] at ata0-master UDMA100
acd0: CDROM <CD-ROM 56X/AKH/A8E> at ata1-master PIO4
acd1: CDRW <SONY CD-RW CRX225E/QYB2> at ata1-slave UDMA33
(da0:umass-sim0:0:0:0): READ CAPACITY. CDB: 25 0 0 0 0 0 0 0 0 0
(da0:umass-sim0:0:0:0): ILLEGAL REQUEST asc:25,0
(da0:umass-sim0:0:0:0): Logical unit not supported
(da0:umass-sim0:0:0:0): fatal error, failed to attach to device
(da0:umass-sim0:0:0:0): lost device
(da1:umass-sim0:0:0:1): READ CAPACITY. CDB: 25 20 0 0 0 0 0 0 0 0
(da1:umass-sim0:0:0:1): ILLEGAL REQUEST asc:25,0
(da1:umass-sim0:0:0:1): Logical unit not supported
(da1:umass-sim0:0:0:1): fatal error, failed to attach to device
(da1:umass-sim0:0:0:1): lost device
(da2:umass-sim0:0:0:2): READ CAPACITY. CDB: 25 40 0 0 0 0 0 0 0 0
(da2:umass-sim0:0:0:2): ILLEGAL REQUEST asc:25,0
(da2:umass-sim0:0:0:2): Logical unit not supported
(da2:umass-sim0:0:0:2): fatal error, failed to attach to device
(da2:umass-sim0:0:0:2): lost device
(da3:umass-sim0:0:0:3): READ CAPACITY. CDB: 25 60 0 0 0 0 0 0 0 0
(da3:umass-sim0:0:0:3): ILLEGAL REQUEST asc:25,0
(da3:umass-sim0:0:0:3): Logical unit not supported
(da3:umass-sim0:0:0:3): fatal error, failed to attach to device
(da3:umass-sim0:0:0:3): lost device
(da0:umass-sim0:0:0:0): READ CAPACITY. CDB: 25 0 0 0 0 0 0 0 0 0
(da0:umass-sim0:0:0:0): CAM Status: SCSI Status Error
(da0:umass-sim0:0:0:0): SCSI Status: Check Condition
(da0:umass-sim0:0:0:0): ILLEGAL REQUEST asc:25,0
(da0:umass-sim0:0:0:0): Logical unit not supported
(da0:umass-sim0:0:0:0): Unretryable error
Opened disk da0 -> 6
Mounting root from ufs:/dev/ad0s1a


>How-To-Repeat:
I have had some random panics with ulpt. It doesn't panic every time I print something, but at random fairly often.
>Fix:
I suggest something like this, which at least prevents a page fault (NULL-ptr):

Index: sys/dev/usb/ulpt.c
===================================================================
RCS file: /usr/ncvs/src/sys/dev/usb/ulpt.c,v
retrieving revision 1.65
diff -u -r1.65 ulpt.c
--- sys/dev/usb/ulpt.c  15 Aug 2004 23:39:18 -0000      1.65
+++ sys/dev/usb/ulpt.c  28 Feb 2005 18:24:08 -0000
@@ -832,10 +832,13 @@

        DPRINTFN(1,("ulpt_tick: start sc=%p\n", sc));

-       usbd_setup_xfer(sc->sc_in_xfer, sc->sc_in_pipe, sc, sc->sc_in_buf,
-                       ULPT_BSIZE, USBD_NO_COPY | USBD_SHORT_XFER_OK,
-                       ULPT_READ_TIMO, ulpt_read_cb);
-       err = usbd_transfer(sc->sc_in_xfer);
+       if (sc->sc_in_xfer != NULL) {
+               usbd_setup_xfer(sc->sc_in_xfer, sc->sc_in_pipe,
+                               sc, sc->sc_in_buf, ULPT_BSIZE,
+                               USBD_NO_COPY | USBD_SHORT_XFER_OK,
+                               ULPT_READ_TIMO, ulpt_read_cb);
+               err = usbd_transfer(sc->sc_in_xfer);
+       }
        DPRINTFN(1,("ulpt_tick: err=%d\n", err));
 }
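
Review bot: In ulpt_tick, the trailing DPRINTFN(1,("ulpt_tick: err=%d\n", err)) now sits outside the new if block, so when sc->sc_in_xfer is NULL it prints err without this hunk having assigned it. Unless err is initialized above the visible context, give it a defined value before the check or move the debug print inside the block. Separately, the NULL test only masks the condition the backtrace shows (softclock still calling ulpt_tick after sc_in_xfer has become 0x0). The tick is still being delivered after the transfer was torn down, and nothing in this hunk stops it. It would be better to stop the callout in the path that releases sc_in_xfer, before the pointer is cleared, and keep this check as a second line of defence. A short comment on the if explaining why sc_in_xfer can be NULL here would also help the next reader.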

>Release-Note:
>Audit-Trail:
>Unformatted:

