usb/113964: [patch] ucom(4): kernel panic when dropping a connection

Kazuaki ODA kazuaki at aliceblue.jp
Sat Jun 23 11:50:04 UTC 2007


>Number:         113964
>Category:       usb
>Synopsis:       [patch] ucom(4): kernel panic when dropping a connection
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-usb
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 23 11:50:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Kazuaki ODA
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD eyes.aliceblue.jp 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Sat Jun 23 17:59:18 JST 2007 kazuaki at eyes.aliceblue.jp:/usr/obj/usr/src/sys/EYES i386


>Description:
	# kgdb kernel.debug /var/crash/vmcore.0
	[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
	GNU gdb 6.1.1 [FreeBSD]
	Copyright 2004 Free Software Foundation, Inc.
	GDB is free software, covered by the GNU General Public License, and you are
	welcome to change it and/or distribute copies of it under certain conditions.
	Type "show copying" to see the conditions.
	There is absolutely no warranty for GDB.  Type "show warranty" for details.
	This GDB was configured as "i386-marcel-freebsd".
	
	Unread portion of the kernel message buffer:
	
	
	Fatal trap 12: page fault while in kernel mode
	cpuid = 1; apic id = 01
	fault virtual address   = 0x0
	fault code              = supervisor write, page not present
	instruction pointer     = 0x20:0xc06cabf9
	stack pointer           = 0x28:0xe671c970
	frame pointer           = 0x28:0xe671c970
	code segment            = base 0x0, limit 0xfffff, type 0x1b
	                        = DPL 0, pres 1, def32 1, gran 1
	processor eflags        = interrupt enabled, resume, IOPL = 0
	current process         = 858 (cu)
	trap number             = 12
	panic: page fault
	cpuid = 1
	Uptime: 2m58s
	Physical memory: 1001 MB
	Dumping 55 MB: 40 24 8
	
	#0  doadump () at pcpu.h:195
	195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
	(kgdb) bt
	#0  doadump () at pcpu.h:195
	#1  0xc074b6d7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
	#2  0xc074b999 in panic (fmt=Variable "fmt" is not available.
	) at /usr/src/sys/kern/kern_shutdown.c:563
	#3  0xc0a0411e in trap_fatal (frame=0xe671c930, eva=0)
	    at /usr/src/sys/i386/i386/trap.c:870
	#4  0xc0a043a0 in trap_pfault (frame=0xe671c930, usermode=0, eva=0)
	    at /usr/src/sys/i386/i386/trap.c:784
	#5  0xc0a04d02 in trap (frame=0xe671c930) at /usr/src/sys/i386/i386/trap.c:462
	#6  0xc09eacab in calltrap () at /usr/src/sys/i386/i386/exception.s:139
	#7  0xc06cabf9 in usbd_setup_xfer (xfer=0x0, pipe=0x0, priv=0xc4618600,
	    buffer=0xc45f9d00, length=1, flags=1, timeout=0, callback=0xc0d9f860)
	    at /usr/src/sys/dev/usb/usbdi.c:545
	#8  0xc0d9f45d in ?? ()
	#9  0x00000000 in ?? ()
	#10 0x00000000 in ?? ()
	#11 0xc4618600 in ?? ()
	#12 0xc45f9d00 in ?? ()
	#13 0x00000001 in ?? ()
	#14 0x00000001 in ?? ()
	#15 0x00000000 in ?? ()
	#16 0xc0d9f860 in ?? ()
	#17 0x00000001 in ?? ()
	#18 0xc4098800 in ?? ()
	#19 0x00000003 in ?? ()
	#20 0xe671c9b0 in ?? ()
	#21 0xc078c9b8 in ttstart (tp=0xc4098800) at tty.h:393
	Previous frame identical to this frame (corrupt stack?)
	(kgdb) frame 7
	#7  0xc06cabf9 in usbd_setup_xfer (xfer=0x0, pipe=0x0, priv=0xc4618600,
	    buffer=0xc45f9d00, length=1, flags=1, timeout=0, callback=0xc0d9f860)
	    at /usr/src/sys/dev/usb/usbdi.c:545
	545             xfer->pipe = pipe;
	(kgdb) p xfer
	$1 = 0x0
	(kgdb) quit
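	An added triage helper, not part of this PR and not FreeBSD's own tooling, that parses the "Fatal trap" block and the kgdb backtrace above: it pulls out the fault kind (a write to address 0x0 is a NULL pointer write), the first frame past the trap machinery (usbd_setup_xfer at usbdi.c:545), which of that frame's arguments were NULL (xfer and pipe), and the named callers above it (ttstart), while counting the "??" frames kgdb could not resolve. The transcript embedded in it is a constructed, abridged copy of the one in this report; the frame-line and "key = value" formats it assumes are the ones shown above.

```python
"""Triage a FreeBSD 'Fatal trap' block plus a kgdb `bt` listing.
Added example, not part of this PR and not FreeBSD's own tooling. SAMPLE is a
constructed, abridged copy of the transcript above (several frames cut)."""
import re

PANIC_PATH = {"doadump", "boot", "panic", "trap_fatal", "trap_pfault", "trap",
              "calltrap"}       # dump/panic/trap machinery, not the bug itself
NULL_PAGE = 0x1000              # a fault inside page zero is a NULL dereference
TRAP_RE = re.compile(r"^Fatal trap (\d+): (.+?) while in (\w+) mode", re.M)
KV_RE = re.compile(r"^([a-z ]+?)\s*=\s*(.+)$", re.M)
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?([\w?]+)\s*"
                      r"\(([^)]*)\)(?:\s+at\s+(\S+):(\d+))?")


def parse_trap(text):
    """Return trap number, description, CPU mode and the 'key = value' dump."""
    head = text.split("(kgdb)", 1)[0]             # stop before the gdb session
    m = TRAP_RE.search(head)
    if not m:
        return None
    # continuation lines such as '   = DPL 0, ...' have an empty key: skip them
    fields = {k.strip(): v.strip() for k, v in KV_RE.findall(head) if k.strip()}
    return {"trap": int(m.group(1)), "desc": m.group(2), "mode": m.group(3),
            "fields": fields}


def parse_backtrace(text):
    """Parse the frames printed by `(kgdb) bt`, rejoining wrapped lines."""
    in_bt, joined = False, []
    for line in text.splitlines():
        if line.startswith("(kgdb)"):
            in_bt = line.strip() == "(kgdb) bt"    # only the bt output counts
        elif in_bt and line.strip() and not line.startswith("Previous frame"):
            if line.startswith("#"):
                joined.append(line.rstrip())
            elif joined:                            # wrapped args / 'at file:line'
                joined[-1] += " " + line.strip()
    frames = []
    for line in joined:
        m = FRAME_RE.match(line)
        if m:
            args = dict(a.split("=", 1) for a in m.group(3).split(",") if "=" in a)
            frames.append({"num": int(m.group(1)), "func": m.group(2),
                           "args": {k.strip(): v.strip() for k, v in args.items()},
                           "file": m.group(4),
                           "line": int(m.group(5)) if m.group(5) else None})
    return frames


def triage(text):
    """Summarise the crash: access kind, faulting frame, NULL args, callers."""
    trap, frames = parse_trap(text), parse_backtrace(text)
    fva = int(trap["fields"].get("fault virtual address", "0x0"), 16)
    access = "write" if "write" in trap["fields"].get("fault code", "") else "read"
    kind = ("NULL-pointer %s" % access if fva < NULL_PAGE
            else "%s to unmapped address 0x%x" % (access, fva))
    # the first frame past the trap machinery is where the bad access happened
    idx = next((i for i, f in enumerate(frames) if f["func"] not in PANIC_PATH), None)
    culprit = frames[idx] if idx is not None else None
    above = frames[idx + 1:] if culprit else []     # '??' = no symbol for address
    return {"trap": trap["trap"], "desc": trap["desc"], "mode": trap["mode"],
            "process": trap["fields"].get("current process"), "kind": kind,
            "culprit": culprit,
            "null_args": [k for k, v in culprit["args"].items() if v == "0x0"]
            if culprit else [],
            "named_callers": [f["func"] for f in above if f["func"] != "??"],
            "unresolved_frames": sum(f["func"] == "??" for f in frames)}


SAMPLE = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x0
fault code              = supervisor write, page not present
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
current process         = 858 (cu)
panic: page fault

#0  doadump () at pcpu.h:195
(kgdb) bt
#0  doadump () at pcpu.h:195
#1  0xc074b6d7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc074b999 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:563
#6  0xc09eacab in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc06cabf9 in usbd_setup_xfer (xfer=0x0, pipe=0x0, priv=0xc4618600,
    buffer=0xc45f9d00, length=1, flags=1, timeout=0, callback=0xc0d9f860)
    at /usr/src/sys/dev/usb/usbdi.c:545
#8  0xc0d9f45d in ?? ()
#21 0xc078c9b8 in ttstart (tp=0xc4098800) at tty.h:393
Previous frame identical to this frame (corrupt stack?)
(kgdb) quit
"""

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(r["kind"], "in", r["culprit"]["func"], "at", r["culprit"]["file"],
          r["culprit"]["line"], "NULL args:", r["null_args"], "process:", r["process"])
```

	Run it as a script, or call triage() on a transcript saved from kgdb. Only the frames between "(kgdb) bt" and the next prompt are parsed, so the "#0" line kgdb prints on attach and any later "frame N" output are not counted twice. The "??" count is worth reporting: a stretch of unresolved frames between a kernel function and its named caller, as in this report, suggests the frames in between belong to code kgdb had no symbols for.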
>How-To-Repeat:
	1) Log in to the serial console of a remote machine via a USB-serial converter.
	   For example:
	   # cu -l /dev/cuaU0 -s 115200

	2) Run the following command on the remote machine.
	   # sh -c "while true; do echo 'Hello, world!'; done"

	3) Type ~. to drop the connection while the above command is running.
	   The kernel will then panic.
>Fix:

	I don't know the proper fix, but the following patch is a workaround for
	me.

--- ucom.c.patch begins here ---
--- sys/dev/usb/ucom.c.orig	2007-06-22 23:45:37.000000000 +0900
+++ sys/dev/usb/ucom.c	2007-06-23 17:47:18.000000000 +0900
@@ -532,6 +532,9 @@
 	if (sc->sc_dying)
 		return;
 
+	if (sc->sc_oxfer == NULL)
+		return;
+
 	s = spltty();
 
 	if (tp->t_state & TS_TBLOCK) {
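Review bot: the added `sc_oxfer == NULL` test sits before `s = spltty();`, so it is not serialized against whatever path frees the output transfer and clears the pointer; the transfer can still be released between this test and the `usbd_setup_xfer` call that the backtrace shows faulting with xfer=0x0. Move the test below `s = spltty();` and `splx(s)` before the early return, leaving the existing `sc_dying` check where it is. That the `sc_dying` check did not catch this case suggests the transfer is freed on a path that never sets `sc_dying` (the connection drop from cu, not a device detach), which is why the patch, as the submitter says, only masks the symptom: the start routine this hunk patches is still being entered from ttstart after the transfer is gone, and the proper fix is to stop or drain the tty before the transfers are freed rather than to tolerate the stale call.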
--- ucom.c.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:

