usb/130736: Page fault unplugging USB stick

Theo van Klaveren theo.van.klaveren at ats-global.com
Mon Jan 19 04:20:02 PST 2009 

>Number:         130736
>Category:       usb
>Synopsis:       Page fault unplugging USB stick
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-usb
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 19 12:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Theo van Klaveren
>Release:        7.1-RELEASE
>Organization:
ATS Applied Tech Systems BV
>Environment:
FreeBSD beheerbox.beheerbox.org 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Jan  1 14:37:25 UTC 2009     root at logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
Unplugging any USB mass storage device while it is being initialized leads to a kernel page fault. This is 100% reproducible and as the machine is being used by many people, it panics often because of this bug. 

The relevant bits from dmesg:

usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: <Intel 82801DB/L/M (ICH4) USB 2.0 controller> on ehci0
usb3: USB revision 2.0
uhub3: <Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1> on usb3
uhub3: 6 ports with 6 removable, self powered

This is the device (but any USB mass storage device will work):

umass0: <P Technology USB Mass Storage Device, class 0/0, rev 2.00/1.00, addr 2> on uhub3
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <UT163 USB Flash Disk 0.00> Removable Direct Access SCSI-2 device
da0: 40.000MB/s transfers
da0: 480MB (983040 512 byte sectors: 64H 32S/T 480C)

The following crash log information is typed in by hand, so please excuse any errors:

umass0: BBB reset failed, IOERROR
umass0: at uhub3 port 6 (addr 2) disconnected
(da0: umass-sim0:0:0:0): lost device

Fatal trap 12: page fault while in kernel mode
cpuid=0; apic id=00

fault virtual address     = 0x0
fault code                = supervisor write, page not present
instruction pointer       = 0x20: 0xc046ae6b
stack pointer             = 0x28: 0xe3f87b0c
frame pointer             = 0x28: 0xe3f87b28
code segment              = base 0x0, limit 0xffffff, type 0x1b
                          = DPL 0, pres 0, def32 1, gran 1
processor eflags          = int enabled, resume, IOPL=0
current process           = 2 (g_event)
trap number               = 12

panic: page fault
cpuid=0

The instruction pointer points to the xpt_done() function. From disassembly, it looks like the crash is around here (from http://svn.freebsd.org/viewvc/base/release/7.1.0/sys/cam/cam_xpt.c?revision=186660&view=markup):

		switch (done_ccb->ccb_h.path->periph->type) {
		case CAM_PERIPH_BIO:
			TAILQ_INSERT_TAIL(&sim->sim_doneq, &done_ccb->ccb_h,
					  sim_links.tqe);
			done_ccb->ccb_h.pinfo.index = CAM_DONEQ_INDEX;

If more information is required, please let me know. I'm not familiar enough with this code to really dive in. I have one or two vmcores lying around which I could send to anyone investigating this issue.

>How-To-Repeat:

 - Insert USB mass storage device (a memory stick will do).
 - Remove it during initialisation (within two seconds or so).
 - Page fault.

>Fix:
 
 - Educate users (right...)


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-usb mailing list