kern/111753: Replicable system panic involving UHID driver

Jamie Jones jamie at bishopston.net
Tue Apr 17 05:50:02 UTC 2007


>Number:         111753
>Category:       kern
>Synopsis:       Replicable system panic involving UHID driver
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 17 05:50:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Jamie Jones
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD thompson.bishopston.net 6.2-STABLE FreeBSD 6.2-STABLE #0: Fri Apr 13 13:45:47 BST 2007 root at thompson.bishopston.net:/usr/obj/usr/src/sys/THOMPSON i386


	
>Description:

I have found a replicable kernel panic with FreeBSD 6-STABLE whenever anything that uses sdl_mixer runs, and
something is plugged into the usb port with the UHID driver.

This has been around for most (all?) of 6.X but I've only just managed to isolate the cause somewhat.

Basically, I have a Samsung monitor which has a USB lead for controlling its settings:

uhid0: Samsung Electronics Sam Sung Electronics, rev 1.10/2.00, addr 2, iclass 3/0

If I DISCONNECT this lead, the panic doesn't occur.

I see little point in the lead in the first place - not only do I not have a working driver for this
controller, all the settings are on the front of the screen control anyway!

So... I now leave the lead disconnected, so problem gone. However, in the true spirit of trying to get
all bugs fixed, rather than sweeping them under the carpet, I include the kernel panic dump, and backtrace,
and other information, as the simple fact I (as a non-root user) am able to panic the machine is obviously
not correct :-)

This isn't therefore a high priority from my point of view, but thought you'd want this information.

Anything else I can provide, please let me know!

Cheers, Jamie

6:06 (51) "tmp" jamie at thompson% uname -a
FreeBSD thompson.bishopston.net 6.2-STABLE FreeBSD 6.2-STABLE #0: Fri Apr 13 13:45:47 BST 2007     root at thompson.bishopston.net:/usr/obj/usr/src/sys/THOMPSON  i386

6:06 (52) "tmp" jamie at thompson% pciconf -vl
agp0 at pci0:0:0:  class=0x060000 card=0x08240000 chip=0x30991106 rev=0x00 hdr=0x00
    vendor     = 'VIA Technologies Inc'
    device     = 'VT8366/A,VT8367 Apollo KT266/A,KT333 CPU to PCI Bridge'
    class      = bridge
    subclass   = HOST-PCI
pcib1 at pci0:1:0: class=0x060400 card=0x00000000 chip=0xb0991106 rev=0x00 hdr=0x01
    vendor     = 'VIA Technologies Inc'
    device     = 'VT8366/A,VT8367 Apollo KT266/A,KT333 PCI to AGP Bridge'
    class      = bridge
    subclass   = PCI-PCI
rl0 at pci0:8:0:   class=0x020000 card=0x813910ec chip=0x813910ec rev=0x10 hdr=0x00
    vendor     = 'Realtek Semiconductor'
    device     = 'RT8139 (A/B/C/810x/813x/C+) Fast Ethernet Adapter'
    class      = network
    subclass   = ethernet
pcm0 at pci0:9:0:  class=0x040100 card=0x00211102 chip=0x00021102 rev=0x04 hdr=0x00
    vendor     = 'Creative Labs'
    device     = 'EMU10000 Sound Blaster Live! (Also Live! 5.1) - OEM from DELL - CT4780'
    class      = multimedia
    subclass   = audio
emujoy0 at pci0:9:1:       class=0x098000 card=0x00201102 chip=0x70021102 rev=0x01 hdr=0x00
    vendor     = 'Creative Labs'
    device     = 'EMU10000 Game Port'
    class      = input device
viapropm0 at pci0:17:0:    class=0x060100 card=0x31471106 chip=0x31471106 rev=0x00 hdr=0x00
    vendor     = 'VIA Technologies Inc'
    device     = 'VT8233A PCI to ISA Bridge'
    class      = bridge
    subclass   = PCI-ISA
atapci0 at pci0:17:1:      class=0x01018a card=0x05711106 chip=0x05711106 rev=0x06 hdr=0x00
    vendor     = 'VIA Technologies Inc'
    device     = 'VT82xxxx EIDE Controller (All VIA Chipsets)'
    class      = mass storage
    subclass   = ATA
uhci0 at pci0:17:2:        class=0x0c0300 card=0x12340925 chip=0x30381106 rev=0x23 hdr=0x00
    vendor     = 'VIA Technologies Inc'
    device     = 'VT82xxxxx UHCI USB 1.1 Controller (All VIA Chipsets)'
    class      = serial bus
    subclass   = USB
uhci1 at pci0:17:3:        class=0x0c0300 card=0x12340925 chip=0x30381106 rev=0x23 hdr=0x00
    vendor     = 'VIA Technologies Inc'
    device     = 'VT82xxxxx UHCI USB 1.1 Controller (All VIA Chipsets)'
    class      = serial bus
    subclass   = USB
nvidia0 at pci1:0:0:       class=0x030000 card=0x20341682 chip=0x032610de rev=0xa1 hdr=0x00
    vendor     = 'NVIDIA Corporation'
    device     = 'GeForce FX 5500 [NV34.6]'
    class      = display
    subclass   = VGA

6:06 (53) "tmp" jamie at thompson% cat /var/run/dmesg.boot
Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 6.2-STABLE #0: Fri Apr 13 13:45:47 BST 2007
    root at thompson.bishopston.net:/usr/obj/usr/src/sys/THOMPSON
mptable_probe: MP Config Table has bad signature: \^H\M^?\M^?\^A
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD Athlon(tm) XP 2100+ (1734.11-MHz 686-class CPU)
  Origin = "AuthenticAMD"  Id = 0x662  Stepping = 2
  Features=0x383fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
  AMD Features=0xc0400800<SYSCALL,MMX+,3DNow+,3DNow>
real memory  = 1073676288 (1023 MB)
avail memory = 1033318400 (985 MB)
netsmb_dev: loaded
acpi0: <VIA694 AWRDACPI> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_throttle0: <ACPI CPU Throttling> on cpu0
acpi_button0: <Power Button> on acpi0
acpi_button1: <Sleep Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff,0x4000-0x407f,0x4080-0x40ff,0x5000-0x500f on acpi0
pci0: <ACPI PCI bus> on pcib0
agp0: <VIA 8367 (KT266/KY266x/KT333) host to PCI bridge> mem 0xe0000000-0xe7ffffff at device 0.0 on pci0
pcib1: <PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
nvidia0: <GeForce FX 5500> mem 0xe8000000-0xe8ffffff,0xd0000000-0xdfffffff irq 11 at device 0.0 on pci1
nvidia0: [GIANT-LOCKED]
rl0: <RealTek 8139 10/100BaseTX> port 0xd000-0xd0ff mem 0xea000000-0xea0000ff irq 10 at device 8.0 on pci0
miibus0: <MII bus> on rl0
rlphy0: <RealTek internal media interface> on miibus0
rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
rl0: Ethernet address: 00:c0:df:13:2a:df
pcm0: <Creative EMU10K1> port 0xd400-0xd41f irq 5 at device 9.0 on pci0
pcm0: <TriTech TR28023 AC97 Codec>
viapropm0: SMBus I/O base at 0x5000
viapropm0: SMBus I/O base at 0x5000
viapropm0: <VIA VT8233 Power Management Unit> port 0x5000-0x500f at device 17.0 on pci0
viapropm0: SMBus revision code 0x0
smbus0: <System Management Bus> on viapropm0
smb0: <SMBus generic I/O> on smbus0
isa0: <ISA bus> on viapropm0
atapci0: <VIA 8233A UDMA133 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xdc00-0xdc0f at device 17.1 on pci0
ata0: <ATA channel 0> on atapci0
ata1: <ATA channel 1> on atapci0
uhci0: <VIA 83C572 USB controller> port 0xe000-0xe01f irq 10 at device 17.2 on pci0
uhci0: [GIANT-LOCKED]
usb0: <VIA 83C572 USB controller> on uhci0
usb0: USB revision 1.0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: <VIA 83C572 USB controller> port 0xe400-0xe41f irq 10 at device 17.3 on pci0
uhci1: [GIANT-LOCKED]
usb1: <VIA 83C572 USB controller> on uhci1
usb1: USB revision 1.0
uhub1: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
acpi_tz0: <Thermal Zone> on acpi0
speaker0: <PC speaker> port 0x61 on acpi0
fdc0: <floppy drive controller> port 0x3f2-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
ppc0: <ECP parallel printer port> port 0x378-0x37f,0x778-0x77b irq 7 drq 3 on acpi0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/16 bytes threshold
ppbus0: <Parallel port bus> on ppc0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
psm0: <PS/2 Mouse> flags 0x44 irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: model IntelliMouse, device ID 3
pmtimer0 on isa0
orm0: <ISA Option ROM> at iomem 0xc0000-0xcf7ff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
uhid0: Samsung Electronics Sam Sung Electronics, rev 1.10/2.00, addr 2, iclass 3/0
ucom0: Prolific Technology Inc. USB-Serial Controller C, rev 1.10/4.00, addr 2
Timecounter "TSC" frequency 1734105104 Hz quality 800
Timecounters tick every 1.000 msec
ad0: 305245MB <WDC WD3200JB-00KFA0 08.05J08> at ata0-master UDMA100
ad1: 286168MB <WDC WD3000JB-00KFA0 08.05J08> at ata0-slave UDMA100
ad2: 305245MB <WDC WD3200JB-00KFA0 08.05J08> at ata1-master UDMA100
acd0: DVDR <HL-DT-ST DVDRAM GSA-4163B/A104> at ata1-slave UDMA33
GEOM_MIRROR: Device gm0s1 created (id=3761227597).
GEOM_MIRROR: Device gm0s1: provider ad0s3 detected.
GEOM_MIRROR: Device gm1s1 created (id=2286332101).
GEOM_MIRROR: Device gm1s1: provider ad0s4 detected.
GEOM_MIRROR: Device gm1s1: provider ad1s1 detected.
GEOM_MIRROR: Device gm1s1: provider ad1s1 activated.
GEOM_MIRROR: Device gm1s1: provider ad0s4 activated.
GEOM_MIRROR: Device gm1s1: provider mirror/gm1s1 launched.
GEOM_MIRROR: Device gm2s1 created (id=1544363515).
GEOM_MIRROR: Device gm2s1: provider ad1s2 detected.
GEOM_MIRROR: Device gm0s1: provider ad2s3 detected.
GEOM_MIRROR: Device gm0s1: provider ad2s3 activated.
GEOM_MIRROR: Device gm0s1: provider ad0s3 activated.
GEOM_MIRROR: Device gm0s1: provider mirror/gm0s1 launched.
GEOM_MIRROR: Device gm2s1: provider ad2s4 detected.
GEOM_MIRROR: Device gm2s1: provider ad2s4 activated.
GEOM_MIRROR: Device gm2s1: provider ad1s2 activated.
GEOM_MIRROR: Device gm2s1: provider mirror/gm2s1 launched.
Trying to mount root from ufs:/dev/mirror/gm0s1a
WARNING: / was not properly dismounted
acd0: FAILURE - INQUIRY ILLEGAL REQUEST asc=0x24 ascq=0x00 sks=0x40 0x00 0x01
cd0 at ata1 bus 0 target 1 lun 0
cd0: <HL-DT-ST DVDRAM GSA-4163B A104> Removable CD-ROM SCSI-0 device 
cd0: 33.000MB/s transfers
cd0: cd present [36235 x 2048 byte records]
bridge0: Ethernet address: 76:20:7e:95:84:02

6:06 (54) "tmp" jamie at thompson% usbdevs -l
Controller /dev/usb0:
addr 1: full speed, self powered, config 1, UHCI root hub(0x0000), VIA(0x0000), rev 1.00
 port 1 powered
 port 2 addr 2: low speed, self powered, config 1, Sam Sung Electronics(0x8002), Samsung Electronics(0x0419), rev 2.00
Controller /dev/usb1:
addr 1: full speed, self powered, config 1, UHCI root hub(0x0000), VIA(0x0000), rev 1.00
 port 1 powered
 port 2 addr 2: full speed, power 100 mA, config 1, USB-Serial Controller C(0x2303), Prolific Technology Inc.(0x067b), rev 4.00

"THOMPSON" root at thompson# kgdb kernel.debug /var/crash/vmcore.0
kgdb: kvm_nlist(_stopped_cpus): 
kgdb: kvm_nlist(_stoppcbs): 
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x4
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc04aca9e
stack pointer           = 0x28:0xe686f8d4
frame pointer           = 0x28:0xe686f90c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1452 (tuxracer)
trap number             = 12
panic: page fault
Uptime: 1m24s
Dumping 1023 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 1023MB (261872 pages) 1007 991 975 959 943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) list *0xc04aca9e
0xc04aca9e is in uhci_device_intr_start (/usr/src/sys/dev/usb/uhci.c:2129).
2124            err = uhci_alloc_std_chain(upipe, sc, xfer->length, isread,
2125                                       xfer->flags, &xfer->dmabuf, &data,
2126                                       &dataend);
2127            if (err)
2128                    return (err);
2129            dataend->td.td_status |= htole32(UHCI_TD_IOC);
2130    
2131    #ifdef USB_DEBUG
2132            if (uhcidebug > 10) {
2133                    DPRINTF(("uhci_device_intr_transfer: data(1)\n"));
(kgdb) backtrace
#0  doadump () at pcpu.h:165
#1  0xc05399c4 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc0539cf6 in panic (fmt=0xc0738c69 "%s") at /usr/src/sys/kern/kern_shutdown.c:565
#3  0xc070f34c in trap_fatal (frame=0xe686f894, eva=0) at /usr/src/sys/i386/i386/trap.c:837
#4  0xc070f052 in trap_pfault (frame=0xe686f894, usermode=0, eva=4) at /usr/src/sys/i386/i386/trap.c:745
#5  0xc070ec1d in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -985657856, tf_esi = -985657744, tf_ebp = -427362036, tf_isp = -427362112, tf_ebx = -977865856, tf_edx = 0, tf_ecx = -977865856, tf_eax = 0, tf_trapno = 12, tf_err = 2, tf_eip = -1068840290, tf_cs = 32, tf_eflags = 66118, tf_esp = -977865856, tf_ss = -985714688}) at /usr/src/sys/i386/i386/trap.c:435
#6  0xc06fa2ea in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc04aca9e in uhci_device_intr_start (xfer=0xc5400e00) at /usr/src/sys/dev/usb/uhci.c:2129
#8  0xc04aca15 in uhci_device_intr_transfer (xfer=0xc5400e00) at /usr/src/sys/dev/usb/uhci.c:2091
#9  0xc04b90e1 in usbd_transfer (xfer=0xc5400e00) at /usr/src/sys/dev/usb/usbdi.c:322
#10 0xc04b8f3c in usbd_open_pipe_intr (iface=0xc5400e00, address=129 '\201', flags=4 '\004', pipe=0x0, priv=0x0, buffer=0x0, len=0, cb=0, ival=0) at /usr/src/sys/dev/usb/usbdi.c:244
#11 0xc04afacf in uhidopen (dev=0x0, flag=1, mode=8192, p=0xc6045300) at /usr/src/sys/dev/usb/uhid.c:461
#12 0xc0506401 in giant_open (dev=0xc542fc00, oflags=0, devtype=0, td=0x0) at /usr/src/sys/kern/kern_conf.c:260
#13 0xc04be832 in devfs_open (ap=0xe686fa50) at /usr/src/sys/fs/devfs/devfs_vnops.c:772
#14 0xc0726043 in VOP_OPEN_APV (vop=0x0, a=0x0) at vnode_if.c:372
#15 0xc05b429d in vn_open_cred (ndp=0xe686fbc0, flagp=0xe686fcc0, cmode=0, cred=0xc5d9d380, fdidx=11) at vnode_if.h:198
#16 0xc05b3df3 in vn_open (ndp=0xc5b6f380, flagp=0x0, cmode=0, fdidx=0) at /usr/src/sys/kern/vfs_vnops.c:91
#17 0xc05aaf58 in kern_open (td=0xc6045300, path=0x0, pathseg=UIO_USERSPACE, flags=1, mode=0) at /usr/src/sys/kern/vfs_syscalls.c:1007
#18 0xc05aae56 in open (td=0x0, uap=0xe686fd04) at /usr/src/sys/kern/vfs_syscalls.c:971
#19 0xc070f722 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 137068544, tf_esi = 0, tf_ebp = -1077943288, tf_isp = -427360924, tf_ebx = 1213965492, tf_edx = 0, tf_ecx = 0, tf_eax = 5, tf_trapno = 22, tf_err = 2, tf_eip = 1214787399, tf_cs = 51, tf_eflags = 582, tf_esp = -1077943316, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:983
#20 0xc06fa33f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#21 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) quit

>How-To-Repeat:
Make sure UHID is in the kernel, and a usb device that operates under uhid is installed (well, if
not ALL uhid devices, at least:

uhid0: Samsung Electronics Sam Sung Electronics, rev 1.10/2.00, addr 2, iclass 3/0

>Fix:

	



>Release-Note:
>Audit-Trail:
>Unformatted:

