panic in usb_transfer_complete in vmware

Sascha Wildner saw at online.de
Thu Jun 29 15:21:04 PDT 2006


Matthew Dillon wrote:
:...
:> just tried booting 1.4 (snapshot) in vmware.  it works normally, but if I 
:> have my usb stick passed through to dragonfly, it panics like below (I 
:> think that's the same panic sascha is seeing).
:> 
:> A little bit playing with ddb showed that pipe->queue is empty.
:
:Dump is in ~swildner/crash on leaf.
:
:Sascha

    There is some sort of recursion happening but I'm not sure whether
    the recursion is valid or whether it is itself a bug.  The crash is
    occurring while usb_transfer_complete() is operating on the wrong 'xfer'
    structure.

    I'm going to make a semi-wild guess.  Look at the LIST_FOREACH() on
    line 1274 in /usr/src/sys/bus/usb/uhci.c ... I think the 'ii' structure
    could be getting ripped out from under the list scanner.

    I've included a bad hack for you to try to see if it solves the problem.

Unfortunately, it doesn't. I still get the same or a similar panic upon 
shutdown. Backtrace attached, see ~swildner/crash/usb_patched.tbz on 
leaf for a new dump.

Sascha

Unread portion of the kernel message buffer:
<118>Terminated
<118>.
<118>Jun 29 23:58:43 <syslog.err> mob syslogd: exiting on signal 15
Waiting (max 60 seconds) for system thread vnlru to stop...stopped
Waiting (max 60 seconds) for system thread bufdaemon to stop...stopped
Waiting (max 60 seconds) for system thread syncer to stop...stopped
syncing disks... 6
done
Uptime: 59s
kthread 0xc4324500 cbb0 has exited
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x4c
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc044e08b
stack pointer           = 0x10:0xc4327254
frame pointer           = 0x10:0xc4327274
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1 (init)
current thread          = pri 63 (CRIT)
dumping to dev #ad/0x20001, offset 4063232
dump ata0: resetting devices .. done
64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 
40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 
16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1

GNU gdb 6.2.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-dragonfly".
(kgdb) bt
#0  dumpsys () at thread.h:83
#1  0xc0163dc5 in db_fncall (dummy1=4736, dummy2=0, dummy3=-1003327352, 
dummy4=0xc4327084 "\277\022") at /usr/src/sys/ddb/db_command.c:541
#2  0xc0163b7f in db_command (last_cmdp=0xc05c8350, cmd_table=0x0, 
aux_cmd_tablep=0xc056bfe0, aux_cmd_tablep_end=0xc056bff8)
    at /usr/src/sys/ddb/db_command.c:343
#3  0xc0163c5f in db_command_loop () at /usr/src/sys/ddb/db_command.c:469
#4  0xc01667dc in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_trap.c:71
#5  0xc04b17f8 in kdb_trap (type=12, code=0, regs=0xc4327214) at 
/usr/src/sys/i386/i386/db_interface.c:150
#6  0xc04c5ea2 in trap_fatal (frame=0xc4327214, eva=0) at 
/usr/src/sys/i386/i386/trap.c:1178
#7  0xc04c5b71 in trap_pfault (frame=0xc4327214, usermode=0, eva=76) at 
/usr/src/sys/i386/i386/trap.c:1083
#8  0xc04c57bf in trap (frame=
      {tf_fs = -1003356136, tf_es = -1069285360, tf_ds = -964820976, 
tf_edi = 0, tf_esi = -1062086208, tf_ebp = -1003326860, tf_isp = 
-1003326912, tf_ebx = -1061964144, tf_edx = 0, tf_ecx = 0, tf_eax = 0, 
tf_trapno = 12, tf_err = 0, tf_eip = -1069227893, tf_cs = 8, tf_eflags = 
66118, tf_esp = -964514304, tf_ss = -1003324796}) at 
/usr/src/sys/i386/i386/trap.c:654
#9  0xc04b2acf in calltrap () at /usr/src/sys/i386/i386/exception.s:774
#10 0xc044e08b in usb_transfer_complete (xfer=0xc0b3b690) at 
/usr/src/sys/bus/usb/usbdi.c:812
#11 0xc044464e in uhci_idone (ii=0x0) at /usr/src/sys/bus/usb/uhci.c:1480
#12 0xc0444530 in uhci_check_intr (sc=0xc67eb4b8, ii=0xc0b3b700) at 
/usr/src/sys/bus/usb/uhci.c:1355
#13 0xc044448a in uhci_softintr (v=0xc67eb4b8) at 
/usr/src/sys/bus/usb/uhci.c:1282
#14 0xc044d5c8 in usb_schedsoftintr (bus=0x0) at 
/usr/src/sys/bus/usb/usb.c:837
#15 0xc0444448 in uhci_intr1 (sc=0xc67eb4b8) at 
/usr/src/sys/bus/usb/uhci.c:1246
#16 0xc0444767 in uhci_waitintr (sc=0xc67eb4b8, xfer=0xc0b3b7d0) at 
/usr/src/sys/bus/usb/uhci.c:1538
#17 0xc0444ed4 in uhci_device_bulk_start (xfer=0xc0b3b7d0) at 
/usr/src/sys/bus/usb/uhci.c:1890
#18 0xc0444d31 in uhci_device_bulk_transfer (xfer=0xc0b3b7d0) at 
/usr/src/sys/bus/usb/uhci.c:1810
#19 0xc044d917 in usbd_transfer (xfer=0xc0b3b7d0) at 
/usr/src/sys/bus/usb/usbdi.c:321
#20 0xc045a6ce in umass_setup_transfer (sc=0x0, pipe=0x0, buffer=0x0, 
buflen=0, flags=0, xfer=0xc0b3b7d0) at 
/usr/src/sys/dev/usbmisc/umass/umass.c:1169
#21 0xc045ad53 in umass_bbb_state (xfer=0x0, priv=0xc0b76068, 
err=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usbmisc/umass/umass.c:1532
#22 0xc044e0ec in usb_transfer_complete (xfer=0xc0b3b690) at 
/usr/src/sys/bus/usb/usbdi.c:830
#23 0xc044464e in uhci_idone (ii=0x0) at /usr/src/sys/bus/usb/uhci.c:1480
#24 0xc0444530 in uhci_check_intr (sc=0xc67eb4b8, ii=0xc0b3b700) at 
/usr/src/sys/bus/usb/uhci.c:1355
#25 0xc044448a in uhci_softintr (v=0xc67eb4b8) at 
/usr/src/sys/bus/usb/uhci.c:1282
#26 0xc044d5c8 in usb_schedsoftintr (bus=0x0) at 
/usr/src/sys/bus/usb/usb.c:837
#27 0xc0444448 in uhci_intr1 (sc=0xc67eb4b8) at 
/usr/src/sys/bus/usb/uhci.c:1246
#28 0xc0444767 in uhci_waitintr (sc=0xc67eb4b8, xfer=0xc0b3b690) at 
/usr/src/sys/bus/usb/uhci.c:1538
#29 0xc0444ed4 in uhci_device_bulk_start (xfer=0xc0b3b690) at 
/usr/src/sys/bus/usb/uhci.c:1890
#30 0xc0444d31 in uhci_device_bulk_transfer (xfer=0xc0b3b690) at 
/usr/src/sys/bus/usb/uhci.c:1810
#31 0xc044d917 in usbd_transfer (xfer=0xc0b3b690) at 
/usr/src/sys/bus/usb/usbdi.c:321
#32 0xc045a6ce in umass_setup_transfer (sc=0x0, pipe=0x0, buffer=0x0, 
buflen=0, flags=4, xfer=0xc0b3b690) at 
/usr/src/sys/dev/usbmisc/umass/umass.c:1169
#33 0xc045abc5 in umass_bbb_state (xfer=0x0, priv=0xc0b76068, 
err=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usbmisc/umass/umass.c:1437
#34 0xc044e0ec in usb_transfer_complete (xfer=0xc0b3b5f0) at 
/usr/src/sys/bus/usb/usbdi.c:830
#35 0xc044464e in uhci_idone (ii=0x0) at /usr/src/sys/bus/usb/uhci.c:1480
#36 0xc0444530 in uhci_check_intr (sc=0xc67eb4b8, ii=0xc0b3b660) at 
/usr/src/sys/bus/usb/uhci.c:1355
#37 0xc044448a in uhci_softintr (v=0xc67eb4b8) at 
/usr/src/sys/bus/usb/uhci.c:1282
#38 0xc044d5c8 in usb_schedsoftintr (bus=0x0) at 
/usr/src/sys/bus/usb/usb.c:837
#39 0xc0444448 in uhci_intr1 (sc=0xc67eb4b8) at 
/usr/src/sys/bus/usb/uhci.c:1246
#40 0xc0444767 in uhci_waitintr (sc=0xc67eb4b8, xfer=0xc0b3b5f0) at 
/usr/src/sys/bus/usb/uhci.c:1538
#41 0xc0444ed4 in uhci_device_bulk_start (xfer=0xc0b3b5f0) at 
/usr/src/sys/bus/usb/uhci.c:1890
#42 0xc0444d31 in uhci_device_bulk_transfer (xfer=0xc0b3b5f0) at 
/usr/src/sys/bus/usb/uhci.c:1810
#43 0xc044d917 in usbd_transfer (xfer=0xc0b3b5f0) at 
/usr/src/sys/bus/usb/usbdi.c:321
#44 0xc045a6ce in umass_setup_transfer (sc=0x0, pipe=0x0, buffer=0x0, 
buflen=0, flags=0, xfer=0xc0b3b5f0) at 
/usr/src/sys/dev/usbmisc/umass/umass.c:1169
#45 0xc045aaf8 in umass_bbb_transfer (sc=0xc0b76068, lun=0, cmd=0x0, 
cmdlen=6, data=0xc4327a84, datalen=32, dir=1, cb=0, priv=0x0)
    at /usr/src/sys/dev/usbmisc/umass/umass.c:1384
#46 0xc045c343 in umass_cam_cb (sc=0xc0b76068, priv=0xc43279fc, 
residue=0, status=2) at /usr/src/sys/dev/usbmisc/umass/umass.c:2615
#47 0xc045b055 in umass_bbb_state (xfer=0x0, priv=0xc0b76068, 
err=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usbmisc/umass/umass.c:1628
#48 0xc044e0ec in usb_transfer_complete (xfer=0xc0b3b7d0) at 
/usr/src/sys/bus/usb/usbdi.c:830
#49 0xc044464e in uhci_idone (ii=0x0) at /usr/src/sys/bus/usb/uhci.c:1480
#50 0xc0444530 in uhci_check_intr (sc=0xc67eb4b8, ii=0xc0b3b840) at 
/usr/src/sys/bus/usb/uhci.c:1355
#51 0xc044448a in uhci_softintr (v=0xc67eb4b8) at 
/usr/src/sys/bus/usb/uhci.c:1282
#52 0xc044d5c8 in usb_schedsoftintr (bus=0x0) at 
/usr/src/sys/bus/usb/usb.c:837
#53 0xc0444448 in uhci_intr1 (sc=0xc67eb4b8) at 
/usr/src/sys/bus/usb/uhci.c:1246
#54 0xc0444767 in uhci_waitintr (sc=0xc67eb4b8, xfer=0xc0b3b7d0) at 
/usr/src/sys/bus/usb/uhci.c:1538
#55 0xc0444ed4 in uhci_device_bulk_start (xfer=0xc0b3b7d0) at 
/usr/src/sys/bus/usb/uhci.c:1890
#56 0xc0444d31 in uhci_device_bulk_transfer (xfer=0xc0b3b7d0) at 
/usr/src/sys/bus/usb/uhci.c:1810
#57 0xc044d917 in usbd_transfer (xfer=0xc0b3b7d0) at 
/usr/src/sys/bus/usb/usbdi.c:321
#58 0xc045a6ce in umass_setup_transfer (sc=0x0, pipe=0x0, buffer=0x0, 
buflen=0, flags=0, xfer=0xc0b3b7d0) at 
/usr/src/sys/dev/usbmisc/umass/umass.c:1169
#59 0xc045ad53 in umass_bbb_state (xfer=0x0, priv=0xc0b76068, 
err=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usbmisc/umass/umass.c:1532
#60 0xc044e0ec in usb_transfer_complete (xfer=0xc0b3b5f0) at 
/usr/src/sys/bus/usb/usbdi.c:830
#61 0xc044464e in uhci_idone (ii=0x0) at /usr/src/sys/bus/usb/uhci.c:1480
#62 0xc0444530 in uhci_check_intr (sc=0xc67eb4b8, ii=0xc0b3b660) at 
/usr/src/sys/bus/usb/uhci.c:1355
#63 0xc044448a in uhci_softintr (v=0xc67eb4b8) at 
/usr/src/sys/bus/usb/uhci.c:1282
#64 0xc044e51b in usbd_set_polling (dev=0x0, on=1) at 
/usr/src/sys/bus/usb/usbdi.c:1087
#65 0xc045c205 in umass_cam_poll (sim=0x0) at 
/usr/src/sys/dev/usbmisc/umass/umass.c:2566
#66 0xc01493ca in xpt_polled_action (start_ccb=0xc43279fc) at 
/usr/src/sys/bus/cam/cam_xpt.c:3352
#67 0xc01530d1 in dashutdown (arg=0x0, howto=0) at 
/usr/src/sys/bus/cam/scsi/scsi_da.c:1932
#68 0xc02b90e2 in boot (howto=0) at /usr/src/sys/kern/kern_shutdown.c:332
#69 0xc02b8d11 in sys_reboot (uap=0x0) at 
/usr/src/sys/kern/kern_shutdown.c:174
#70 0xc04c61ab in syscall2 (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 2, tf_esi = 
-1077936596, tf_ebp = -1077936984, tf_isp = -1003324044, tf_ebx = 
-1077936728, tf_edx = -1, tf_ecx = 134962784, tf_eax = 55, tf_trapno = 
12, tf_err = 2, tf_eip = 134547284, tf_cs = 31, tf_eflags = 646, tf_esp 
= -1077937204, tf_ss = 47})
    at /usr/src/sys/i386/i386/trap.c:1399
#71 0xc04b2b5a in Xint0x80_syscall () at 
/usr/src/sys/i386/i386/exception.s:852
#72 0x0000001f in ?? ()
#73 0x0000002f in ?? ()
#74 0x00000000 in ?? ()
#75 0x00000000 in ?? ()
#76 0x00000000 in ?? ()
#77 0x00000000 in ?? ()
#78 0x03e47000 in ?? ()
#79 0xc4324f00 in ?? ()
#80 0xc05ec294 in softclock_pcpu_ary ()
#81 0xc4327a58 in ?? ()
#82 0xc4327a38 in ?? ()
#83 0xff800000 in ?? ()
#84 0xc02bf443 in lwkt_switch () at /usr/src/sys/kern/lwkt_thread.c:740
Previous frame inner to this frame (corrupt stack?)
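
The hazard guessed at in the quoted reply, a list element removed while the scanner is still walking the list, shown as a user-space model. This is an added example, not code from uhci.c or from the patch mentioned in the thread; `struct intr_info`, `struct ctrl`, `unlink_ii`, `idone`, `scan_pending` and `demo` are hypothetical names, and the four-node list is constructed. It counts how often a `next` pointer saved before the callback would have dangled, and avoids following it by rescanning from the head whenever a generation counter shows the list changed.

```c
#include <stddef.h>
/* Hypothetical stand-in for a pending-transfer record; not the uhci.c struct. */
struct intr_info {
    struct intr_info *next;
    int done;      /* transfer finished, completion must run */
    int on_list;   /* still linked on the pending list */
    int aborts;    /* constructed: pool index its callback also unlinks, or -1 */
};
struct ctrl {
    struct intr_info *head, *pool;
    unsigned gen;          /* bumped on every unlink */
    int completed, stale;  /* stale: saved 'next' pointers that went bad */
};
static void unlink_ii(struct ctrl *sc, struct intr_info *ii) {
    if (!ii->on_list) return;
    for (struct intr_info **pp = &sc->head; *pp != NULL; pp = &(*pp)->next)
        if (*pp == ii) { *pp = ii->next; break; }
    ii->next = NULL; ii->on_list = 0; sc->gen++;
}
/* Completion: unlinks itself, then, like a re-entrant callback, maybe a second node. */
static void idone(struct ctrl *sc, struct intr_info *ii) {
    unlink_ii(sc, ii);
    sc->completed++;
    if (ii->aborts >= 0) unlink_ii(sc, &sc->pool[ii->aborts]);
}
/* Scanner that drops every saved pointer once a callback has changed the list. */
static int scan_pending(struct ctrl *sc) {
    int restarts = 0;
    struct intr_info *ii = sc->head;
    while (ii != NULL) {
        unsigned gen = sc->gen;
        struct intr_info *next = ii->next;
        if (ii->done) idone(sc, ii);
        if (sc->gen == gen) { ii = next; continue; }     /* list untouched */
        if (next != NULL && !next->on_list) sc->stale++; /* 'next' would dangle */
        ii = sc->head; restarts++;                       /* rescan from the head */
    }
    return restarts;
}
/* Constructed input: 0 -> 1 -> 2 -> 3; node 0's callback also unlinks node 1. */
int demo(struct ctrl *sc, struct intr_info pool[4]) {
    static const int done[4] = {1, 0, 1, 0}, aborts[4] = {1, -1, -1, -1};
    *sc = (struct ctrl){ .pool = pool };
    for (int i = 3; i >= 0; i--) {
        pool[i] = (struct intr_info){ sc->head, done[i], 1, aborts[i] };
        sc->head = &pool[i];
    }
    return scan_pending(sc);
}
```

Saving `next` before the callback, as a "safe" foreach does, is not enough in this model: the saved pointer is exactly the node the callback unlinked.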
