Bug 120729

Summary: [panic] fault while in kernel mode with connecting USB memory stick
Product: Base System
Reporter: tadokoro <tadokoro>
Component: usb
Assignee: freebsd-usb (Nobody) <usb>
Status: Open ---
Severity: Affects Only Me
Keywords: crash
Priority: Normal
Version: 6.2-RELEASE   
Hardware: Any   
OS: Any   

Description tadokoro 2008-02-16 11:50:01 UTC
When I connected a USB memory, my machine froze.
The machine responded to "ping" and NumLock, but I couldn't log in from the
console or over ssh (it didn't display "password:").

So I disconnected the USB memory, and then the kernel panicked.

I am sending that crash dump.

eti# kgdb kernel.debug /var/crash/vmcore.0
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd".

Unread portion of the kernel message buffer:
umass0: at uhub1 port 7 (addr 2) disconnected
(da0:umass-sim0:0:0:0): lost device
(da1:umass-sim0:0:0:1): lost device


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x8
fault code              = supervisor write, page not present
instruction pointer     = 0x8:0xffffffff80171cb8
stack pointer           = 0x10:0xffffffffb1cb4ab0
frame pointer           = 0x10:0xffffff0039508800
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 25 (usb1)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 22h15m6s
(da0:dead_sim0:0:0:0): Synchronize cache failed, status == 0x8, scsi status == 0x0
(da1:dead_sim0:0:0:1): Synchronize cache failed, status == 0x8, scsi status == 0x0
Dumping 2046 MB (2 chunks)
  chunk 0: 1MB (148 pages) ... ok
  chunk 1: 2046MB (523744 pages) 2030 2014 1998 1982 1966 1950 1934 1918 1902 1886 1870 1854 1838 1822 1806 1790 1774 1758 1742 1726 1710 1694 1678 1662 1646 1630 1614 1598 1582 1566 1550 1534 1518 1502 1486 1470 1454 1438 1422 1406 1390 1374 1358 1342 1326 1310 1294 1278 1262 1246 1230 1214 1198 1182 1166 1150 1134 1118 1102 1086 1070 1054 1038 1022 1006 990 974 958 942 926 910 894 878 862 846 830 814 798 782 766 750 734 718 702 686 670 654 638 622 606 590 574 558 542 526 510 494 478 462 446 430 414 398 382 366 350 334 318 302 286 270 254 238 222 206 190 174 158 142 126 110 94 78 62 46 30 14

#0  doadump () at pcpu.h:172
172             __asm __volatile("movq %%gs:0,%0" : "=r" (td));

(kgdb) bt full
#0  doadump () at pcpu.h:172
No locals.
#1  0x0000000000000004 in ?? ()
No symbol table info available.
#2  0xffffffff803f90b7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
        first_buf_printf = 1
#3  0xffffffff803f9751 in panic (fmt=0xffffff007b8e4260 "\bz\216{") at /usr/src/sys/kern/kern_shutdown.c:565
        bootopt = 260
        newpanic = 0
        ap = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0xffffffffb1cb4920,
    reg_save_area = 0xffffffffb1cb4850}}
        buf = "page fault", '\0' <repeats 245 times>
#4  0xffffffff806197ef in trap_fatal (frame=0xffffff007b8e4260, eva=18446742976270858760)
    at /usr/src/sys/amd64/amd64/trap.c:660
        code = 2072920672
        type = 12
        ss = 1
        esp = 0
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_long = 1,
  ssd_def32 = 0, ssd_gran = 1}
        msg = 0x0
#5  0xffffffff80619b0f in trap_pfault (frame=0xffffffffb1cb4a00, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:573
        va = 0
        vm = (struct vmspace *) 0x0
        map = 0xffffffff808fde20
        rv = 1
        ftype = 1 '\001'
        p = (struct proc *) 0x0
        eva = 8
#6  0xffffffff80619dc3 in trap (frame=
      {tf_rdi = 0, tf_rsi = 4294967293, tf_rdx = -1097880692568, tf_rcx = -3, tf_r8 = -1099497233664, tf_r9 = -1099091354624, tf_rax = 0, tf_rbx = -1099091354520, tf_rbp = -1098550048768, tf_r10 = -1312077728, tf_r11 = 10, tf_r12 = -1099091354624, tf_r13 = -1099091354608, tf_r14 = -1098166853376, tf_r15 = -1098166853352, tf_trapno = 12, tf_addr = 8, tf_flags = -2145958034, tf_err = 2, tf_rip = -2145968968, tf_cs = 8, tf_rflags = 66071, tf_rsp = -1312077112, tf_ss = 16})
    at /usr/src/sys/amd64/amd64/trap.c:352
        p = (struct proc *) 0xffffff007b8e7a08
        sticks = 4294967040
        i = 0
        ucode = 0
        type = 3
        code = 2
#7  0xffffffff80604fab in calltrap () at /usr/src/sys/amd64/amd64/exception.S:168
No locals.
#8  0xffffffff80171cb8 in camq_remove (queue=0xffffff00190cdc68, index=-3) at /usr/src/sys/cam/cam_queue.c:186
        removed_entry = (cam_pinfo *) 0xffffff0039508800
#9  0xffffffff801781d6 in xpt_bus_deregister (pathid=0) at cam_queue.h:199
        bus_path = {periph = 0x0, bus = 0xffffff006a5ccc00, target = 0xffffff00291dc400, device = 0xffffff0026a4c200}
        device = (struct cam_ed *) 0xffffff00190cdc00
        qinfo = (struct cam_ed_qinfo *) 0xffffff00190cdc10
        devq = (struct cam_devq *) 0xffffff005027a100
        periph = (struct cam_periph *) 0xffffff00190cdc68
        ccbsim = (struct cam_sim *) 0x0
        work_ccb = (union ccb *) 0xffffff00010ae400
        status = CAM_REQ_INPROG
#10 0xffffffff803799fb in umass_cam_detach_sim (sc=0xffffff002466ac00) at cam_sim.h:106
No locals.
#11 0xffffffff80379ae8 in umass_detach (self=0x0) at /usr/src/sys/dev/usb/umass.c:1199
        sc = (struct umass_softc *) 0xffffff002466ac00
        err = 0
        i = 1570478336
#12 0xffffffff80412dd4 in device_detach (dev=0xffffff005d9b9900) at device_if.h:211
No locals.
#13 0xffffffff8037fdc5 in usb_disconnect_port (up=0xffffff007b8c30f8, parent=0x0)
    at /usr/src/sys/dev/usb/usb_subr.c:1425
        dev = 0xffffff0011404e00
        hubname = 0xffffff0000e2e940 "uhub1"
        i = 1
#14 0xffffffff80375a82 in uhub_explore (dev=0xffffff0000e12b00) at /usr/src/sys/dev/usb/uhub.c:465
        hd = (usb_hub_descriptor_t *) 0xffffff007b8c3010
        sc = (struct uhub_softc *) 0xffffff007b861800
        up = (struct usbd_port *) 0xffffff007b8c30f8
        err = USBD_NORMAL_COMPLETION
        speed = -3
        port = 7
        change = 1
        status = 1280
#15 0xffffffff8037c6bf in usb_discover (v=0x0) at /usr/src/sys/dev/usb/usb.c:747
        sc = (struct usb_softc *) 0xffffff007b89f480
#16 0xffffffff8037c738 in usb_event_thread (arg=0x0) at /usr/src/sys/dev/usb/usb.c:433
        sc = (struct usb_softc *) 0xffffff007b89f480
#17 0xffffffff803de087 in fork_exit (callout=0xffffffff8037c6e0 <usb_event_thread>, arg=0xffffff007b89f480,
    frame=0xffffffffb1cb4c50) at /usr/src/sys/kern/kern_fork.c:821
        p = (struct proc *) 0xffffff007b8e7a08
#18 0xffffffff8060530e in fork_trampoline () at /usr/src/sys/amd64/amd64/exception.S:394

How-To-Repeat: Sorry, I have no idea.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2008-02-16 14:10:07 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-usb

Over to maintainer(s).
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:01:16 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
Comment 3 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:17:28 UTC
Keyword: 

    crash

– in lieu of summary line prefix: 

    [panic]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>