Bug 33143

Summary:	Kernel panic in uhci_abort_xfer_end
Product:	Base System	Reporter:	Russell Vincent <rv>
Component:	kern	Assignee:	freebsd-bugs (Nobody) <bugs>
Status:	Closed FIXED
Severity:	Affects Only Me
Priority:	Normal
Version:	4.5-PRERELEASE
Hardware:	Any
OS:	Any

Description Russell Vincent 2001-12-24 12:40:00 UTC

	I am occasionally getting a kernel panic in uhci_abort_xfer_end.
	The only USB device I have is an Alcatel ADSL Speedtouch USB
	modem and am currently getting packet loss on my line which
	I suspect may be somehow causing the modem to cause the USB
	bus to lock up. Anyway, that is a different problem, but
	probably shouldn't cause a kernel panic, hence this report.

	The second (ffs related) panic may also be interesting.

	If you require any more information than what I have supplied
	here, please don't hesitate to ask.

GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD at phsyical address 0x0046a000
initial pcb at physical address 0x003b5c60
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x32001003
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0x32001003
stack pointer           = 0x10:0xc0372518
frame pointer           = 0x10:0xc0372538
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = Idle
interrupt mask          = bio 
trap number             = 12
panic: page fault

syncing disks... 

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x30
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc029ccc8
stack pointer           = 0x10:0xc0372304
frame pointer           = 0x10:0xc037230c
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = Idle
interrupt mask          = bio 
trap number             = 12
panic: page fault
Uptime: 1h20m3s

dumping to dev #ad/1, offset 524448
dump ata0: resetting devices .. done
255 254 253 252 251 250 249 248 247 246 245 244 243 242 241 240 239 238 237 236 235 234 233 232 231 230 229 228 227 226 225 224 223 222 221 220 219 218 217 216 215 214 213 212 211 210 209 208 207 206 205 204 203 202 201 200 199 198 197 196 195 194 193 192 191 190 189 188 187 186 185 184 183 182 181 180 179 178 177 176 175 174 173 172 171 170 169 168 167 166 165 164 163 162 161 160 159 158 157 156 155 154 153 152 151 150 149 148 147 146 145 144 143 142 141 140 139 138 137 136 135 134 133 132 131 130 129 128 127 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 [CTRL-C to abort] [CTRL-C to abort] [CTRL-C to abort] 80 79 78 77 76 75 [CTRL-C to abort] 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 [CTRL-C to abort] [CTRL-C to abort] [CTRL-C to abort] 28 27 26 [CTRL-C to abort]!
  25 24 23 22 21 [CTRL-C to abort] 20 19 [CTRL-C to abort] 18 17 [CTRL-C to abort] 16 [CTRL-C to abort] 15 14 [CTRL-C to abort] 13 12 11 10 9 8 7 6 5 4 3 2 1 0 
---
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:473
473             if (dumping++) {
(kgdb) where
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:473
#1  0xc0193b1b in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:313
#2  0xc0193ef0 in poweroff_wait (junk=0xc036994c, howto=-1070164881)
    at /usr/src/sys/kern/kern_shutdown.c:581
#3  0xc030a016 in trap_fatal (frame=0xc03722c4, eva=48)
    at /usr/src/sys/i386/i386/trap.c:956
#4  0xc0309ce9 in trap_pfault (frame=0xc03722c4, usermode=0, eva=48)
    at /usr/src/sys/i386/i386/trap.c:849
#5  0xc03098a7 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = 0, 
      tf_esi = -1048494080, tf_ebp = -1070128372, tf_isp = -1070128400, 
      tf_ebx = -1069938500, tf_edx = 6832256, tf_ecx = -838711680, tf_eax = 0, 
      tf_trapno = 12, tf_err = 0, tf_eip = -1071002424, tf_cs = 8, 
      tf_eflags = 66050, tf_esp = -1048494080, tf_ss = -1048494080})
    at /usr/src/sys/i386/i386/trap.c:448
#6  0xc029ccc8 in acquire_lock (lk=0xc03a08bc)
    at /usr/src/sys/ufs/ffs/ffs_softdep.c:271
#7  0xc02a0d2c in softdep_update_inodeblock (ip=0xc1814000, bp=0xc68bd6d0, 
    waitfor=0) at /usr/src/sys/ufs/ffs/ffs_softdep.c:3775
#8  0xc029be11 in ffs_update (vp=0xce024680, waitfor=0)
    at /usr/src/sys/ufs/ffs/ffs_inode.c:106
#9  0xc02a5735 in ffs_fsync (ap=0xc03723b8)
    at /usr/src/sys/ufs/ffs/ffs_vnops.c:273
#10 0xc02a4067 in ffs_sync (mp=0xc1673400, waitfor=2, cred=0xc0e3c900, 
    p=0xc03d1e60) at vnode_if.h:558
#11 0xc01c336b in sync (p=0xc03d1e60, uap=0x0)
    at /usr/src/sys/kern/vfs_syscalls.c:547
#12 0xc01938ce in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:234
#13 0xc0193ef0 in poweroff_wait (junk=0xc036994c, howto=-1070164881)
    at /usr/src/sys/kern/kern_shutdown.c:581
#14 0xc030a016 in trap_fatal (frame=0xc03724d8, eva=838864899)
    at /usr/src/sys/i386/i386/trap.c:956
#15 0xc0309ce9 in trap_pfault (frame=0xc03724d8, usermode=0, eva=838864899)
    at /usr/src/sys/i386/i386/trap.c:849
#16 0xc03098a7 in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = 0, 
      tf_esi = -1048360832, tf_ebp = -1070127816, tf_isp = -1070127868, 
      tf_ebx = -1050855680, tf_edx = -1050887671, tf_ecx = -1048360772, 
      tf_eax = 838864899, tf_trapno = 12, tf_err = 0, tf_eip = 838864899, 
      tf_cs = 8, tf_eflags = 66118, tf_esp = -1070850452, tf_ss = -1050855936})
    at /usr/src/sys/i386/i386/trap.c:448
#17 0x32001003 in ?? ()
#18 0xc02bc8ad in uhci_abort_xfer_end (v=0xc1834880)
    at /usr/src/sys/dev/usb/uhci.c:1634
#19 0xc019994d in softclock () at /usr/src/sys/kern/kern_timeout.c:131

Fix: 

Unknown
How-To-Repeat: 	Difficult to duplicate, but I seem to be able to do it occasionally
	by doing multiple downloads on my ADSL line, hence causing more
	packet loss, which eventually causes the modem lockup and sometimes
	the kernel panic.

Comment 1 Sheldon Hearn 2002-01-09 14:58:04 UTC

On Tue, 25 Dec 2001 12:34:59 GMT, Russell Vincent wrote:

> >Number:         33143
> >Category:       kern
> >Synopsis:       Kernel panic in uhci_abort_xfer_end

Soren, you recently closed a PR that reported problems with second
panics while trying to dump.

Here's another example of one, from someone equipped to provide
debugging info.

Perhaps you could take a look?  bde seems to think there's a problem
with addump() that causes these, and they really get in the way of
debugging other problems.

Ciao,
Sheldon.

Comment 2 david 2002-07-11 17:05:34 UTC

The second panic is caused in /sys/ufs/ffs/ffs_softdep.c:acquire_lock
(i.e. soft updates are on):

acquire_lock(lk)
        struct lockit *lk;
{
        pid_t holder;

        if (lk->lkt_held !=3D -1) {
                holder =3D lk->lkt_held;
                FREE_LOCK(lk);
                if (holder =3D=3D CURPROC->p_pid)
                        panic("softdep_lock: locking against myself");
                else
                        panic("softdep_lock: lock held by %d", holder);
        }
        lk->lkt_spl =3D splbio();
(*)        lk->lkt_held =3D CURPROC->p_pid;
        lockcnt++;
}

The second panic happens at the line indicated (*) when CURPROC =3D=3D =
NULL (i.e. there is no current process)

David
--
Dr David Hedley, R&D Director,
intY Ltd, Bristol, UK
http://www.inty.net/


intY has scanned this email for all known viruses (www.inty.com)

Comment 3 iedowse freebsd_committer

2002-12-01 20:59:53 UTC

State Changed
From-To: open->feedback


Does the USB panic still occur on more recent releases?

Comment 4 iedowse freebsd_committer

2002-12-07 04:54:59 UTC

State Changed
From-To: feedback->closed


The submitter no longer uses the hardware on which the problem 
occurred.