Unplugging any USB mass storage device while it is being initialized leads to a kernel page fault. This is 100% reproducible and as the machine is being used by many people, it panics often because of this bug.

The relevant bits from dmesg:

    usb3: EHCI version 1.0
    usb3: companion controllers, 2 ports each: usb0 usb1 usb2
    usb3: <Intel 82801DB/L/M (ICH4) USB 2.0 controller> on ehci0
    usb3: USB revision 2.0
    uhub3: <Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1> on usb3
    uhub3: 6 ports with 6 removable, self powered

This is the device (but any USB mass storage device will work):

    umass0: <P Technology USB Mass Storage Device, class 0/0, rev 2.00/1.00, addr 2> on uhub3
    da0 at umass-sim0 bus 0 target 0 lun 0
    da0: <UT163 USB Flash Disk 0.00> Removable Direct Access SCSI-2 device
    da0: 40.000MB/s transfers
    da0: 480MB (983040 512 byte sectors: 64H 32S/T 480C)

The following crash log information is typed in by hand, so please excuse any errors:

    umass0: BBB reset failed, IOERROR
    umass0: at uhub3 port 6 (addr 2) disconnected
    (da0: umass-sim0:0:0:0): lost device

    Fatal trap 12: page fault while in kernel mode
    cpuid=0; apic id=00
    fault virtual address = 0x0
    fault code = supervisor write, page not present
    instruction pointer = 0x20: 0xc046ae6b
    stack pointer = 0x28: 0xe3f87b0c
    frame pointer = 0x28: 0xe3f87b28
    code segment = base rx0, limit 0xffffff, type 0x1b
                 = DPL 0, pres 0, def32 1, gran 1
    processor eflags = int enabled, resume, IOPL=0
    current process = 2 (g_event)
    trap number = 12
    panic: page fault
    cpuid=0

The instruction pointer points to the xpt_done() function. From disassembly, it looks like the crash is around here (from http://svn.freebsd.org/viewvc/base/release/7.1.0/sys/cam/cam_xpt.c?revision=186660&view=markup):

    switch (done_ccb->ccb_h.path->periph->type) {
    case CAM_PERIPH_BIO:
        TAILQ_INSERT_TAIL(&sim->sim_doneq, &done_ccb->ccb_h,
            sim_links.tqe);
        done_ccb->ccb_h.pinfo.index = CAM_DONEQ_INDEX;

If more information is required, please let me know. I'm not familiar enough with this code to really dive in. I have one or two vmcores lying around which I could send to anyone investigating this issue.

Fix:

- Educate users (right...)

How-To-Repeat:

- Insert USB mass storage device (a memory stick will do).
- Remove it during initialisation (within two seconds or so).
- Page fault.

Yup, crash is at the TAILQ_INSERT_TAIL, line 4835:

    (kgdb) bt
    #0  doadump () at pcpu.h:196
    #1  0xc0790ea7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
    #2  0xc0791179 in panic (fmt=Variable "fmt" is not available.
    ) at /usr/src/sys/kern/kern_shutdown.c:574
    #3  0xc0aa338c in trap_fatal (frame=0xe406c974, eva=0) at /usr/src/sys/i386/i386/trap.c:939
    #4  0xc0aa3610 in trap_pfault (frame=0xe406c974, usermode=0, eva=0) at /usr/src/sys/i386/i386/trap.c:852
    #5  0xc0aa3fcc in trap (frame=0xe406c974) at /usr/src/sys/i386/i386/trap.c:530
    #6  0xc0a89e3b in calltrap () at /usr/src/sys/i386/i386/exception.s:159
    #7  0xc046ae6b in xpt_done (done_ccb=0xc4030400) at /usr/src/sys/cam/cam_xpt.c:4835
    #8  0xc047154e in probedone (periph=0xc47ee200, done_ccb=Variable "done_ccb" is not available.
    ) at /usr/src/sys/cam/cam_xpt.c:6392
    #9  0xc046cff1 in camisr_runqueue (V_queue=Variable "V_queue" is not available.
    ) at /usr/src/sys/cam/cam_xpt.c:7316
    #10 0xc047093f in xpt_bus_deregister (pathid=0) at /usr/src/sys/cam/cam_xpt.c:4421
    #11 0xc06f6dc0 in umass_cam_detach_sim (sc=0xc4467a00) at /usr/src/sys/dev/usb/umass.c:2716
    #12 0xc06f6e6d in umass_detach (self=0xc47ee680) at /usr/src/sys/dev/usb/umass.c:1564
    #13 0xc07b5e38 in device_detach (dev=0xc47ee680) at device_if.h:212
    #14 0xc06fdfe2 in usb_disconnect_port (up=0xc3fd9494, parent=0xc3fece80) at /usr/src/sys/dev/usb/usb_subr.c:1380
    #15 0xc06f3e6e in uhub_explore (dev=0xc3fecc80) at /usr/src/sys/dev/usb/uhub.c:462
    #16 0xc06fc195 in usb_discover (v=Variable "v" is not available.
    ) at /usr/src/sys/dev/usb/usb.c:724
    #17 0xc06fd187 in usb_event_thread (arg=0xc3fd4880) at /usr/src/sys/dev/usb/usb.c:440
    #18 0xc076ca19 in fork_exit (callout=0xc06fd0d0 <usb_event_thread>, arg=0xc3fd4880, frame=0xe406cd38) at /usr/src/sys/kern/kern_fork.c:804
    #19 0xc0a89eb0 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:264

    (kgdb) print *sim
    $2 = {sim_action = 0xc046af70 <dead_sim_action>,
      sim_poll = 0xc0469b00 <dead_sim_poll>, sim_name = 0xc0af0b2e "dead_sim",
      softc = 0x0, mtx = 0x0, sim_doneq = {tqh_first = 0x0, tqh_last = 0x0},
      links = {tqe_next = 0x0, tqe_prev = 0x0}, path_id = 0, unit_number = 0,
      bus_id = 0, max_tagged_dev_openings = 0, max_dev_openings = 0, flags = 0,
      callout = {c_links = {sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0,
            tqe_prev = 0x0}}, c_time = 0, c_arg = 0x0, c_func = 0, c_mtx = 0x0,
        c_flags = 0}, devq = 0x0, ccb_freeq = {slh_first = 0xc4022400},
      max_ccbs = 0, ccb_count = 0}

    (kgdb) print done_ccb->ccb_h
    $5 = {pinfo = {priority = 5, generation = 5, index = -1}, xpt_links = {le = {
          le_next = 0x0, le_prev = 0x0}, sle = {sle_next = 0x0}, tqe = {
          tqe_next = 0x0, tqe_prev = 0x0}, stqe = {stqe_next = 0x0}}, sim_links = {
        le = {le_next = 0x0, le_prev = 0x0}, sle = {sle_next = 0x0}, tqe = {
          tqe_next = 0x0, tqe_prev = 0x0}, stqe = {stqe_next = 0x0}},
      periph_links = {le = {le_next = 0x0, le_prev = 0xc4015c00}, sle = {
          sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xc4015c00}, stqe = {
          stqe_next = 0x0}}, retry_count = 0, cbfcnp = 0xc046e8f0 <xpt_scan_bus>,
      func_code = XPT_SCAN_LUN, status = 1, path = 0xc480d290, path_id = 0,
      target_id = 0, target_lun = 0, flags = 0, periph_priv = {entries = {{
            ptr = 0xc480d2a0, field = 3296776864, bytes = " Ò\200Ä"}, {ptr = 0x0,
            field = 0, bytes = "\000\000\000"}}, bytes = " Ò\200Ä\000\000\000"},
      sim_priv = {entries = {{ptr = 0x0, field = 0, bytes = "\000\000\000"}, {
            ptr = 0x0, field = 0, bytes = "\000\000\000"}},
        bytes = "\000\000\000\000\000\000\000"}, timeout = 0, timeout_ch = {
        callout = 0x0}}

Hope this helps.
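
An added example, not part of either post above and not FreeBSD's code: a user-space model of the state shown in the kgdb dump, where the sim's done queue head is all zeroes (tqh_last = 0x0), which is consistent with the reported supervisor write fault at virtual address 0x0. The struct, function and constant names are hypothetical stand-ins, and the NULL check only illustrates the failure mode; it is not the fix adopted in the tree.

```c
#include <stddef.h>
#include <string.h>
#include <sys/queue.h>

/* Hypothetical stand-ins for the CAM structures; only the fields needed here. */
struct ccb_hdr_model {
    TAILQ_ENTRY(ccb_hdr_model) tqe;   /* models sim_links.tqe */
    int index;                        /* models pinfo.index */
};
TAILQ_HEAD(doneq_model, ccb_hdr_model);

struct sim_model {
    const char *sim_name;
    struct doneq_model sim_doneq;
};

#define MODEL_DONEQ_INDEX (-2)   /* constructed value, not CAM_DONEQ_INDEX */

/* A head that was never passed to TAILQ_INIT: all zeroes, as in the dump. */
void sim_make_dead(struct sim_model *sim)
{
    memset(sim, 0, sizeof(*sim));
    sim->sim_name = "dead_sim";
}

void sim_make_live(struct sim_model *sim)
{
    memset(sim, 0, sizeof(*sim));
    sim->sim_name = "live_sim";
    TAILQ_INIT(&sim->sim_doneq);   /* sets tqh_last = &tqh_first */
}

/*
 * TAILQ_INSERT_TAIL stores the new element through head->tqh_last
 * ("*tqh_last = elm"). With tqh_last == NULL that store targets address 0,
 * so the insert is refused instead of performed.
 * Returns 0 on success, -1 if the queue head was never initialized.
 */
int doneq_insert_checked(struct sim_model *sim, struct ccb_hdr_model *ccb)
{
    if (sim->sim_doneq.tqh_last == NULL)
        return -1;
    TAILQ_INSERT_TAIL(&sim->sim_doneq, ccb, tqe);
    ccb->index = MODEL_DONEQ_INDEX;
    return 0;
}
```
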

For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped