From nobody@FreeBSD.org  Fri Apr 12 00:13:57 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 9295537B400
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 12 Apr 2002 00:13:57 -0700 (PDT)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g3C7DvS75027;
	Fri, 12 Apr 2002 00:13:57 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200204120713.g3C7DvS75027@freefall.freebsd.org>
Date: Fri, 12 Apr 2002 00:13:57 -0700 (PDT)
From: Joe Ondrechen <ondrechenj@whiteice.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Kernel panic in tty_subr.c while using ppp with USB modem
X-Send-Pr-Version: www-1.0

>Number:         37015
>Category:       kern
>Synopsis:       Kernel panic in tty_subr.c while using ppp with USB modem
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    njl
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 12 00:20:01 PDT 2002
>Closed-Date:    Sun Oct 26 22:45:26 PST 2003
>Last-Modified:  Sun Oct 26 22:45:26 PST 2003
>Originator:     Joe Ondrechen
>Release:        4.5R
>Organization:
N/A
>Environment:
FreeBSD kayakxw.sd.lan 4.5-RELEASE FreeBSD 4.5-RELEASE #22: Sat Apr  6 18:47:32
PST 2002     joekjr@kayakxw.sd.lan:/usr/src/sys/compile/KAYAKXW  i386  
>Description:
Frequent clist reservation botch panics occur using ppp with a USB modem.

A typical backtrace looks like:
panic: clist reservation botch
---
#0  0xc01bc4f2 in dumpsys ()
(kgdb) backtrace
#0  0xc01bc4f2 in dumpsys ()
#1  0xc01bc307 in boot ()
#2  0xc01bc6e8 in poweroff_wait ()
#3  0xc01d6438 in b_to_q (
    src=0xcde2ad84 ".com\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\nAG", amount=84, clistp=0xc15b4f38)
    at ../../kern/tty_subr.c:103
#4  0xc01d33d4 in ttwrite ()
#5  0xc047defe in ?? ()
#6  0xc01f47c1 in spec_write ()
#7  0xc028e034 in ufsspec_write ()
#8  0xc028e651 in ufs_vnoperatespec ()
#9  0xc01f0a4a in vn_write ()
#10 0xc01caf95 in dofilewrite ()
#11 0xc01cae4e in write ()
#12 0xc030f4a9 in syscall2 ()
#13 0xc0303b15 in Xint0x80_syscall ()
#14 0x806fadd in ?? ()
#15 0x805ab59 in ?? ()
#16 0x804d21c in ?? ()
#17 0x806c41a in ?? ()
#18 0x806bfd3 in ?? ()
#19 0x804b305 in ?? ()
      
>How-To-Repeat:
Browse web using a USB modem, ppp user mode. Other processes seem to increase the probability of this panic, such as running KDE Patience or a shell terminal within KDE. I have never had this occur while using ftp or lynx from the console.
>Fix:
      
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: kris 
State-Changed-When: Mon Jul 14 02:38:18 PDT 2003 
State-Changed-Why:  
Does this problem persist in later releases?  If so, 
can you please obtain a gdb traceback from a kernel 
containing debugging symbols (this shows the source code 
line numbers in the traceback, which is important debugging 
information). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37015 

From: Kris Kennaway <kris@obsecurity.org>
To: freebsd-gnats-submit@FreeBSD.org, ondrechenj@whiteice.com
Cc:  
Subject: Re: kern/37015
Date: Mon, 14 Jul 2003 02:37:12 -0700

 See also i386/36850 which is a similar panic in the read() syscall.
 
 Kris
 

From: Joe Ondrechen <ondrechenj@whiteice.com>
To: freebsd-gnats-submit@FreeBSD.org, ondrechenj@whiteice.com
Cc:  
Subject: Re: kern/37015: Kernel panic in tty_subr.c while using ppp with USB modem
Date: Tue, 15 Jul 2003 23:37:32 -0700

 Kris,
 Yes, the problem still occurs in later versions, here is info for version 
 4.8:
 
 Environment:
 FreeBSD kayakxw.sd.lan 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Mon Jul 14 
 23:30:39 PDT 2003     root@kayakxw.sd.lan:/usr/src/sys/compile/KAYAKXW  
 i386
 
 Backtrace:
 GNU gdb 4.18 (FreeBSD)
 Copyright 1998 Free Software Foundation, Inc. . . .
 
 This GDB was configured as "i386-unknown-freebsd"...
 IdlePTD at phsyical address 0x004ca000
 initial pcb at physical address 0x00401a40
 panicstr: clist reservation botch
 panic messages:
 ---
 panic: clist reservation botch
 
 syncing disks... panic: clist reservation botch
 Uptime: 4m42s
 
 dumping to dev #da/0x20001, offset 493616
 
 ---
 #0  dumpsys () at ../../kern/kern_shutdown.c:487
 487		if (dumping++) {
 (kgdb) backtrace
 #0  dumpsys () at ../../kern/kern_shutdown.c:487
 #1  0xc01bb417 in boot (howto=260) at ../../kern/kern_shutdown.c:316
 #2  0xc01bb83c in poweroff_wait (junk=0xc03720c4, howto=-1050975488)
     at ../../kern/kern_shutdown.c:595
 #3  0xc01d596a in putc (chr=0, clistp=0xc15b6300) at 
 ../../kern/tty_subr.c:103
 #4  0xc01d0d67 in ttyinput (c=0, tp=0xc15b6300) at ../../kern/tty.c:554
 #5  0xc04a6d5e in ?? ()
 #6  0xc02d933f in usb_transfer_complete (xfer=0xc15b9600)
     at ../../dev/usb/usbdi.c:767
 #7  0xc02d3527 in uhci_idone (ii=0xc167ec80) at ../../dev/usb/uhci.c:1164
 #8  0xc02d3400 in uhci_check_intr (sc=0xc15be000, ii=0xc167ec80)
     at ../../dev/usb/uhci.c:1058
 #9  0xc02d336b in uhci_intr (arg=0xc15be000) at ../../dev/usb/uhci.c:995
 #10 0xc034514d in intr_mux (arg=0xc15bae40)
     at ../../i386/isa/intr_machdep.c:582
 #11 0xc03302b2 in vec10 ()
 #12 0xc02b277c in interlocked_sleep (lk=0xc03d1f5c, op=1, 
 ident=0xcd3d5944, 
     flags=17, wmesg=0xc03891ff "drainvp", timo=0)
     at ../../ufs/ffs/ffs_softdep.c:329
 #13 0xc02b7ff6 in drain_output (vp=0xcd3d5900, islocked=1)
     at ../../ufs/ffs/ffs_softdep.c:4913
 #14 0xc02b6de6 in softdep_fsync_mountdev (vp=0xcd3d5900)
     at ../../ufs/ffs/ffs_softdep.c:4056
 #15 0xc02baf2a in ffs_fsync (ap=0xcd975c94) at 
 ../../ufs/ffs/ffs_vnops.c:134
 #16 0xc02b9bb3 in ffs_sync (mp=0xc1673a00, waitfor=2, cred=0xc0e3c800, 
     p=0xc041c000) at vnode_if.h:558
 #17 0xc01eb737 in sync (p=0xc041c000, uap=0x0) at 
 ../../kern/vfs_syscalls.c:576
 #18 0xc01bb1b2 in boot (howto=256) at ../../kern/kern_shutdown.c:235
 #19 0xc01bb83c in poweroff_wait (junk=0xc03720c4, howto=100)
     at ../../kern/kern_shutdown.c:595
 #20 0xc01d5b30 in b_to_q (
     src=0xcd975d8c "m, image/x-eps, image/tiff, image/x-bmp, 
 image/gif\r\nAccept-Encoding: x-gzip,]\227nJ", amount=76, 
 clistp=0xc15b6338)
     at ../../kern/tty_subr.c:103
 #21 0xc01d2acc in ttwrite (tp=0xc15b6300, uio=0xcd975ed4, flag=8323089)
     at ../../kern/tty.c:1935
 #22 0xc04a6ede in ?? ()
 #23 0xc01f4231 in spec_write (ap=0xcd975e64)
     at ../../miscfs/specfs/spec_vnops.c:283
 #24 0xc02c16b0 in ufsspec_write (ap=0xcd975e64)
     at ../../ufs/ufs/ufs_vnops.c:1827
 #25 0xc02c1ccd in ufs_vnoperatespec (ap=0xcd975e64)
     at ../../ufs/ufs/ufs_vnops.c:2394
 #26 0xc01f04d6 in vn_write (fp=0xc17945c0, uio=0xcd975ed4, 
 cred=0xc1714380, 
     flags=0, p=0xcc3168a0) at vnode_if.h:363
 #27 0xc01ca4a9 in dofilewrite (p=0xcc3168a0, fp=0xc17945c0, fd=0, 
     buf=0x80db018, nbyte=698, offset=-1, flags=0) at ../../sys/file.h:163
 #28 0xc01ca362 in write (p=0xcc3168a0, uap=0xcd975f80)
     at ../../kern/sys_generic.c:329
 #29 0xc033ac49 in syscall2 (frame={tf_fs = 134938671, tf_es = 47, 
       tf_ds = -1078001617, tf_edi = 698, tf_esi = 134983680, 
       tf_ebp = -1077937792, tf_isp = -845717548, tf_ebx = 134975488, 
       tf_edx = 0, tf_ecx = 16, tf_eax = 4, tf_trapno = 12, tf_err = 2, 
       tf_eip = 673667372, tf_cs = 31, tf_eflags = 659, tf_esp = 
 -1077937836, 
       tf_ss = 47}) at ../../i386/i386/trap.c:1175
 #30 0xc032eda5 in Xint0x80_syscall ()
 #31 0x807467b in ?? ()
 #32 0x8073749 in ?? ()
 #33 0x805b728 in ?? ()
 #34 0x804d69c in ?? ()
 #35 0x806e5a2 in ?? ()
 #36 0x806e16b in ?? ()
 #37 0x804b586 in ?? ()
 (kgdb) 
 (kgdb) quit
Responsible-Changed-From-To: freebsd-bugs->joe 
Responsible-Changed-By: kris 
Responsible-Changed-When: Thu Jul 17 17:26:35 PDT 2003 
Responsible-Changed-Why:  
Assign to USB maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37015 
Responsible-Changed-From-To: joe->njl 
Responsible-Changed-By: njl 
Responsible-Changed-When: Thu Aug 21 21:19:17 PDT 2003 
Responsible-Changed-Why:  
I'll look into this.  See kern/25632 for more analysis. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37015 
State-Changed-From-To: feedback->closed 
State-Changed-By: njl 
State-Changed-When: Sun Oct 26 22:32:06 PST 2003 
State-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=37015 
State-Changed-From-To: closed->feedback 
State-Changed-By: njl 
State-Changed-When: Sun Oct 26 22:44:06 PST 2003 
State-Changed-Why:  
I believe this was fixed in all versions. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37015 
State-Changed-From-To: feedback->closed 
State-Changed-By: njl 
State-Changed-When: Sun Oct 26 22:45:19 PST 2003 
State-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=37015 
>Unformatted:
