From paul@snark.rtelekom.ru  Thu May 30 03:01:07 2002
Return-Path: <paul@snark.rtelekom.ru>
Received: from snark.rtelekom.ru (snark.rtelekom.ru [217.146.42.132])
	by hub.freebsd.org (Postfix) with ESMTP id 7470F37B400
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 30 May 2002 03:01:05 -0700 (PDT)
Received: from snark.rtelekom.ru (paul@localhost [127.0.0.1])
	by snark.rtelekom.ru (8.12.3/8.12.2) with ESMTP id g4UA0xSb043173
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 30 May 2002 14:00:59 +0400 (MSD)
	(envelope-from paul@snark.rtelekom.ru)
Received: (from paul@localhost)
	by snark.rtelekom.ru (8.12.3/8.12.3/Submit) id g4UA0ugQ043172;
	Thu, 30 May 2002 14:00:57 +0400 (MSD)
Message-Id: <200205301000.g4UA0ugQ043172@snark.rtelekom.ru>
Date: Thu, 30 May 2002 14:00:57 +0400 (MSD)
From: Paul Argentoff <argentoff@rtelekom.ru>
Reply-To: Paul Argentoff <argentoff@rtelekom.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject:
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         38736
>Category:       kern
>Synopsis:       kernel panic during memory stick removal
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-usb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 30 03:10:01 PDT 2002
>Closed-Date:    Sun Jan 09 07:12:39 GMT 2005
>Last-Modified:  Sun Jan 09 07:12:39 GMT 2005
>Originator:     Paul Argentoff <argentoff@rtelekom.ru>
>Release:        FreeBSD 4.5-RELEASE i386
>Organization:
"Ratmir TeleKom", city of Tver, Russian Federation
>Environment:

 FreeBSD a15.ratmir.tver.ru 4.5-RELEASE FreeBSD 4.5-RELEASE #1: Wed
 May 29 18:18:51 MSD 2002
 root@a15.ratmir.tver.ru:/usr/src/sys/compile/A15-KRON  i386

                 Dmesg is attached to this report.
 
>Description:
 
 Sometimes (indeed, really often) when I remove a memory stick from the Memory
 Stick Reader (an USB device), it causes a kernel panic. The kernel is configured
 with usb/umass options and device support. Memory stick is working fine (I can
 read/write to it without a problem). But when I remove a stick from it's reader,
 I often get a kernel trap. Kernel's coredump debugging session follows.
 
>How-To-Repeat:
 
 For example (but it's not the only situation when the problem happens), remove
 the memory stick from the reader shortly after it's been inserted, while the
 stick's device registration process has not yet finished (according to console
 log)
 
 --- gdb-session begins here ---
 Script started on Wed May 29 18:53:43 2002
 [root@a15 crash]# gdb -k kernel.debug vmcore.6 
 GNU gdb 4.18
 Copyright 1998 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-unknown-freebsd"...
 IdlePTD at phsyical address 0x00301000
 initial pcb at physical address 0x00266040
 panicstr: page fault
 panic messages:
 ---
 Fatal trap 12: page fault while in kernel mode
 fault virtual address	= 0x4
 fault code		= supervisor read, page not present
 instruction pointer	= 0x8:0xc01bd58e
 stack pointer	        = 0x10:0xc0243e68
 frame pointer	        = 0x10:0xc0243e70
 code segment		= base 0x0, limit 0xfffff, type 0x1b
 			= DPL 0, pres 1, def32 1, gran 1
 processor eflags	= interrupt enabled, resume, IOPL = 0
 current process		= Idle
 interrupt mask		= bio 
 trap number		= 12
 panic: page fault
 
 syncing disks... 
 
 Fatal trap 12: page fault while in kernel mode
 fault virtual address	= 0x30
 fault code		= supervisor read, page not present
 instruction pointer	= 0x8:0xc019c598
 stack pointer	        = 0x10:0xc0243c8c
 frame pointer	        = 0x10:0xc0243c94
 code segment		= base 0x0, limit 0xfffff, type 0x1b
 			= DPL 0, pres 1, def32 1, gran 1
 processor eflags	= interrupt enabled, resume, IOPL = 0
 current process		= Idle
 interrupt mask		= bio 
 trap number		= 12
 panic: page fault
 Uptime: 1m23s
 
 dumping to dev #ad/0x30004, offset 892952
 dump ata0: resetting devices .. done
 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 
 ---
 #0  dumpsys () at ../../kern/kern_shutdown.c:474
 474		if (dumping++) {
 (kgdb) where
 #0  dumpsys () at ../../kern/kern_shutdown.c:474
 #1  0xc0140458 in boot (howto=260) at ../../kern/kern_shutdown.c:313
 #2  0xc014085d in panic (fmt=0xc023b80c "%s") at ../../kern/kern_shutdown.c:582
 #3  0xc01fdf08 in trap_fatal (frame=0xc0243c4c, eva=48) at ../../i386/i386/trap.c:956
 #4  0xc01fdb9d in trap_pfault (frame=0xc0243c4c, usermode=0, eva=48) at ../../i386/i386/trap.c:849
 #5  0xc01fd72f in trap (frame={tf_fs = -1072300016, tf_es = 6815760, tf_ds = -1071382512, tf_edi = 0, 
       tf_esi = -1064190976, tf_ebp = -1071367020, tf_isp = -1071367048, tf_ebx = -1071303940, 
       tf_edx = 6832224, tf_ecx = -971604736, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1072052840, 
       tf_cs = 8, tf_eflags = 66054, tf_esp = -1064190976, tf_ss = -1064190976})
     at ../../i386/i386/trap.c:448
 #6  0xc019c598 in acquire_lock (lk=0xc02532fc) at ../../ufs/ffs/ffs_softdep.c:271
 #7  0xc01a070c in softdep_update_inodeblock (ip=0xc091bc00, bp=0xc1d25874, waitfor=0)
     at ../../ufs/ffs/ffs_softdep.c:3775
 #8  0xc019b6a6 in ffs_update (vp=0xc6167d00, waitfor=0) at ../../ufs/ffs/ffs_inode.c:106
 #9  0xc01a3c4a in ffs_sync (mp=0xc08eea00, waitfor=2, cred=0xc05ab400, p=0xc0279500)
     at ../../ufs/ffs/ffs_vfsops.c:1014
 #10 0xc0170e07 in sync (p=0xc0279500, uap=0x0) at ../../kern/vfs_syscalls.c:547
 #11 0xc014022b in boot (howto=256) at ../../kern/kern_shutdown.c:234
 #12 0xc014085d in panic (fmt=0xc023b80c "%s") at ../../kern/kern_shutdown.c:582
 #13 0xc01fdf08 in trap_fatal (frame=0xc0243e28, eva=4) at ../../i386/i386/trap.c:956
 #14 0xc01fdb9d in trap_pfault (frame=0xc0243e28, usermode=0, eva=4) at ../../i386/i386/trap.c:849
 #15 0xc01fd72f in trap (frame={tf_fs = -1071382512, tf_es = -1071972336, tf_ds = -1063387120, tf_edi = 1, 
       tf_esi = -1064330496, tf_ebp = -1071366544, tf_isp = -1071366572, tf_ebx = -1064579264, tf_edx = 64,
       tf_ecx = 0, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1071917682, tf_cs = 8, 
       tf_eflags = 66055, tf_esp = -1064330496, tf_ss = -1064611840}) at ../../i386/i386/trap.c:448
 #16 0xc01bd58e in uhci_check_intr (sc=0xc08b5000, ii=0xc08f9b00) at ../../dev/usb/uhci.c:1029
 #17 0xc01bd517 in uhci_intr (arg=0xc08b5000) at ../../dev/usb/uhci.c:990
 (kgdb) up 16
 #16 0xc01bd58e in uhci_check_intr (sc=0xc08b5000, ii=0xc08f9b00) at ../../dev/usb/uhci.c:1029
 1029			for (std = ii->stdstart; std != lstd; std = std->link.std) {
 (kgdb) up 1
 #17 0xc01bd517 in uhci_intr (arg=0xc08b5000) at ../../dev/usb/uhci.c:990
 990			uhci_check_intr(sc, ii);
 (kgdb) q
 [root@a15 crash]# exit
 
 Script done on Wed May 29 18:54:24 2002
 --- gdb-session ends here ---
 
 --- dmesg begins here ---
 Copyright (c) 1992-2002 The FreeBSD Project.
 Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
 	The Regents of the University of California. All rights reserved.
 FreeBSD 4.5-RELEASE #0: Wed May 29 19:08:26 MSD 2002
     root@a15.ratmir.tver.ru:/usr/src/sys/compile/A15-KRON
 Timecounter "i8254"  frequency 1193182 Hz
 Timecounter "TSC"  frequency 400911035 Hz
 CPU: Pentium II/Pentium II Xeon/Celeron (400.91-MHz 686-class CPU)
   Origin = "GenuineIntel"  Id = 0x652  Stepping = 2
   Features=0x183f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR>
 real memory  = 67096576 (65524K bytes)
 avail memory = 62480384 (61016K bytes)
 Preloaded elf kernel "kernel" at 0xc02d4000.
 Preloaded elf module "if_fxp.ko" at 0xc02d409c.
 Preloaded elf module "miibus.ko" at 0xc02d413c.
 Pentium Pro MTRR support enabled
 Using $PIR table, 7 entries at 0xc00f0d10
 npx0: <math processor> on motherboard
 npx0: INT 16 interface
 pcib0: <Intel 82443BX (440 BX) host to PCI bridge> on motherboard
 pci0: <PCI bus> on pcib0
 pcib1: <Intel 82443BX (440 BX) PCI-PCI (AGP) bridge> at device 1.0 on pci0
 pci1: <PCI bus> on pcib1
 pci1: <Trident model 9850 VGA-compatible display device> at 0.0 irq 11
 isab0: <Intel 82371AB PCI to ISA bridge> at device 4.0 on pci0
 isa0: <ISA bus> on isab0
 atapci0: <Intel PIIX4 ATA33 controller> port 0xd800-0xd80f at device 4.1 on pci0
 ata0: at 0x1f0 irq 14 on atapci0
 uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xd400-0xd41f irq 5 at device 4.2 on pci0
 usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
 usb0: USB revision 1.0
 uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
 uhub0: 2 ports with 2 removable, self powered
 uhub1: Texas Instruments TUSB2046 hub, class 9/0, rev 1.10/1.25, addr 2
 uhub1: 4 ports with 4 removable, bus powered
 chip1: <Intel 82371AB Power management controller> port 0xe800-0xe80f at device 4.3 on pci0
 kron0: <KRON-PCI multiport card> port 0xd000-0xd07f irq 12 at device 10.0 on pci0
 kron0: driver is using old-style compatibility shims
 fxp0: <Intel Pro 10/100B/100+ Ethernet> port 0xb800-0xb81f mem 0xe0800000-0xe08fffff,0xe3000000-0xe3000fff irq 10 at device 11.0 on pci0
 fxp0: Ethernet address 00:a0:c9:6b:f0:ac
 inphy0: <i82555 10/100 media interface> on miibus0
 inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
 orm0: <Option ROM> at iomem 0xc0000-0xcbfff on isa0
 fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
 fdc0: FIFO enabled, 8 bytes threshold
 fd0: <1440-KB 3.5" drive> on fdc0 drive 0
 atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
 atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
 kbd0 at atkbd0
 vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
 sc0: <System console> at flags 0x100 on isa0
 sc0: VGA <16 virtual consoles, flags=0x300>
 sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
 sio0: type 16550A
 sio1 at port 0x2f8-0x2ff irq 3 on isa0
 sio1: type 16550A
 ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
 ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
 ppc0: FIFO with 16/16/9 bytes threshold
 lpt0: <Printer> on ppbus0
 lpt0: Interrupt-driven port
 sio2 at port 0xd000-0xd007 irq 12 flags 0x205 on isa0
 sio2: type 16550A (multiport master)
 sio3 at port 0xd008-0xd00f flags 0x205 on isa0
 sio3: type 16550A (multiport)
 sio4 at port 0xd010-0xd017 flags 0x205 on isa0
 sio4: type 16550A (multiport)
 sio5 at port 0xd018-0xd01f flags 0x205 on isa0
 sio5: type 16550A (multiport)
 ad0: 9541MB <WDC WD100EB-00BHF0> [19386/16/63] at ata0-master UDMA33
 Mounting root from ufs:/dev/ad0s2a
 --- dmesg ends here ---
 
 
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: johan 
Responsible-Changed-When: Mon Jun 3 17:41:21 PDT 2002 
Responsible-Changed-Why:  
Misfilled PR 

http://www.freebsd.org/cgi/query-pr.cgi?pr=38736 
State-Changed-From-To: open->feedback 
State-Changed-By: kris 
State-Changed-When: Mon Jul 14 03:28:55 PDT 2003 
State-Changed-Why:  
Does this problem persist in recent releases?  There have 
been a number of changes to the USB code. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=38736 
Responsible-Changed-From-To: freebsd-bugs->joe 
Responsible-Changed-By: kris 
Responsible-Changed-When: Thu Jul 17 17:49:50 PDT 2003 
Responsible-Changed-Why:  
Assign to USB maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=38736 

From: Josef Karthauser <joe@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org,
	Paul Argentoff <argentoff@rtelekom.ru>
Cc:  
Subject: Re: kern/38736 (kernel panic during memory stick removal)
Date: Sat, 8 Nov 2003 12:25:06 +0000

 Are you unmounting the memory card before removing it?  The stack trace
 suggests that you are not.
 
 Joe
 --=20
 Josef Karthauser (joe@tao.org.uk)	       http://www.josef-k.net/
 FreeBSD (cvs meister, admin and hacker)     http://www.uk.FreeBSD.org/
 Physics Particle Theory (student)   http://www.pact.cpes.sussex.ac.uk/
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D An eclectic mix of fact an=
 d theory. =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Responsible-Changed-From-To: joe->freebsd-usb 
Responsible-Changed-By: joe 
Responsible-Changed-When: Mon Nov 22 11:06:04 GMT 2004 
Responsible-Changed-Why:  
Hand this over to the USB list. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=38736 
State-Changed-From-To: feedback->closed 
State-Changed-By: julian 
State-Changed-When: Sun Jan 9 07:11:45 GMT 2005 
State-Changed-Why:  
Seems like pilot error. 
Submitter fails to respond to requests for more info. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=38736 
>Unformatted:
