From amir@active.ath.cx  Wed Sep  8 11:40:44 2004
Message-Id: <20040908114024.4029B5CE6@active.ath.cx>
Date: Wed,  8 Sep 2004 14:40:24 +0300 (IDT)
From: Amir Shalem <amir@boom.org.il>
Reply-To: Amir@active.ath.cx, amir@boom.org.il
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: printing under usb printer causes a kernel panic
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         71491
>Category:       kern
>Synopsis:       [usb] [panic] printing under usb printer causes a kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-usb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 08 11:50:23 GMT 2004
>Closed-Date:    Sun Dec 12 08:49:11 GMT 2004
>Last-Modified:  Sun Dec 12 08:49:11 GMT 2004
>Originator:     Amir Shalem
>Release:        FreeBSD 5.3-BETA3 i386
>Organization:
>Environment:
System: FreeBSD vmware.active.ath.cx 5.3-BETA3 FreeBSD 5.3-BETA3 #2: Wed Sep 8 13:37:55 IDT 2004 root@vmware.active.ath.cx:/usr/src/sys/i386/compile/VMWARE i386

	I have set up a test machine under vmware, where I installed 5.3-beta3.
	The printer is an HP DeskJet 3650.
	I use it under cups + hpijs-cups (not in ports).

>Description:
	This bug also happens with 6-current.

	I have tried this with:
		official 5.3-beta3 kernel
		5.3-beta3 + ule  + usb_debug (at level 10)
		5.3-beta3 + 4bsd + usb_debug (at level 10)
	In all conditions I got the crash;
	with usb_debug I got it _right away_,
	whereas with the official kernel I had to print multiple times in cups.

	The problem is that printing via cups, printing a test page for example,
	causes the bug.

	If I turn DIAGNOSTIC on, the bug does appear.

	I have kernel dumps + kernel.debug for all kinds of kernels (on request);
	here are the dmesg and backtrace of 4bsd+usbdebug:

TD(0xc12e3f60) at 04c77f60 = link=0x04c77f84 status=0x388003ff token=0x07e90269
  4c77f84<VF> 388003ff<ACTIVE,SPD>,errcnt=3,actlen=0 pid=69,addr=2,endpt=2,D=1,m
TD(0xc12e3f80) at 04c77f80 = link=0x00000005 status=0x398003ff token=0x07e10269
  5<T,VF> 398003ff<ACTIVE,IOC,SPD>,errcnt=3,actlen=0 pid=69,addr=2,endpt=2,D=0,m
uhci_start_loop: add
ulpt_tick: err=1
uhci_timeout: uxfer=0xc16a8a00
usb_add_task: task=0xc16a8a84
usb_transfer_complete: pipe=0xc16a6a00 xfer=0xc16a8a00 status=0 actlen=0
usb_transfer_complete: repeat=0 new head=0
ulpt_read_cb: start sc=0xc13ae880, err=0 n=0
uhci_device_bulk_done: xfer=0xc16a8a00 ii=0xc16a8a6c sc=0xc12e1000 upipe=0xc16a6
uhci_end_loop: remove
uhci_device_bulk_done: length=0
usbd_start_next: pipe=0xc16a6a00, xfer=0
usb_task_thread: woke up task=0xc16a8a84
uhci_timeout_task: xfer=0xc16a8a00
uhci_abort_xfer: xfer=0xc16a8a00, status=15
uhci_abort_xfer: stop ii=0xc16a8a6c
uhci_abort_xfer: callback
usb_transfer_complete: pipe=0xc16a6a00 xfer=0xc16a8a00 status=15 actlen=0

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x4c
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc05b398d
stack pointer           = 0x10:0xc636ccbc
frame pointer           = 0x10:0xc636ccd8
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 46 (usbtask)
panic: from debugger

	and backtrace:
#25 0xc05b398d in usb_transfer_complete (xfer=0xc16a8a00)
    at ../../../dev/usb/usbdi.c:819
#26 0xc05a390a in uhci_abort_xfer (xfer=0xc16a8a00, status=USBD_TIMEOUT)
    at ../../../dev/usb/uhci.c:1994
#27 0xc05a2f08 in uhci_timeout_task (addr=0xc16a8a00)
    at ../../../dev/usb/uhci.c:1533
#28 0xc05afd45 in usb_task_thread (arg=0x0) at ../../../dev/usb/usb.c:464
#29 0xc05f29dc in fork_exit (callout=0xc05afc98 <usb_task_thread>, arg=0x0,
    frame=0xc636cd48) at ../../../kern/kern_fork.c:820
#30 0xc077ae6c in fork_trampoline () at ../../../i386/i386/exception.s:209
(kgdb) frame 25
#25 0xc05b398d in usb_transfer_complete (xfer=0xc16a8a00)
    at ../../../dev/usb/usbdi.c:819
819                     SIMPLEQ_REMOVE_HEAD(&pipe->queue, next);
(kgdb) print pipe->queue
$1 = {stqh_first = 0x0, stqh_last = 0xc16a6a14}
(kgdb) print *pipe->queue->stqh_last
$2 = (struct usbd_xfer *) 0x0
(kgdb) q


	Basically, the pipe queue is empty when reaching this code,
	and the code expects to have something in the queue.

>How-To-Repeat:
	Boot kernel with USB_DEBUG, and set:
		hw.usb.debug=10
		hw.usb.ulpt.debug=10
		hw.usb.uhci.debug=10
	and try to print to your usb printer.

>Fix:
	Unknown.
	Maybe add a check to see if the queue is already empty?
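
The failure described above (a second completion removing the head of an already-empty pipe queue) and the check suggested under Fix, as an added user-space C model. It is not the FreeBSD source and not the change committed in uhci.c revision 1.157; the struct and function names are assumptions for this example, with only `stqh_first`/`stqh_last` and the status values 0 and 15 taken from the report.

```c
#include <stddef.h>

/* User-space model of the queue seen in the kgdb output; the struct names are
 * assumptions for this example, not the FreeBSD definitions. */
struct xfer { struct xfer *next; int status; };
struct upipe {
    struct xfer *stqh_first;   /* head, NULL when the queue is empty */
    struct xfer **stqh_last;   /* address of the last 'next' pointer */
};

static void pipe_init(struct upipe *p) {
    p->stqh_first = NULL;
    p->stqh_last = &p->stqh_first;
}

static void pipe_enqueue(struct upipe *p, struct xfer *x) {
    x->next = NULL;
    *p->stqh_last = x;
    p->stqh_last = &x->next;
}

/* Unchecked head removal: with stqh_first == NULL this reads NULL->next,
 * the kind of access that faults at a small address in a kernel. */
static void remove_head_unchecked(struct upipe *p) {
    if ((p->stqh_first = p->stqh_first->next) == NULL)
        p->stqh_last = &p->stqh_first;
}

/* Checked completion: dequeue only while x is still at the head.
 * Returns 0 if x was completed now, -1 if it had already been removed. */
static int complete_checked(struct upipe *p, struct xfer *x, int status) {
    if (x == NULL || p->stqh_first != x) return -1;  /* covers empty queue */
    remove_head_unchecked(p);  /* safe here: the head is known to be x */
    x->status = status;
    return 0;
}

/* Replays the logged order: normal completion (status=0), then the timeout
 * task aborting the same transfer (status=15). Returns 1 if handled. */
static int replay_double_completion(void) {
    struct upipe p; struct xfer x = { NULL, -1 };
    pipe_init(&p);
    pipe_enqueue(&p, &x);
    int first = complete_checked(&p, &x, 0);
    int second = complete_checked(&p, &x, 15);
    return first == 0 && second == -1 && x.status == 0 && p.stqh_first == NULL;
}

int main(void) { return replay_double_completion() ? 0 : 1; }
```

A check like this only stops the crash at the dequeue; the two completion paths racing for one transfer still have to be serialized by whoever owns the transfer's state.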

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-usb 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Nov 4 07:11:23 GMT 2004 
Responsible-Changed-Why:  
Reassign to appropriate mailing list. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71491 
State-Changed-From-To: open->patched 
State-Changed-By: iedowse 
State-Changed-When: Tue Nov 9 21:50:17 GMT 2004 
State-Changed-Why:  

This should now be fixed in -CURRENT by revision 1.157 of uhci.c. 

State-Changed-From-To: patched->feedback 
State-Changed-By: julian 
State-Changed-When: Sun Dec 12 05:48:36 GMT 2004 
State-Changed-Why:  
waiting to hear if the bug is fixed. 

State-Changed-From-To: feedback->closed 
State-Changed-By: julian 
State-Changed-When: Sun Dec 12 08:48:43 GMT 2004 
State-Changed-Why:  
Submitter confirms fixed. 

>Unformatted:
