From mdtancsa@customer.sentex.ca  Fri Apr  1 05:06:40 2005
Return-Path: <mdtancsa@customer.sentex.ca>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A038116A4D4
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  1 Apr 2005 05:06:40 +0000 (GMT)
Received: from avscan2.sentex.ca (avscan2.sentex.ca [199.212.134.19])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B5EE343D46
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  1 Apr 2005 05:06:39 +0000 (GMT)
	(envelope-from mdtancsa@customer.sentex.ca)
Received: from localhost (localhost.sentex.ca [127.0.0.1])
	by avscan2.sentex.ca (8.12.11/8.12.11) with ESMTP id j3156fdr075633
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 1 Apr 2005 00:06:41 -0500 (EST)
	(envelope-from mdtancsa@customer.sentex.ca)
Received: from avscan2.sentex.ca ([127.0.0.1])
 by localhost (avscan2.sentex.ca [127.0.0.1]) (amavisd-new, port 10024)
 with LMTP id 75562-01 for <FreeBSD-gnats-submit@freebsd.org>;
 Fri,  1 Apr 2005 00:06:41 -0500 (EST)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18])
	by avscan2.sentex.ca (8.12.11/8.12.11) with ESMTP id j3156ebE075619
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 1 Apr 2005 00:06:40 -0500 (EST)
	(envelope-from mdtancsa@customer.sentex.ca)
Received: from releng5-865.sentex.ca ([192.168.43.34])
	by lava.sentex.ca (8.12.11/8.12.11) with ESMTP id j3156Wk7029413
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 1 Apr 2005 00:06:32 -0500 (EST)
	(envelope-from mdtancsa@customer.sentex.ca)
Received: from releng5-865.sentex.ca (localhost [127.0.0.1])
	by releng5-865.sentex.ca (8.13.3/8.13.1) with ESMTP id j3156Whw002668
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 1 Apr 2005 00:06:32 -0500 (EST)
	(envelope-from mdtancsa@releng5-865.sentex.ca)
Received: (from root@localhost)
	by releng5-865.sentex.ca (8.13.3/8.13.1/Submit) id j3156W8C002667;
	Fri, 1 Apr 2005 00:06:32 -0500 (EST)
	(envelope-from mdtancsa)
Message-Id: <200504010506.j3156W8C002667@releng5-865.sentex.ca>
Date: Fri, 1 Apr 2005 00:06:32 -0500 (EST)
From: mike@sentex.net
Reply-To: mike@sentex.net
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: panic using uplcom or uftdi serial adaptor and modem (USB)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         79420
>Category:       kern
>Synopsis:       panic using uplcom or uftdi serial adaptor and modem (USB)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    iedowse
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 01 05:10:11 GMT 2005
>Closed-Date:    Sun Apr 17 02:59:25 GMT 2005
>Last-Modified:  Sun Apr 17 02:59:25 GMT 2005
>Originator:     Mike Tancsa
>Release:        FreeBSD 5.4-PRERELEASE i386
>Organization:
Sentex Communications
>Environment:
System: FreeBSD releng5-865.sentex.ca 5.4-PRERELEASE FreeBSD 5.4-PRERELEASE #9: Thu Mar 31 17:28:54 EST 2005 mdtancsa@releng5-865.sentex.ca:/usr/obj/usr/src/sys/pioneer i386

>Description:
	If an application is blasting out data on a modem attached to a USB serial adaptor the box will eventually
	panic. On the box I was testing on, about 1 to 4 hrs

[releng5-865]# kgdb kernel.debug /var/crash/vmcore.14 
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
#0  doadump () at pcpu.h:159
159             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc0520f5a in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:410
#2  0xc05211f0 in panic (fmt=0xc06fdc75 "uhci_abort_xfer: not in process context") at /usr/src/sys/kern/kern_shutdown.c:566
#3  0xc04c7143 in uhci_abort_xfer (xfer=0xc1910300, status=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usb/uhci.c:1958
#4  0xc04c70c5 in uhci_device_bulk_abort (xfer=0xc1910300) at /usr/src/sys/dev/usb/uhci.c:1921
#5  0xc04d43b7 in usbd_ar_pipe (pipe=0xc19bf500) at /usr/src/sys/dev/usb/usbdi.c:762
#6  0xc04d411b in usbd_abort_pipe (pipe=0xc19bf500) at /usr/src/sys/dev/usb/usbdi.c:556
#7  0xc04c3d4d in ucomstopread (sc=0x0) at /usr/src/sys/dev/usb/ucom.c:1160
#8  0xc04c3912 in ucomstop (tp=0xc166ee00, flag=1) at /usr/src/sys/dev/usb/ucom.c:934
#9  0xc054c88f in ttyflush (tp=0xc166ee00, rw=1) at /usr/src/sys/kern/tty.c:1420
#10 0xc054ac49 in ttyinput (c=26, tp=0xc166ee00) at /usr/src/sys/kern/tty.c:445
#11 0xc04c3c3d in ucomreadcb (xfer=0xc1910300, p=0xc1617e80, status=USBD_NORMAL_COMPLETION) at linedisc.h:122
#12 0xc04d44f8 in usb_transfer_complete (xfer=0xc1910300) at /usr/src/sys/dev/usb/usbdi.c:851
#13 0xc04c69ab in uhci_idone (ii=0x0) at /usr/src/sys/dev/usb/uhci.c:1500
#14 0xc04c6888 in uhci_check_intr (sc=0xc15e0000, ii=0xc191036c) at /usr/src/sys/dev/usb/uhci.c:1375
#15 0xc04c67da in uhci_softintr (v=0xc15e0000) at /usr/src/sys/dev/usb/uhci.c:1305
#16 0xc04d1995 in usb_schedsoftintr (bus=0x0) at /usr/src/sys/dev/usb/usb.c:864
#17 0xc04c67a7 in uhci_intr1 (sc=0xc15e0000) at /usr/src/sys/dev/usb/uhci.c:1275
#18 0xc04c6638 in uhci_intr (arg=0xc15e0000) at /usr/src/sys/dev/usb/uhci.c:1190
#19 0xc050d86d in ithread_loop (arg=0xc14f7400) at /usr/src/sys/kern/kern_intr.c:547
#20 0xc050cb00 in fork_exit (callout=0xc050d71c <ithread_loop>, arg=0xc14f7400, frame=0xcbc67d48)
    at /usr/src/sys/kern/kern_fork.c:790
#21 0xc06a3fec in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:209
(kgdb) bt full
#0  doadump () at pcpu.h:159
No locals.
#1  0xc0520f5a in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:410
        first_buf_printf = 1
#2  0xc05211f0 in panic (fmt=0xc06fdc75 "uhci_abort_xfer: not in process context") at /usr/src/sys/kern/kern_shutdown.c:566
        td = (struct thread *) 0xc14fa000
        bootopt = 260
        newpanic = 0
        ap = 0xc14fa000 "\001PO"
        buf = "uhci_abort_xfer: not in process context", '\0' <repeats 216 times>
#3  0xc04c7143 in uhci_abort_xfer (xfer=0xc1910300, status=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usb/uhci.c:1958
        uxfer = (struct uhci_xfer *) 0xc1910300
        ii = (uhci_intr_info_t *) 0xc191036c
        upipe = (struct uhci_pipe *) 0xc19bf500
        sc = (uhci_softc_t *) 0xc15e0000
        std = (uhci_soft_td_t *) 0x0
#4  0xc04c70c5 in uhci_device_bulk_abort (xfer=0xc1910300) at /usr/src/sys/dev/usb/uhci.c:1921
No locals.
#5  0xc04d43b7 in usbd_ar_pipe (pipe=0xc19bf500) at /usr/src/sys/dev/usb/usbdi.c:762
        xfer = 0x0
#6  0xc04d411b in usbd_abort_pipe (pipe=0xc19bf500) at /usr/src/sys/dev/usb/usbdi.c:556
        err = USBD_NORMAL_COMPLETION
#7  0xc04c3d4d in ucomstopread (sc=0x0) at /usr/src/sys/dev/usb/ucom.c:1160
No locals.
#8  0xc04c3912 in ucomstop (tp=0xc166ee00, flag=1) at /usr/src/sys/dev/usb/ucom.c:934
        sc = (struct ucom_softc *) 0xc1617e80
#9  0xc054c88f in ttyflush (tp=0xc166ee00, rw=1) at /usr/src/sys/kern/tty.c:1420
No locals.
#10 0xc054ac49 in ttyinput (c=26, tp=0xc166ee00) at /usr/src/sys/kern/tty.c:445
        iflag = 11010
        lflag = 1483
        cc = (cc_t *) 0xc166eeb4 "\004\177\027\025\022\b\003\034\032\031\021\023\026\017\001"
        i = 0
        err = 0
#11 0xc04c3c3d in ucomreadcb (xfer=0xc1910300, p=0xc1617e80, status=USBD_NORMAL_COMPLETION) at linedisc.h:122
        sc = (struct ucom_softc *) 0xc1617e80
        tp = (struct tty *) 0xc166ee00
        err = USBD_NORMAL_COMPLETION
        cc = 10
        cp = (u_char *) 0xc15e9e6d "\032\033\034\035\036\037 !\"#"
        lostcc = 0
#12 0xc04d44f8 in usb_transfer_complete (xfer=0xc1910300) at /usr/src/sys/dev/usb/usbdi.c:851
        pipe = 0xc19bf500
        dmap = (usb_dma_t *) 0xc191033c
        sync = 0
        erred = 0
---Type <return> to continue, or q <return> to quit---
        repeat = 0
        polling = 0
#13 0xc04c69ab in uhci_idone (ii=0x0) at /usr/src/sys/dev/usb/uhci.c:1500
        xfer = 0xc1910300
        upipe = (struct uhci_pipe *) 0xc19bf500
        std = (uhci_soft_td_t *) 0x0
        status = 0
        nstatus = 0
        actlen = 55
#14 0xc04c6888 in uhci_check_intr (sc=0xc15e0000, ii=0xc191036c) at /usr/src/sys/dev/usb/uhci.c:1375
        std = (uhci_soft_td_t *) 0x0
        lstd = (uhci_soft_td_t *) 0xc15e5f80
        status = 0
#15 0xc04c67da in uhci_softintr (v=0xc15e0000) at /usr/src/sys/dev/usb/uhci.c:1305
        sc = (uhci_softc_t *) 0xc15e0000
        ii = (uhci_intr_info_t *) 0x0
        nextii = (uhci_intr_info_t *) 0x0
#16 0xc04d1995 in usb_schedsoftintr (bus=0x0) at /usr/src/sys/dev/usb/usb.c:864
No locals.
#17 0xc04c67a7 in uhci_intr1 (sc=0xc15e0000) at /usr/src/sys/dev/usb/uhci.c:1275
        status = 1
        ack = 1
#18 0xc04c6638 in uhci_intr (arg=0xc15e0000) at /usr/src/sys/dev/usb/uhci.c:1190
        sc = (uhci_softc_t *) 0x0
#19 0xc050d86d in ithread_loop (arg=0xc14f7400) at /usr/src/sys/kern/kern_intr.c:547
        ithd = (struct ithd *) 0xc14f7400
        ih = (struct intrhand *) 0xc15db740
        td = (struct thread *) 0xc14fa000
        p = (struct proc *) 0xc15001c4
        count = 0
        warming = 0
        warned = 0
#20 0xc050cb00 in fork_exit (callout=0xc050d71c <ithread_loop>, arg=0xc14f7400, frame=0xcbc67d48)
    at /usr/src/sys/kern/kern_fork.c:790
        p = (struct proc *) 0xc15001c4
        td = (struct thread *) 0x0
#21 0xc06a3fec in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:209
No locals.
(kgdb) 
[releng5-865]# cat /var/run/dmesg.boot 
Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 5.4-PRERELEASE #9: Thu Mar 31 17:28:54 EST 2005
    mdtancsa@releng5-865.sentex.ca:/usr/obj/usr/src/sys/pioneer
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Celeron(R) CPU 2.40GHz (2400.41-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0xf33  Stepping = 3
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
real memory  = 267321344 (254 MB)
avail memory = 251940864 (240 MB)
ACPI APIC Table: <AOpen  AWRDACPI>
ioapic0 <Version 2.0> irqs 0-23 on motherboard
npx0: <math processor> on motherboard
npx0: INT 16 interface
acpi0: <AOpen AWRDACPI> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
agp0: <Intel 82865G (865G GMCH) SVGA controller> port 0xd000-0xd007 mem 0xfa000000-0xfa07ffff,0xf0000000-0xf7ffffff irq 16 at device 2.0 on pci0
agp0: detected 892k stolen memory
agp0: aperture size is 128M
uhci0: <Intel 82801EB (ICH5) USB controller USB-A> port 0xc000-0xc01f irq 16 at device 29.0 on pci0
usb0: <Intel 82801EB (ICH5) USB controller USB-A> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: <Intel 82801EB (ICH5) USB controller USB-B> port 0xc400-0xc41f irq 19 at device 29.1 on pci0
usb1: <Intel 82801EB (ICH5) USB controller USB-B> on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2: <Intel 82801EB (ICH5) USB controller USB-C> port 0xc800-0xc81f irq 18 at device 29.2 on pci0
usb2: <Intel 82801EB (ICH5) USB controller USB-C> on uhci2
usb2: USB revision 1.0
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3: <Intel 82801EB (ICH5) USB controller USB-D> port 0xcc00-0xcc1f irq 16 at device 29.3 on pci0
usb3: <Intel 82801EB (ICH5) USB controller USB-D> on uhci3
usb3: USB revision 1.0
uhub3: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
pcib1: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci1: <ACPI PCI bus> on pcib1
rl0: <RealTek 8139 10/100BaseTX> port 0xa000-0xa0ff mem 0xf9000000-0xf90000ff irq 16 at device 4.0 on pci1
miibus0: <MII bus> on rl0
rlphy0: <RealTek internal media interface> on miibus0
rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
rl0: Ethernet address: 00:50:fc:f9:6b:7a
pci1: <simple comms, UART> at device 5.0 (no driver attached)
fxp0: <Intel 82801BA (D865) Pro/100 VE Ethernet> port 0xa800-0xa83f mem 0xf9001000-0xf9001fff irq 20 at device 8.0 on pci1
miibus1: <MII bus> on fxp0
inphy0: <i82562ET 10/100 media interface> on miibus1
inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp0: Ethernet address: 00:01:80:54:b3:b8
puc0: <Lava Computers Quattro-PCI serial port> port 0xb000-0xb007,0xac00-0xac07 irq 18 at device 10.0 on pci1
sio4: <Lava Computers Quattro-PCI serial port> on puc0
sio4: type 16550A
sio4: unable to activate interrupt in fast mode - using normal mode
sio5: <Lava Computers Quattro-PCI serial port> on puc0
sio5: type 16550A
sio5: unable to activate interrupt in fast mode - using normal mode
puc1: <Lava Computers Quattro-PCI serial port> port 0xb800-0xb807,0xb400-0xb407 irq 18 at device 10.1 on pci1
sio6: <Lava Computers Quattro-PCI serial port> on puc1
sio6: type 16550A
sio6: unable to activate interrupt in fast mode - using normal mode
sio7: <Lava Computers Quattro-PCI serial port> on puc1
sio7: type 16550A
sio7: unable to activate interrupt in fast mode - using normal mode
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel ICH5 UDMA100 controller> port 0xf000-0xf00f,0x376,0x170-0x177,0x3f6,0x1f0-0x1f7 at device 31.1 on pci0
ata0: channel #0 on atapci0
ata1: channel #1 on atapci0
pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
acpi_tz0: <Thermal Zone> on acpi0
fdc0: <floppy drive controller> port 0x3f7,0x3f0-0x3f5 irq 6 drq 2 on acpi0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A, console
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
atkbdc0: <Keyboard controller (i8042)> port 0x64,0x60 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
orm0: <ISA Option ROM> at iomem 0xc0000-0xc9fff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
ucom0: FTDI USB FAST SERIAL ADAPTER, rev 2.00/5.00, addr 2
Timecounter "TSC" frequency 2400412599 Hz quality 800
Timecounters tick every 10.000 msec
Fast IPsec: Initialized Security Association Processing.
ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to accept, logging limited to 31000 packets/entry by default
ad0: 38166MB <ST340014A/3.06> [77545/16/63] at ata0-master UDMA100
Mounting root from ufs:/dev/ad0s1a
WARNING: / was not properly dismounted
[releng5-865]# 

>How-To-Repeat:
	connect via dialup modem on the other end of an USB-RS232 adaptor (uplcom of utfdi)
and run the following program

#!/usr/bin/perl
#
# replace $target with an IP you can ping across the dialup connection
#
srand (time ^ $$ ^ unpack "%L*", `ps axww | gzip`);

$target="192.168.1.10";

while (1) {

$len = int(rand( 1200 ) ) + 25;
$cnt = int(rand( 20 ) ) + 1;
$slp = int(rand( 9 ) ) + 1;

        $cmd="/sbin/ping -q -i .5 -c $cnt -s $len $target";
        select(undef, undef, undef, (1/$slp));
        system($cmd);
}


>Fix:

	More details and analysis at
	http://lists.freebsd.org/pipermail/freebsd-usb/2005-March/000855.html


>Release-Note:
>Audit-Trail:

From: Mike Tancsa <mike@sentex.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/79420: panic using uplcom or uftdi serial adaptor and
  modem (USB)
Date: Sun, 03 Apr 2005 11:45:04 -0400

 Ian Dowse provided the patch below which seems to stop the panics.  At 
 least 24hrs of testing has not resulted in a panic yet.
 
 --------------------------------------------
 
 In this case I wonder if the transfer needs to be aborted at all,
 since it is just restarted immediately afterwards. Mike, maybe you
 could try the following patch? Sorry, I haven't tested this, so I
 may be missing something obvious.
 
 Ian
 
 Index: dev/usb/ucom.c
 ===================================================================
 RCS file: /dump/FreeBSD-CVS/src/sys/dev/usb/ucom.c,v
 retrieving revision 1.51.2.2
 diff -u -r1.51.2.2 ucom.c
 --- dev/usb/ucom.c	30 Jan 2005 01:00:10 -0000	1.51.2.2
 +++ dev/usb/ucom.c	2 Apr 2005 13:10:27 -0000
 @@ -929,11 +929,13 @@
 
   	DPRINTF(("ucomstop: %d\n", flag));
 
 +#if 0
   	if (flag & FREAD) {
   		DPRINTF(("ucomstop: read\n"));
   		ucomstopread(sc);
   		ucomstartread(sc);
   	}
 +#endif
 
   	if (flag & FWRITE) {
   		DPRINTF(("ucomstop: write\n"));
 

From: Bruce Evans <bde@zeta.org.au>
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-gnats-submit@FreeBSD.ORG, iedowse@FreeBSD.ORG
Subject: Re: kern/79420: panic using uplcom or uftdi serial adaptor and modem
 (USB)
Date: Mon, 4 Apr 2005 22:19:47 +1000 (EST)

 On Sun, 3 Apr 2005, Mike Tancsa wrote:
 
 > Ian Dowse provided the patch below which seems to stop the panics.  At
 > least 24hrs of testing has not resulted in a panic yet.
 >
 > --------------------------------------------
 >
 > In this case I wonder if the transfer needs to be aborted at all,
 > since it is just restarted immediately afterwards. Mike, maybe you
 > could try the following patch? Sorry, I haven't tested this, so I
 > may be missing something obvious.
 
 > Index: dev/usb/ucom.c
 > ===================================================================
 > RCS file: /dump/FreeBSD-CVS/src/sys/dev/usb/ucom.c,v
 > retrieving revision 1.51.2.2
 > diff -u -r1.51.2.2 ucom.c
 > --- dev/usb/ucom.c	30 Jan 2005 01:00:10 -0000	1.51.2.2
 > +++ dev/usb/ucom.c	2 Apr 2005 13:10:27 -0000
 > @@ -929,11 +929,13 @@
 >
 >   	DPRINTF(("ucomstop: %d\n", flag));
 >
 > +#if 0
 >   	if (flag & FREAD) {
 >   		DPRINTF(("ucomstop: read\n"));
 >   		ucomstopread(sc);
 >   		ucomstartread(sc);
 >   	}
 > +#endif
 >
 >   	if (flag & FWRITE) {
 >   		DPRINTF(("ucomstop: write\n"));
 >
 
 The (flag & FREAD) case is supposed to flush input as much as possible
 (from any driver buffers and from hardware buffers if possible).  Starting
 and stopping the transfer is an attempt to do this.  I don't know if it
 works.
 
 PR 65769 is about a nearby bug in ucomstop().  The ucomstartread() in
 the above was missing, so flushing input often caused input to hang.
 This seems to have been fixed by adding the ucomstartcall() in rev.1.56,
 but the PR has not been closed.  I wrote a detailed analysis which
 pointed out the bogusness of just removing the FREAD support as above
 and wondered about other calls to ucomstopread(): there is a call in
 ucomparam(); it may be necessary to stop input while changing the
 parameters, but if stopping input has the side effect of flushing
 input as it should do for the above to work, then it is bad to stop
 input in ucomparam(), since TIOCSETA is supposed to _not_ flush input
 (only TIOCSETAF should flush input).
 
 The bug here seems to be that ucomstopread(sc) doesn't work when it is
 called in usb interrupt context while handling usb input, but it ucomstop()
 needs to work in this context since such calls are normal -- e.g., they
 occur whenever you type the interrupt character (if there is an interrupt
 character, and noflsh is not set).  The sio driver avoids potential
 problems in this area almost accidentally by doing the character handling
 in a software interrupt handler.  ucom also uses a software interrupt
 handler; however, it is soft only by name, since USB_USE_SOFTINTR is
 not configured in FreeBSD despite FreeBSD probably needing it more than
 NetBSD which has it configured.
 
 Bruce

From: Ian Dowse <iedowse@maths.tcd.ie>
To: Bruce Evans <bde@zeta.org.au>
Cc: Mike Tancsa <mike@sentex.net>, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/79420: panic using uplcom or uftdi serial adaptor and modem (USB) 
Date: Mon, 04 Apr 2005 21:08:14 +0100

 In message <20050404211652.F34170@delplex.bde.org>, Bruce Evans writes:
 >The (flag & FREAD) case is supposed to flush input as much as possible
 >(from any driver buffers and from hardware buffers if possible).  Starting
 >and stopping the transfer is an attempt to do this.  I don't know if it
 >works.
 
 
 Hi Bruce,
 
 Thanks for pointing out more about the bug history. In theory, I
 think stopping and immediately restarting a USB read transfer is a
 no-op due to USB's polled architecture (USB transfers are repeatedly
 re-attempted until they succeed or time out, and the USB device
 only sees this polling, not the transfer state). However in practice
 the abort-start operation will cancel any already-completed transfer
 that may be waiting on Giant for processing. It will not flush any
 input that the device happens to have waiting to be collected.
 
 In this case, removing the stop-start pair is just a temporary but
 effective workaround, as it avoids the panics at the cost of an
 increased risk of failing to flush all input. It seems possible
 to implement an asynchronous abort mechanism for USB pipes, so
 that may be a better way to handle transfers that need to be
 aborted from odd contexts.
 
 Interestingly, this panic does not seem to occur in -CURRENT, but
 I haven't investigated what is different there.
 
 Ian

From: Mike Tancsa <mike@sentex.net>
To: Ian Dowse <iedowse@maths.tcd.ie>, Bruce Evans <bde@zeta.org.au>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/79420: panic using uplcom or uftdi serial adaptor and
  modem (USB) 
Date: Mon, 04 Apr 2005 16:46:21 -0400

 At 04:08 PM 04/04/2005, Ian Dowse wrote:
 >In message <20050404211652.F34170@delplex.bde.org>, Bruce Evans writes:
 > >The (flag & FREAD) case is supposed to flush input as much as possible
 > >(from any driver buffers and from hardware buffers if possible). =
  Starting
 > >and stopping the transfer is an attempt to do this.  I don't know if it
 > >works.
 >
 >
 >Hi Bruce,
 >
 >In this case, removing the stop-start pair is just a temporary but
 >effective workaround, as it avoids the panics at the cost of an
 
 
 Just to confirm, I updated my RELENG_5 test box in question, and it didnt=20
 take long to panic it.  This time, I was just doing a couple of fetches=20
 across the dialup links ( I am testing with 2 units) and same panic.
 
 savecore: reboot after panic: uhci_abort_xfer: not in process context
 savecore: writing core to vmcore.24
 
 [releng5-865]# kgdb /usr/obj/usr/src/sys/pioneer/kernel.debug=20
 /var/crash/vmcore.24
 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so:=
 =20
 Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain=
  conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-marcel-freebsd".
 #0  doadump () at pcpu.h:159
 159             __asm __volatile("movl %%fs:0,%0" : "=3Dr" (td));
 (kgdb) bt full
 #0  doadump () at pcpu.h:159
 No locals.
 #1  0xc052325e in boot (howto=3D260) at=
  /usr/src/sys/kern/kern_shutdown.c:410
          first_buf_printf =3D 1
 #2  0xc05234f4 in panic (fmt=3D0xc07003ab "uhci_abort_xfer: not in process=
 =20
 context") at /usr/src/sys/kern/kern_shutdown.c:566
          td =3D (struct thread *) 0xc14fa000
          bootopt =3D 260
          newpanic =3D 0
          ap =3D 0xc14fa000 "=C4\001P=C1=F0=EAO=C1"
          buf =3D "uhci_abort_xfer: not in process context", '\0' <repeats=
  216=20
 times>
 #3  0xc04c92b7 in uhci_abort_xfer (xfer=3D0xc1850400,=20
 status=3DUSBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usb/uhci.c:1958
          uxfer =3D (struct uhci_xfer *) 0xc1850400
          ii =3D (uhci_intr_info_t *) 0xc185046c
          upipe =3D (struct uhci_pipe *) 0xc1992e00
          sc =3D (uhci_softc_t *) 0xc15e0000
          std =3D (uhci_soft_td_t *) 0x0
 #4  0xc04c9239 in uhci_device_bulk_abort (xfer=3D0xc1850400) at=20
 /usr/src/sys/dev/usb/uhci.c:1921
 No locals.
 #5  0xc04d66bb in usbd_ar_pipe (pipe=3D0xc1992e00) at=20
 /usr/src/sys/dev/usb/usbdi.c:762
          xfer =3D 0x0
 #6  0xc04d641f in usbd_abort_pipe (pipe=3D0xc1992e00) at=20
 /usr/src/sys/dev/usb/usbdi.c:556
          err =3D USBD_NORMAL_COMPLETION
 #7  0xc04c3ed1 in ucomstopread (sc=3D0x0) at=
  /usr/src/sys/dev/usb/ucom.c:1160
 No locals.
 #8  0xc04c3a96 in ucomstop (tp=3D0xc168e000, flag=3D3) at=20
 /usr/src/sys/dev/usb/ucom.c:934
          sc =3D (struct ucom_softc *) 0xc1617880
 #9  0xc054ec2b in ttyflush (tp=3D0xc168e000, rw=3D3) at=20
 /usr/src/sys/kern/tty.c:1420
 No locals.
 #10 0xc054cf0d in ttyinput (c=3D28, tp=3D0xc168e000) at=
  /usr/src/sys/kern/tty.c:433
          iflag =3D 11010
          lflag =3D 1483
          cc =3D (cc_t *) 0xc168e0b4=20
 "\004=FF=FF\177\027\025\022\b\003\034\032\031\021\023\026\017\001"
          i =3D -1050576768
          err =3D 0
 #11 0xc04c3dc1 in ucomreadcb (xfer=3D0xc1850400, p=3D0xc1617880,=20
 status=3DUSBD_NORMAL_COMPLETION) at linedisc.h:122
          sc =3D (struct ucom_softc *) 0xc1617880
          tp =3D (struct tty *) 0xc168e000
          err =3D USBD_NORMAL_COMPLETION
          cc =3D 32
          cp =3D (u_char *) 0xc15e9d58 "\034=ACI_E=C8gb\2141J}]\201=C2=A5-\03=
 5S=A8=E8=20
 M=A2rq=AB<\016=A1=FF=C3=F6=F9/\035\035=BE<y~/E\b"
          lostcc =3D 0
 #12 0xc04d67fc in usb_transfer_complete (xfer=3D0xc1850400) at=20
 /usr/src/sys/dev/usb/usbdi.c:851
          pipe =3D 0xc1992e00
          dmap =3D (usb_dma_t *) 0xc185043c
          sync =3D 0
          erred =3D 0
 ---Type <return> to continue, or q <return> to quit---
          repeat =3D 0
          polling =3D 0
 #13 0xc04c8b1f in uhci_idone (ii=3D0x0) at /usr/src/sys/dev/usb/uhci.c:1500
          xfer =3D 0xc1850400
          upipe =3D (struct uhci_pipe *) 0xc1992e00
          std =3D (uhci_soft_td_t *) 0x0
          status =3D 0
          nstatus =3D 0
          actlen =3D 56
 #14 0xc04c89fc in uhci_check_intr (sc=3D0xc15e0000, ii=3D0xc185046c) at=20
 /usr/src/sys/dev/usb/uhci.c:1375
          std =3D (uhci_soft_td_t *) 0x0
          lstd =3D (uhci_soft_td_t *) 0xc15e5f20
          status =3D 0
 #15 0xc04c894e in uhci_softintr (v=3D0xc15e0000) at=20
 /usr/src/sys/dev/usb/uhci.c:1305
          sc =3D (uhci_softc_t *) 0xc15e0000
          ii =3D (uhci_intr_info_t *) 0x0
          nextii =3D (uhci_intr_info_t *) 0x0
 #16 0xc04d3aa5 in usb_schedsoftintr (bus=3D0x0) at=
  /usr/src/sys/dev/usb/usb.c:870
 No locals.
 #17 0xc04c891b in uhci_intr1 (sc=3D0xc15e0000) at=20
 /usr/src/sys/dev/usb/uhci.c:1275
          status =3D 1
          ack =3D 1
 #18 0xc04c87ac in uhci_intr (arg=3D0xc15e0000) at=20
 /usr/src/sys/dev/usb/uhci.c:1190
          sc =3D (uhci_softc_t *) 0x0
 #19 0xc050fb71 in ithread_loop (arg=3D0xc14f7400) at=20
 /usr/src/sys/kern/kern_intr.c:547
          ithd =3D (struct ithd *) 0xc14f7400
          ih =3D (struct intrhand *) 0xc15db6c0
          td =3D (struct thread *) 0xc14fa000
          p =3D (struct proc *) 0xc15001c4
          count =3D 0
          warming =3D 0
          warned =3D 0
 #20 0xc050ee04 in fork_exit (callout=3D0xc050fa20 <ithread_loop>,=20
 arg=3D0xc14f7400, frame=3D0xcbc67d48)
      at /usr/src/sys/kern/kern_fork.c:790
          p =3D (struct proc *) 0xc15001c4
          td =3D (struct thread *) 0x0
 #21 0xc06a648c in fork_trampoline () at=
  /usr/src/sys/i386/i386/exception.s:209
 No locals.
 (kgdb)
 
 
          ---Mike=20
 

From: Mike Tancsa <mike@sentex.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/79420: panic using uplcom or uftdi serial adaptor and
  modem (USB)
Date: Wed, 06 Apr 2005 13:07:01 -0400

 Just to followup, 36hrs later, the box is still stable with Ian's 
 patch/work around.  Without it, it does not take long at all to panic the box.
 
          ---Mike
 
 
 
 --------------------------------------------------------------------
 Mike Tancsa,                                      tel +1 519 651 3400
 Sentex Communications,                            mike@sentex.net
 Providing Internet since 1994                    www.sentex.net
 Cambridge, Ontario Canada                         www.sentex.net/mike
 
State-Changed-From-To: open->patched 
State-Changed-By: iedowse 
State-Changed-When: Tue Apr 12 00:29:24 GMT 2005 
State-Changed-Why:  

The new patch has been committed to -current; awaiting MFC. 


Responsible-Changed-From-To: freebsd-bugs->iedowse 
Responsible-Changed-By: iedowse 
Responsible-Changed-When: Tue Apr 12 00:29:24 GMT 2005 
Responsible-Changed-Why:  

My MFC reminder. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=79420 
State-Changed-From-To: patched->closed 
State-Changed-By: iedowse 
State-Changed-When: Sun Apr 17 02:58:47 GMT 2005 
State-Changed-Why:  

Fixed in both RELENG_5 and RELENG_5_4 now 

http://www.freebsd.org/cgi/query-pr.cgi?pr=79420 
>Unformatted:
