Skip site navigation (1)Skip section navigation (2) 
Date:      Wed,  8 Sep 2004 14:40:24 +0300 (IDT)
From:      Amir Shalem <amir@boom.org.il>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/71491: printing under usb printer causes a kernel panic
Message-ID:  <20040908114024.4029B5CE6@active.ath.cx>
Resent-Message-ID: <200409081150.i88BoOIr079608@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         71491
>Category:       kern
>Synopsis:       printing under usb printer causes a kernel panic
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 08 11:50:23 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Amir Shalem
>Release:        FreeBSD 5.3-BETA3 i386
>Organization:
>Environment:
System: FreeBSD vmware.active.ath.cx 5.3-BETA3 FreeBSD 5.3-BETA3 #2: Wed Sep 8 13:37:55 IDT 2004 root@vmware.active.ath.cx:/usr/src/sys/i386/compile/VMWARE i386

	I have set test machine, under vmware, where I installed 5.3-beta3
	The printer is HP DeskJet 3650
	I use it under cups + hpijs-cups (not in ports)

>Description:
	This bug also happens with 6-current.

	I have tried this under with:
		offical 5.3-beta3 kernel
		5.3-beta3 + ule  + usb_debug (at level 10)
		5.3-beta3 + 4bsd + usb_debug (at level 10)
	in all conditions I got the crash,
	where using the usb_debug I got it _right away_
	where as, in the offical I had to do multiply printing in cups.

	The problem is printing via cups, printing test page for example,
	causes the bug.

	if I turn DIAGNOSTIC on the bug does appear.

	I have kernel dump + kernel.debug for all kind of kernels (at request),
	here goes the dmesg and backtrace of 4bsd+usbdebug:

TD(0xc12e3f60) at 04c77f60 = link=0x04c77f84 status=0x388003ff token=0x07e90269
  4c77f84<VF> 388003ff<ACTIVE,SPD>,errcnt=3,actlen=0 pid=69,addr=2,endpt=2,D=1,m
TD(0xc12e3f80) at 04c77f80 = link=0x00000005 status=0x398003ff token=0x07e10269
  5<T,VF> 398003ff<ACTIVE,IOC,SPD>,errcnt=3,actlen=0 pid=69,addr=2,endpt=2,D=0,m
uhci_start_loop: add
ulpt_tick: err=1
uhci_timeout: uxfer=0xc16a8a00
usb_add_task: task=0xc16a8a84
usb_transfer_complete: pipe=0xc16a6a00 xfer=0xc16a8a00 status=0 actlen=0
usb_transfer_complete: repeat=0 new head=0
ulpt_read_cb: start sc=0xc13ae880, err=0 n=0
uhci_device_bulk_done: xfer=0xc16a8a00 ii=0xc16a8a6c sc=0xc12e1000 upipe=0xc16a6
uhci_end_loop: remove
uhci_device_bulk_done: length=0
usbd_start_next: pipe=0xc16a6a00, xfer=0
usb_task_thread: woke up task=0xc16a8a84
uhci_timeout_task: xfer=0xc16a8a00
uhci_abort_xfer: xfer=0xc16a8a00, status=15
uhci_abort_xfer: stop ii=0xc16a8a6c
uhci_abort_xfer: callback
usb_transfer_complete: pipe=0xc16a6a00 xfer=0xc16a8a00 status=15 actlen=0

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x4c
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc05b398d
stack pointer           = 0x10:0xc636ccbc
frame pointer           = 0x10:0xc636ccd8
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 46 (usbtask)
panic: from debugger

	and backtrace:
#25 0xc05b398d in usb_transfer_complete (xfer=0xc16a8a00)
    at ../../../dev/usb/usbdi.c:819
#26 0xc05a390a in uhci_abort_xfer (xfer=0xc16a8a00, status=USBD_TIMEOUT)
    at ../../../dev/usb/uhci.c:1994
#27 0xc05a2f08 in uhci_timeout_task (addr=0xc16a8a00)
    at ../../../dev/usb/uhci.c:1533
#28 0xc05afd45 in usb_task_thread (arg=0x0) at ../../../dev/usb/usb.c:464
#29 0xc05f29dc in fork_exit (callout=0xc05afc98 <usb_task_thread>, arg=0x0,
    frame=0xc636cd48) at ../../../kern/kern_fork.c:820
#30 0xc077ae6c in fork_trampoline () at ../../../i386/i386/exception.s:209
(kgdb) frame 25
#25 0xc05b398d in usb_transfer_complete (xfer=0xc16a8a00)
    at ../../../dev/usb/usbdi.c:819
819                     SIMPLEQ_REMOVE_HEAD(&pipe->queue, next);
(kgdb) print pipe->queue
$1 = {stqh_first = 0x0, stqh_last = 0xc16a6a14}
(kgdb) print *pipe->queue->stqh_last
$2 = (struct usbd_xfer *) 0x0
(kgdb) q


	Basicly the pipe queue is empty when reaching the code,
	and it expects to have something in queue.

>How-To-Repeat:
	Boot kernel with USB_DEBUG, and set:
		hw.usb.debug=10
		hw.usb.ulpt.debug=10
		hw.usb.uhci.debug=10
	and try to print to your usb printer.

>Fix:
	Unknown.
	Maybe to add a check to see if queue is already empty ?

>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040908114024.4029B5CE6>