Date:      Sun, 29 Oct 2000 17:24:21 +0100 (CET)
From:      voland@lflat.org
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/22397: ulpt0 isn't functional due to incorrect dev pointer passed to usbd_do_request_flags
Message-ID:  <200010291624.e9TGOL900623@puppy.lflat.org>


>Number:         22397
>Category:       kern
>Synopsis:       ulpt0 usage leads to kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 29 08:40:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Vadim Belman
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Mobilix A/S
>Environment:

FreeBSD puppy.lflat.org 5.0-CURRENT FreeBSD 5.0-CURRENT #2: Sun Oct 29 13:44:02 CET 2000     root@puppy.lflat.org:/usr/obj/usr/src/sys/PUPPY  i386

>Description:

If one tries to use ulpt0 for printing, he ends up with a kernel panic.
It occurs due to an incorrect dev pointer being passed to
usbd_do_request_flags. Here is the panic message and kernel stack trace
from the gdb report:

======================================================================
IdlePTD 4214784
initial pcb at 3681c0
panicstr: from debugger
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0x20726568
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xc01811a7
stack pointer	        = 0x10:0xc842ccb4
frame pointer	        = 0x10:0xc842cccc
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 2858 (lpd)
panic: from debugger
panic: from debugger
Uptime: 36m38s

dumping to dev #da/0x20001, offset 262144
dump 128 127 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 
---
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:475
475		if (dumping++) {
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:475
#1  0xc019e6ac in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:318
#2  0xc019eaad in panic (fmt=0xc02c5894 "from debugger")
    at /usr/src/sys/kern/kern_shutdown.c:566
#3  0xc012f945 in db_panic (addr=-1072164441, have_addr=0, count=-1, 
    modif=0xc842cb2c "") at /usr/src/sys/ddb/db_command.c:433
#4  0xc012f8e3 in db_command (last_cmdp=0xc031cbdc, cmd_table=0xc031ca3c, 
    aux_cmd_tablep=0xc03616ac) at /usr/src/sys/ddb/db_command.c:333
#5  0xc012f9aa in db_command_loop () at /usr/src/sys/ddb/db_command.c:455
#6  0xc0131bf7 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_trap.c:71
#7  0xc029c776 in kdb_trap (type=12, code=0, regs=0xc842cc74)
    at /usr/src/sys/i386/i386/db_interface.c:163
#8  0xc02a8888 in trap_fatal (frame=0xc842cc74, eva=544367976)
    at /usr/src/sys/i386/i386/trap.c:934
#9  0xc02a8601 in trap_pfault (frame=0xc842cc74, usermode=0, eva=544367976)
    at /usr/src/sys/i386/i386/trap.c:853
#10 0xc02a814b in trap (frame={tf_fs = -1071972336, tf_es = 16, tf_ds = 16, 
      tf_edi = 0, tf_esi = 375, tf_ebp = -935146292, tf_isp = -935146336, 
      tf_ebx = -935146236, tf_edx = 544367976, tf_ecx = 544367976, 
      tf_eax = -935146237, tf_trapno = 12, tf_err = 0, tf_eip = -1072164441, 
      tf_cs = 8, tf_eflags = 66118, tf_esp = -1055754752, tf_ss = 375})
    at /usr/src/sys/i386/i386/trap.c:436
#11 0xc01811a7 in usbd_do_request_flags (dev=0x20726568, req=0xc842cd04, 
    data=0xc842cd03, flags=0, actlen=0x0) at /usr/src/sys/dev/usb/usbdi.c:938
#12 0xc018117c in usbd_do_request (dev=0x20726568, req=0xc842cd04, 
    data=0xc842cd03) at /usr/src/sys/dev/usb/usbdi.c:919
#13 0xc017d540 in ulpt_status (sc=0xc1127600)
    at /usr/src/sys/dev/usb/ulpt.c:357
#14 0xc017d6e1 in ulptopen (dev=0xc103fc00, flag=2, mode=8192, p=0xc7fff100)
    at /usr/src/sys/dev/usb/ulpt.c:418
#15 0xc01e358a in spec_open (ap=0xc842cda0)
    at /usr/src/sys/miscfs/specfs/spec_vnops.c:200
#16 0xc01e3439 in spec_vnoperate (ap=0xc842cda0)
    at /usr/src/sys/miscfs/specfs/spec_vnops.c:117
#17 0xc0279071 in ufs_vnoperatespec (ap=0xc842cda0)
    at /usr/src/sys/ufs/ufs/ufs_vnops.c:2312
#18 0xc01dd467 in vn_open (ndp=0xc842ce74, flagp=0xc842ce40, cmode=48)
    at vnode_if.h:189
#19 0xc01d8ead in open (p=0xc7fff100, uap=0xc842cf80)
    at /usr/src/sys/kern/vfs_syscalls.c:999
#20 0xc02a8cf8 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, 
      tf_edi = 134578534, tf_esi = -1077937784, tf_ebp = -1077938048, 
      tf_isp = -935145516, tf_ebx = 2, tf_edx = -1077938104, tf_ecx = 2, 
      tf_eax = 5, tf_trapno = 7, tf_err = 2, tf_eip = 269347636, tf_cs = 31, 
      tf_eflags = 582, tf_esp = -1077938092, tf_ss = 47})
    at /usr/src/sys/i386/i386/trap.c:1139
#21 0xc029d0df in Xint0x80_syscall ()
#22 0x804dbe9 in ?? ()
#23 0x804b5cd in ?? ()
#24 0x804db8e in ?? ()
#25 0x804acd5 in ?? ()
#26 0x804ab37 in ?? ()
#27 0x804a1e1 in ?? ()
======================================================================

I can't report the content of the sc structure (stack frame #13, ulptclose)
because the pointer was zeroed at some point.

>How-To-Repeat:

=== /etc/printcap ===
# LABEL apsfilter
# apsfilter setup Sun 29 Oct 2000 16:48:56 CET
#
# DON'T DELETE THIS:
# APS_BASEDIR:/usr/local/apsfilter
#
# APS1_BEGIN:printer1:lj5mono:a4:1200x600
# - don't delete start label for apsfilter printer1
# - no other printer defines between BEGIN and END LABEL
#
lp|aps1-lj5mono-a4-auto-1200x600|Printer1 lj5mono a4 auto 1200x600:\
    :lp=/dev/ulpt0:\
    :sd=/var/spool/lpd/printer1-lj5mono-a4-auto-1200x600:\
    :lf=/var/spool/lpd/printer1-lj5mono-a4-auto-1200x600/log:\
    :af=/var/spool/lpd/printer1-lj5mono-a4-auto-1200x600/acct:\
    :if=/usr/local/apsfilter/filter/aps1-lj5mono-a4-auto-1200x600:\
    :mx#0:\
    :sh:
raw|aps2-lj5mono-a4-raw|Printer1 lj5mono a4 raw:\
    :lp=/dev/lpt0:\
    :sd=/var/spool/lpd/printer1-lj5mono-a4-raw:\
    :lf=/var/spool/lpd/printer1-lj5mono-a4-raw/log:\
    :af=/var/spool/lpd/printer1-lj5mono-a4-raw/acct:\
    :if=/usr/local/apsfilter/filter/aps2-lj5mono-a4-raw:\
    :mx#0:\
    :sf:\
    :sh:
# APS1_END - don't delete this END LABEL for printer1
=== /etc/printcap ===

Printing to lp generates the panic.

>Fix:

None known.


>Release-Note:
>Audit-Trail:
>Unformatted:
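A small triage helper, added here as an example and not part of this PR or of FreeBSD, for reading a panic report like the one above. It pulls the fault virtual address and the pointer arguments out of the gdb frames and flags any that fall below the kernel address range, equal the fault address, or decode to printable ASCII. The dev value 0x20726568 in frames #11 and #12 decodes little-endian to the text "her ", which is the usual fingerprint of a pointer slot that was overwritten with string data; that reading is an inference from the value, not something the report states. The kernel base of 0xC0000000 is an assumption about the i386 layout of that era, and the embedded trace is a constructed excerpt of the report, not the full dump.

```python
"""Triage helper for a FreeBSD-style panic report: extract the fault address and
the pointer arguments from a gdb backtrace, and flag the ones that look wrong."""
import re

# Constructed excerpt modelled on the report above (not the complete trace).
SAMPLE_TRACE = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address\t= 0x20726568
fault code\t\t= supervisor read, page not present
#11 0xc01811a7 in usbd_do_request_flags (dev=0x20726568, req=0xc842cd04,
    data=0xc842cd03, flags=0, actlen=0x0) at /usr/src/sys/dev/usb/usbdi.c:938
#12 0xc018117c in usbd_do_request (dev=0x20726568, req=0xc842cd04,
    data=0xc842cd03) at /usr/src/sys/dev/usb/usbdi.c:919
#13 0xc017d540 in ulpt_status (sc=0xc1127600)
    at /usr/src/sys/dev/usb/ulpt.c:357
"""

# Assumption: i386 FreeBSD of that era maps kernel text and data above 3 GiB.
KERNEL_BASE = 0xC0000000


def fault_address(trace):
    """Return the 'fault virtual address' value as an int, or None if absent."""
    m = re.search(r"fault virtual address\s*=\s*(0x[0-9a-fA-F]+)", trace)
    return int(m.group(1), 16) if m else None


def frames(trace):
    """Yield (frame_no, function, {arg: value}) for each '#N addr in func (...)'.

    gdb wraps long argument lists onto indented continuation lines, so those are
    joined first. Struct-valued args such as frame={...} are not split further;
    this is a simplification that is fine for scalar pointer arguments.
    """
    joined = re.sub(r"\n\s+", " ", trace)
    for m in re.finditer(r"^#(\d+)\s+0x[0-9a-f]+ in (\w+) \((.*?)\)", joined, re.M):
        args = {}
        for item in m.group(3).split(","):
            if "=" in item:
                key, value = item.split("=", 1)
                args[key.strip()] = value.strip()
        yield int(m.group(1)), m.group(2), args


def as_ascii(value):
    """Little-endian bytes of a 32-bit value as text, or None unless all printable."""
    raw = value.to_bytes(4, "little")
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def suspicious_pointers(trace):
    """Return [(frame_no, func, arg, value, ascii_or_None)] for hex-valued args
    that equal the fault address, sit below KERNEL_BASE (and are non-NULL), or
    decode as printable text; any of these is worth a second look in triage."""
    fault = fault_address(trace)
    hits = []
    for no, func, args in frames(trace):
        for name, text in args.items():
            if not text.startswith("0x"):
                continue  # plain integers such as flags=0 are not pointers
            val = int(text, 16)
            ascii_form = as_ascii(val)
            if val == fault or (val != 0 and val < KERNEL_BASE) or ascii_form:
                hits.append((no, func, name, val, ascii_form))
    return hits


if __name__ == "__main__":
    print("fault address: %#x" % fault_address(SAMPLE_TRACE))
    for no, func, name, val, ascii_form in suspicious_pointers(SAMPLE_TRACE):
        note = " (ASCII %r)" % ascii_form if ascii_form else ""
        print("frame #%d %s: %s=%#x%s" % (no, func, name, val, note))
```

Run against the excerpt, the helper reports the dev argument of frames #11 and #12 as both the faulting address and printable text, while the req, data and sc pointers pass as ordinary kernel addresses; that narrows the question to how the softc's device pointer came to hold string bytes before ulpt_status called into usbdi.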

