From owner-freebsd-bugs@FreeBSD.ORG  Wed Dec 10 23:40:24 2003
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D4F7316A4CF
	for <freebsd-bugs@hub.freebsd.org>;
	Wed, 10 Dec 2003 23:40:24 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C023C43D2D
	for <freebsd-bugs@hub.freebsd.org>;
	Wed, 10 Dec 2003 23:40:20 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id hBB7eKFY053424
	for <freebsd-bugs@freefall.freebsd.org>;
	Wed, 10 Dec 2003 23:40:20 -0800 (PST)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id hBB7eKOx053423;
	Wed, 10 Dec 2003 23:40:20 -0800 (PST)
	(envelope-from gnats)
Resent-Date: Wed, 10 Dec 2003 23:40:20 -0800 (PST)
Resent-Message-Id: <200312110740.hBB7eKOx053423@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Gordon Burditt <gordonb@airmail.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A0BCB16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed, 10 Dec 2003 23:31:42 -0800 (PST)
Received: from hammy.burditt.org (hammy.burditt.org [206.138.224.67])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AE17C43D2A
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed, 10 Dec 2003 23:31:39 -0800 (PST)
	(envelope-from gordon@hammy.burditt.org)
Received: from gordon by hammy.burditt.org with local (Exim 4.24; FreeBSD)
	id 1AULIQ-000Iyz-Ot; Thu, 11 Dec 2003 01:31:38 -0600
Message-Id: <E1AULIQ-000Iyz-Ot@hammy.burditt.org>
Date: Thu, 11 Dec 2003 01:31:38 -0600
From: Gordon Burditt <gordonb@airmail.net>
Sender: Gordon Burditt <gordon@hammy.burditt.org>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
cc: gordonb@airmail.net
Subject: kern/60131: Page fault on disconnect of USB device 
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Gordon Burditt <gordonb@airmail.net>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Dec 2003 07:40:25 -0000


>Number:         60131
>Category:       kern
>Synopsis:       Page fault on disconnect of USB device
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 10 23:40:18 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Gordon Burditt
>Release:        FreeBSD 5.2-BETA i386
>Organization:
>Environment:
System: FreeBSD hammy.burditt.org 4.9-STABLE FreeBSD 4.9-STABLE #7: Sat Nov 22 14:13:11 CST 2003 gordon@hammy.burditt.org:/scratch5/i386-obj/usr/src/sys/HAMMY i386


	
	Reporting from FreeBSD 4.9, laptop runs -CURRENT.
	FreeBSD-CURRENT (identifies itself as FreeBSD 5.2-BETA), 
	from December 3, 2003
	The GPS device is a serial-to-USB converter with a serial GPS.
 	port 1 addr 2: low speed, power 150 mA, config 1, Talon Technology 4800 baud serial interface(0x0001), Talon Technology(0x0a99), rev 1.05
	It is detected as ugen0.  My gpsd daemon (my own code) opens 
	/dev/ugen0.1, loops doing fgets() and stuffs data into a 
	mmap()ed shared memory segment.  If it detects an error, it 
	closes the device, waits a few seconds, and tries to open it again.

>Description:
	
	If I disconnect my USB GPS device, I get a kernel page fault.
	At the time of the disconnect, my gpsd daemon has /dev/ugen0.1 open
	and the device is sending data more or less continually.
	The panic does not occur if the device is not open (although
	it is still sending data more or less continually).
	From the stack trace it appears gpsd detects an error, closes
	the device, and panics in close.

	This started to be a problem with FreeBSD-CURRENT cvsup'd 
	around November 18 and was not a problem with an earlier
	kernel estimated to be 2 months earlier.  It is still a problem
	with FreeBSD-CURRENT on December 3.
	

>How-To-Repeat:
	
	Boot laptop with GPS connected.  gpsd starts.  Disconnect USB
	connector.  Kaboom!


panic: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0xc2d852a0
fault code		= supervisor write, page not present
instruction pointer	= 0x8:0xc05f3806
stack pointer	        = 0x10:0xd714cb24
frame pointer	        = 0x10:0xd714cb4c
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 1311 (gpsd)
trap number		= 12
panic: page fault

syncing disks, buffers remaining... 1972 1972 1970 1970 1970 1970 1970 1970 1970 1970 1970 1970 1970 1970 1970 1970 1970 1970 1970 1970 1970 1970 
giving up on 1171 buffers
Uptime: 2h1m4s
stray irq7
Shutting down ACPI
Automatic reboot in 15 seconds - press a key on the console to abort
--> Press a key on the console to reboot,
--> or switch off the system now.
Rebooting...
Copyright (c) 1992-2003 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD 5.2-BETA #1: Wed Dec  3 20:29:36 CST 2003
    gordon@book.burditt.org:/home/obj/usr/src/sys/BOOK
Preloaded elf kernel "/boot/kernel/kernel" at 0xc0ad0000.
Preloaded elf module "/boot/kernel/snd_via82c686.ko" at 0xc0ad0244.
Preloaded elf module "/boot/kernel/snd_pcm.ko" at 0xc0ad02f8.
Preloaded elf module "/boot/kernel/aout.ko" at 0xc0ad03a4.
Preloaded elf module "/boot/kernel/if_ath.ko" at 0xc0ad0450.
Preloaded elf module "/boot/kernel/ath_hal.ko" at 0xc0ad04fc.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD Athlon(tm) Processor (1000.04-MHz 686-class CPU)
  Origin = "AuthenticAMD"  Id = 0x662  Stepping = 2
  Features=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
  AMD Features=0xc0480000<MP,AMIE,DSP,3DNow!>
real memory  = 268435456 (256 MB)
avail memory = 251027456 (239 MB)
Pentium Pro MTRR support enabled
acpi0: <SONY   K5      > on motherboard
pcibios: BIOS version 2.10
Using $PIR table, 6 entries at 0xc00fdf60
acpi0: Power Button (fixed)
Timecounter "ACPI-safe" frequency 3579545 Hz quality 1000
acpi_timer0: <32-bit timer at 3.579545MHz> port 0x8008-0x800b on acpi0
acpi_cpu0: <CPU> on acpi0
acpi_tz0: <Thermal Zone> on acpi0
acpi_button0: <Sleep Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pcib0: slot 7 INTD is routed to irq 9
pcib0: slot 7 INTD is routed to irq 9
pcib0: slot 7 INTC is routed to irq 5
pcib0: slot 7 INTC is routed to irq 5
pcib0: slot 10 INTA is routed to irq 9
pcib0: slot 10 INTB is routed to irq 10
pcib0: slot 14 INTA is routed to irq 9
pcib0: slot 16 INTA is routed to irq 10
agp0: <VIA 82C8363 (Apollo KT133A) host to PCI bridge> mem 0xf0000000-0xf7ffffff at device 0.0 on pci0
pcib1: <ACPI PCI-PCI bridge> at device 1.0 on pci0
pci1: <ACPI PCI bus> on pcib1
pcib1: slot 0 INTA is routed to irq 5
pci1: <display, VGA> at device 0.0 (no driver attached)
isab0: <PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <VIA 82C686B UDMA100 controller> port 0x1c40-0x1c4f at device 7.1 on pci0
atapci0: Correcting VIA config for southbridge data corruption bug
ata0: at 0x1f0 irq 14 on atapci0
ata0: [MPSAFE]
ata1: at 0x170 irq 15 on atapci0
ata1: [MPSAFE]
uhci0: <VIA 83C572 USB controller> port 0x1c00-0x1c1f irq 9 at device 7.2 on pci0
uhci0: LegSup = 0x0000
usb0: <VIA 83C572 USB controller> on uhci0
usb0: USB revision 1.0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ugen0: Talon Technology Talon Technology 4800 baud serial interface, rev 1.00/1.05, addr 2
uhci1: <VIA 83C572 USB controller> port 0x1c20-0x1c3f irq 9 at device 7.3 on pci0
uhci1: LegSup = 0x0000
usb1: <VIA 83C572 USB controller> on uhci1
usb1: USB revision 1.0
uhub1: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
isab1: <PCI-ISA bridge> at device 7.4 on pci0
device_probe_and_attach: isab1 attach returned 6
pcm0: <VIA VT82C686A> port 0x1c50-0x1c53,0x1c54-0x1c57,0x1000-0x10ff irq 5 at device 7.5 on pci0
pcm0: <Analog Devices AD1881A AC97 Codec>
pci0: <simple comms> at device 7.6 (no driver attached)
cbb0: <TI1420 PCI-CardBus Bridge> mem 0x88000000-0x88000fff irq 9 at device 10.0 on pci0
cardbus0: <CardBus bus> on cbb0
pccard0: <16-bit PCCard bus> on cbb0
cbb0: [MPSAFE]
cbb1: <TI1420 PCI-CardBus Bridge> mem 0x88001000-0x88001fff irq 10 at device 10.1 on pci0
cardbus1: <CardBus bus> on cbb1
pccard1: <16-bit PCCard bus> on cbb1
cbb1: [MPSAFE]
fwohci0: <Texas Instruments TSB12LV26> mem 0xe8000000-0xe8003fff,0xe8004000-0xe80047ff irq 9 at device 14.0 on pci0
fwohci0: OHCI version 1.0 (ROM=1)
fwohci0: No. of Isochronous channel is 4.
fwohci0: EUI64 08:00:46:03:01:13:53:bc
fwohci0: Phy 1394a available S400, 1 ports.
fwohci0: Link S400, max_rec 2048 bytes.
firewire0: <IEEE1394(FireWire) bus> on fwohci0
fwe0: <Ethernet over FireWire> on firewire0
if_fwe0: Fake Ethernet address: 0a:00:46:13:53:bc
sbp0: <SBP-2/SCSI over FireWire> on firewire0
fwohci0: Initiate bus reset
fwohci0: BUS reset
fwohci0: node_id=0xc000ffc0, gen=1, CYCLEMASTER mode
firewire0: 1 nodes, maxhop <= 0, cable IRM = 0 (me)
firewire0: bus manager 0 (me)
rl0: <RealTek 8139 10/100BaseTX> port 0x1800-0x18ff mem 0xe8004800-0xe80048ff irq 10 at device 16.0 on pci0
rl0: Ethernet address: 08:00:46:59:6d:f9
miibus0: <MII bus> on rl0
rlphy0: <RealTek internal media interface> on miibus0
rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
acpi_acad0: <AC Adapter> on acpi0
acpi_cmbat0: <Control Method Battery> on acpi0
acpi_cmbat1: <Control Method Battery> on acpi0
acpi_lid0: <Control Method Lid Switch> on acpi0
speaker0 port 0x61 on acpi0
fdc0: <Enhanced floppy controller (i82077, NE72065 or clone)> port 0x3f7,0x3f0-0x3f5 irq 6 drq 2 on acpi0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
sio0 port 0x3f8-0x3ff irq 4 on acpi0
sio0: type 16550A
atkbdc0: <Keyboard controller (i8042)> port 0x64,0x60 irq 1 on acpi0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: model GlidePoint, device ID 0
acpi_ec0: <Embedded Controller: GPE 0x1> port 0x66,0x62 on acpi0
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
orm0: <Option ROMs> at iomem 0xdc000-0xdffff,0xd0000-0xd3fff,0xc0000-0xcffff on isa0
pmtimer0 on isa0
ppc0: parallel port not found.
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 1000041097 Hz quality 800
Timecounters tick every 10.000 msec
ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to deny, logging unlimited
IPv6 packet filtering initialized, unlimited logging
IPsec: Initialized Security Association Processing.
acpi_cpu: throttling enabled, 16 steps (100% to 6.2%), currently 100.0%
system power profile changed to 'economy'
wi0: <The Linksys Group, Inc. Instant Wireless Network PC Card> at port 0x100-0x13f irq 9 function 0 config 1 on pccard0
wi0: 802.11 address: 00:06:25:18:30:d8
wi0: using RF:PRISM3(PCMCIA)
wi0: Intersil Firmware: Primary (1.1.0), Station (1.4.2)
wi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
GEOM: create disk ad0 dp=0xc2f1da60
ad0: 19077MB <TOSHIBA MK2018GAP> [38760/16/63] at ata0-master UDMA100
acd0: CDRW <UJDA720 DVD/CDRW> at ata1-master PIO4
    ACPI-0438: *** Error: Handler for [EmbeddedControl] returned AE_NO_HARDWARE_RESPONSE
    ACPI-1287: *** Error: Method execution failed [\\_SB_.BAT2._STA] (Node 0xc2d5e540), AE_NO_HARDWARE_RESPONSE
    ACPI-0175: *** Error: Method execution failed [\\_SB_.BAT2._STA] (Node 0xc2d5e540), AE_NO_HARDWARE_RESPONSE
system power profile changed to 'performance'
Mounting root from ufs:/dev/ad0s2a
WARNING: / was not properly dismounted
WARNING: /home was not properly dismounted
WARNING: /tmp was not properly dismounted
WARNING: /usr was not properly dismounted
WARNING: /usr/X11R6 was not properly dismounted
WARNING: /usr/local was not properly dismounted
WARNING: /var was not properly dismounted
/var: mount pending error: blocks 4 files 1
key_spdadd: a SP entry exists already.
key_spdadd: a SP entry exists already.
key_spdadd: a SP entry exists already.
key_spdadd: a SP entry exists already.
ugen0: at uhub0 port 1 (addr 2) disconnected
ugen0: detached


Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0xc2d852a0
fault code		= supervisor write, page not present
instruction pointer	= 0x8:0xc05f3806
stack pointer	        = 0x10:0xd67c9b24
frame pointer	        = 0x10:0xd67c9b4c
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 365 (gpsd)
trap number		= 12
panic: page fault

syncing disks, buffers remaining... 2203 2203 2201 2200 2200 2200 2200 2200 2200 2200 2200 2200 2200 2200 2200 2200 2200 2200 2200 2200 2200 2200 2200 
giving up on 1303 buffers
Uptime: 1d2h39m11s
Dumping 256 MB
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240
---
Reading symbols from /boot/kernel/snd_via82c686.ko...
(no debugging symbols found)...done.
Loaded symbols for /boot/kernel/snd_via82c686.ko
Reading symbols from /boot/kernel/snd_pcm.ko...(no debugging symbols found)...
done.
Loaded symbols for /boot/kernel/snd_pcm.ko
Reading symbols from /boot/kernel/aout.ko...(no debugging symbols found)...
done.
Loaded symbols for /boot/kernel/aout.ko
Reading symbols from /boot/kernel/if_ath.ko...(no debugging symbols found)...
done.
Loaded symbols for /boot/kernel/if_ath.ko
Reading symbols from /boot/kernel/ath_hal.ko...(no debugging symbols found)...
done.
Loaded symbols for /boot/kernel/ath_hal.ko
Reading symbols from /boot/kernel/ntfs.ko...(no debugging symbols found)...
done.
Loaded symbols for /boot/kernel/ntfs.ko
Reading symbols from /boot/kernel/green_saver.ko...
(no debugging symbols found)...done.
Loaded symbols for /boot/kernel/green_saver.ko
Reading symbols from /boot/kernel/linux.ko...(no debugging symbols found)...
done.
Loaded symbols for /boot/kernel/linux.ko
#0  0xc065f8cb in doadump ()
(kgdb) bt
#0  0xc065f8cb in doadump ()
#1  0xc065fe08 in boot ()
#2  0xc06600f8 in panic ()
#3  0xc0836a2c in trap_fatal ()
#4  0xc08366f2 in trap_pfault ()
#5  0xc08362fd in trap ()
#6  0xc0828798 in calltrap ()
#7  0xc0629476 in spec_close ()
#8  0xc0628398 in spec_vnoperate ()
#9  0xc06bf5d6 in vn_close ()
#10 0xc06c0460 in vn_closefile ()
#11 0xc06452d9 in fdrop_locked ()
#12 0xc06443ee in fdrop ()
#13 0xc064439c in closef ()
#14 0xc06425b8 in close ()
#15 0xc0836d40 in syscall ()
#16 0xc08287ed in Xint0x80_syscall ()
(kgdb) 
>Fix:

	
	Kill daemon before disconnecting USB device (which is a nuisance).


					Gordon L. Burditt
>Release-Note:
>Audit-Trail:
>Unformatted: