Date:      Fri, 17 Jun 2005 09:48:23 +0400 (MSD)
From:      Artemiev Igor <ai@bmc.brk.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/82350: null pointer dereference in USB stack
Message-ID:  <200506170548.j5H5mNKA004008@bmc-gw.bmc.brk.ru>
Resent-Message-ID: <200506170550.j5H5oRpH029378@freefall.freebsd.org>


>Number:         82350
>Category:       kern
>Synopsis:       null pointer dereference in USB stack
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 17 05:50:26 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Artemiev Igor
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
Bryansk Medical Center
>Environment:
System: FreeBSD bmc-gw.bmc.brk.ru 5.4-STABLE FreeBSD 5.4-STABLE #7: Sat Jun 4 12:22:45 MSD 2005 root@bmc-gw.bmc.brk.ru:/usr/obj/usr/src/sys/bmc-gw.kernel i386

Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD 5.4-STABLE #7: Sat Jun  4 12:22:45 MSD 2005
    root@bmc-gw.bmc.brk.ru:/usr/obj/usr/src/sys/bmc-gw.kernel
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Pentium(R) 4 CPU 2.80GHz (2793.01-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0xf29  Stepping = 9
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Hyperthreading: 2 logical CPUs
real memory  = 535691264 (510 MB)
avail memory = 518729728 (494 MB)
ACPI APIC Table: <IntelR AWRDACPI>
ioapic0: Changing APIC ID to 2
ioapic0 <Version 2.0> irqs 0-23 on motherboard
ioapic1 <Version 2.0> irqs 24-47 on motherboard
npx0: <math processor> on motherboard
npx0: INT 16 interface
acpi0: <IntelR AWRDACPI> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pcib1: <ACPI PCI-PCI bridge> at device 3.0 on pci0
pci1: <ACPI PCI bus> on pcib1
em0: <Intel(R) PRO/1000 Network Connection, Version - 1.7.35> port 0x9000-0x901f mem 0xf1000000-0xf101ffff,0xf1020000-0xf103ffff irq 18 at device 1.0 on pci1
em0: Ethernet address: 00:11:2f:2c:7b:0c
em0:  Speed:N/A  Duplex:N/A
pcib2: <ACPI PCI-PCI bridge> at device 28.0 on pci0
pci2: <ACPI PCI bus> on pcib2
fxp0: <Intel 82559 Pro/100 Ethernet> port 0xa000-0xa03f mem 0xf5000000-0xf50fffff,0xf5100000-0xf5100fff irq 24 at device 2.0 on pci2
miibus0: <MII bus> on fxp0
inphy0: <i82555 10/100 media interface> on miibus0
inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp0: Ethernet address: 00:a9:40:0f:88:15
uhci0: <UHCI (generic) USB controller> port 0xc400-0xc41f irq 16 at device 29.0 on pci0
usb0: <UHCI (generic) USB controller> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: <UHCI (generic) USB controller> port 0xc000-0xc01f irq 19 at device 29.1 on pci0
usb1: <UHCI (generic) USB controller> on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
pci0: <base peripheral> at device 29.4 (no driver attached)
pci0: <base peripheral, interrupt controller> at device 29.5 (no driver attached)
ehci0: <EHCI (generic) USB 2.0 controller> mem 0xf5200000-0xf52003ff irq 23 at device 29.7 on pci0
usb2: EHCI version 1.0
usb2: companion controllers, 2 ports each: usb0 usb1
usb2: <EHCI (generic) USB 2.0 controller> on ehci0
usb2: USB revision 2.0
uhub2: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub2: 4 ports with 4 removable, self powered
pcib3: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci3: <ACPI PCI bus> on pcib3
fxp1: <Intel 82559 Pro/100 Ethernet> port 0xb000-0xb03f mem 0xf4000000-0xf40fffff,0xf4140000-0xf4140fff irq 20 at device 2.0 on pci3
miibus1: <MII bus> on fxp1
inphy1: <i82555 10/100 media interface> on miibus1
inphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp1: Ethernet address: 00:90:27:99:0b:e6
em1: <Intel(R) PRO/1000 Network Connection, Version - 1.7.35> port 0xb400-0xb43f mem 0xf4120000-0xf413ffff,0xf4100000-0xf411ffff irq 18 at device 8.0 on pci3
em1: Ethernet address: 00:11:2f:2c:7b:0d
em1:  Speed:N/A  Duplex:N/A
pci3: <display, VGA> at device 9.0 (no driver attached)
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel 6300ESB UDMA100 controller> port 0xf000-0xf00f,0x376,0x170-0x177,0x3f6,0x1f0-0x1f7 at device 31.1 on pci0
ata0: channel #0 on atapci0
ata1: channel #1 on atapci0
atapci1: <Intel 6300ESB SATA150 controller> port 0xd800-0xd80f,0xd400-0xd403,0xd000-0xd007,0xcc00-0xcc03,0xc800-0xc807 irq 18 at device 31.2 on pci0
ata2: channel #0 on atapci1
ata3: channel #1 on atapci1
pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
acpi_tz0: <Thermal Zone> on acpi0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
ppc0: <Standard parallel printer port> port 0x778-0x77b,0x378-0x37f irq 7 on acpi0
ppc0: Generic chipset (EPP/NIBBLE) in COMPATIBLE mode
ppbus0: <Parallel port bus> on ppc0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
atkbdc0: <Keyboard controller (i8042)> port 0x64,0x60 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
orm0: <ISA Option ROM> at iomem 0xc0000-0xc7fff on isa0
pmtimer0 on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
ucom0: Prolific Technology Inc. USB-Serial Controller, rev 1.10/3.00, addr 2
Timecounter "TSC" frequency 2793009972 Hz quality 800
Timecounters tick every 10.000 msec
ad0: 38166MB <ST340016A/3.05> [77545/16/63] at ata0-master UDMA100
em0: Link is up 100 Mbps Full Duplex
ad4: 114473MB <ST3120827AS/3.42> [232581/16/63] at ata2-master SATA150
ad6: 114473MB <ST3120827AS/3.42> [232581/16/63] at ata3-master SATA150
ar0: 114473MB <ATA RAID1 array> [14593/255/63] status: READY subdisks:
 disk0 READY on ad4 at ata2-master
 disk1 READY on ad6 at ata3-master

hostb0@pci0:0:0:	class=0x060000 card=0x81161043 chip=0x25788086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '82875P/E7210 DRAM Controller / Host-Hub Interface'
    class    = bridge
    subclass = HOST-PCI
pcib1@pci0:3:0:	class=0x060400 card=0x00000000 chip=0x257b8086 rev=0x02 hdr=0x01
    vendor   = 'Intel Corporation'
    device   = '82875P/E7210 PCI to CSA Bridge'
    class    = bridge
    subclass = PCI-PCI
pcib2@pci0:28:0:	class=0x060400 card=0x00000050 chip=0x25ae8086 rev=0x02 hdr=0x01
    vendor   = 'Intel Corporation'
    device   = '6300ESB Hub Interface to PCI-X Bridge'
    class    = bridge
    subclass = PCI-PCI
uhci0@pci0:29:0:	class=0x0c0300 card=0x81171043 chip=0x25a98086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB USB 1.1 UHCI Controller #1'
    class    = serial bus
    subclass = USB
uhci1@pci0:29:1:	class=0x0c0300 card=0x81171043 chip=0x25aa8086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '5300ESB USB 1.1 UHCI Controller #2'
    class    = serial bus
    subclass = USB
none0@pci0:29:4:	class=0x088000 card=0x81171043 chip=0x25ab8086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB Watchdog Timer'
    class    = base peripheral
none1@pci0:29:5:	class=0x080020 card=0x81171043 chip=0x25ac8086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB APIC1'
    class    = base peripheral
    subclass = interrupt controller
ehci0@pci0:29:7:	class=0x0c0320 card=0x81171043 chip=0x25ad8086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB USB 2.0 EHCI Controller'
    class    = serial bus
    subclass = USB
pcib3@pci0:30:0:	class=0x060400 card=0x00000000 chip=0x244e8086 rev=0x0a hdr=0x01
    vendor   = 'Intel Corporation'
    device   = '82801BA/CA/DB/DBL/EB/ER/FB (ICH2/3/4/4/5/5/6), 6300ESB Hub Interface to PCI Bridge'
    class    = bridge
    subclass = PCI-PCI
isab0@pci0:31:0:	class=0x060100 card=0x00000000 chip=0x25a18086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB LPC Interface Bridge'
    class    = bridge
    subclass = PCI-ISA
atapci0@pci0:31:1:	class=0x01018a card=0x81171043 chip=0x25a28086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB IDE Controller'
    class    = mass storage
    subclass = ATA
atapci1@pci0:31:2:	class=0x01018f card=0x81171043 chip=0x25a38086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB Serial ATA Controller'
    class    = mass storage
    subclass = ATA
none2@pci0:31:3:	class=0x0c0500 card=0x81171043 chip=0x25a48086 rev=0x02 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '6300ESB SMBus Controller'
    class    = serial bus
    subclass = SMBus
em0@pci1:1:0:	class=0x020000 card=0x81151043 chip=0x10758086 rev=0x00 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '82547EI Gigabit Ethernet Controller'
    class    = network
    subclass = ethernet
fxp0@pci2:2:0:	class=0x020000 card=0x000c8086 chip=0x12298086 rev=0x08 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '82550/1/7/8/9 EtherExpress PRO/100(B) Ethernet Adapter'
    class    = network
    subclass = ethernet
fxp1@pci3:2:0:	class=0x020000 card=0x000b8086 chip=0x12298086 rev=0x08 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '82550/1/7/8/9 EtherExpress PRO/100(B) Ethernet Adapter'
    class    = network
    subclass = ethernet
em1@pci3:8:0:	class=0x020000 card=0x811d1043 chip=0x10768086 rev=0x00 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = '82547EI Gigabit Ethernet Controller'
    class    = network
    subclass = ethernet
none3@pci3:9:0:	class=0x030000 card=0x80081002 chip=0x47521002 rev=0x27 hdr=0x00
    vendor   = 'ATI Technologies Inc'
    device   = 'Rage XL PCI'
    class    = display
    subclass = VGA

Controller /dev/usb0:
addr 1: full speed, self powered, config 1, UHCI root hub(0x0000), Intel(0x0000), rev 1.00
 port 1 powered
 port 2 powered
Controller /dev/usb1:
addr 1: full speed, self powered, config 1, UHCI root hub(0x0000), Intel(0x0000), rev 1.00
 port 1 powered
 port 2 addr 2: full speed, power 100 mA, config 1, USB-Serial Controller(0x2303), Prolific Technology Inc.(0x067b), rev 3.00
Controller /dev/usb2:
addr 1: high speed, self powered, config 1, EHCI root hub(0x0000), Intel(0x0000), rev 1.00
 port 1 powered
 port 2 powered
 port 3 powered
 port 4 powered

>Description:
With recurring switching of a modem, attached through a USB-COM connector, from DATA to FAX mode, the kernel panics. The panic occurs with a period of about 5 days:

putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
putc to a clist with no reserved cblocks
ucom0: read start failed


Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0x4c
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xc048170d
stack pointer	        = 0x10:0xd69649f4
frame pointer	        = 0x10:0xd6964a1c
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 33074 (chat)
trap number		= 12
panic: page fault
Uptime: 5d3h1m35s
Dumping 510 MB
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 256 272 288 304 320 336 352 368 384 400 416 432 448 464 480 496

kernel backtrace:
#0  doadump () at pcpu.h:160
160             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:160
During symbol reading, Incomplete CFI data; unspecified registers at 0xc04c64f0.
#1  0xc04c6bae in boot (howto=0x104) at /usr/src/sys/kern/kern_shutdown.c:410
#2  0xc04c6eb5 in panic (fmt=0xc0616267 "%s") at /usr/src/sys/kern/kern_shutdown.c:566
#3  0xc05efc38 in trap_fatal (frame=0xd69649b4, eva=0x0) at /usr/src/sys/i386/i386/trap.c:817
#4  0xc05ef95b in trap_pfault (frame=0xd69649b4, usermode=0x0, eva=0x4c) at /usr/src/sys/i386/i386/trap.c:735
#5  0xc05ef544 in trap (frame=
      {tf_fs = 0xc1a40018, tf_es = 0xd6960010, tf_ds = 0xc0470010, tf_edi = 0x0, tf_esi = 0xc2464280, tf_ebp = 0xd6964a1c, tf_isp = 0xd69649e0, tf_ebx = 0xc1a4c000, tf_edx = 0x0, tf_ecx = 0xc16e9f80, tf_eax = 0x0, tf_trapno = 0xc, tf_err = 0x0, tf_eip = 0xc048170d, tf_cs = 0x8, tf_eflags = 0x10246, tf_esp = 0xc16e7000, tf_ss = 0xd6964a10})
	      at /usr/src/sys/i386/i386/trap.c:425
#6  0xc05de8ca in calltrap () at /usr/src/sys/i386/i386/exception.s:140
#7  0xc1a40018 in ?? ()
#8  0xd6960010 in ?? ()
#9  0xc0470010 in ugen_do_read (sc=0xc2464280, endpt=0x0, uio=0xc04727b3, flag=0xc34bd100)
	      at /usr/src/sys/dev/usb/ugen.c:824
#10 0xc0472ad4 in uhci_abort_xfer (xfer=0xc1a4c000, status=USBD_NORMAL_COMPLETION) at /usr/src/sys/dev/usb/uhci.c:2022
#11 0xc0472937 in uhci_device_bulk_abort (xfer=0x0) at /usr/src/sys/dev/usb/uhci.c:1921
#12 0xc0481625 in usbd_ar_pipe (pipe=0xc2464280) at /usr/src/sys/dev/usb/usbdi.c:762
#13 0xc048134b in usbd_abort_pipe (pipe=0x0) at /usr/src/sys/dev/usb/usbdi.c:556
#14 0xc0744134 in ?? ()
#15 0xc2464280 in ?? ()
#16 0xd6964aa4 in ?? ()
#17 0xc0743956 in ?? ()
#18 0xc1742700 in ?? ()
#19 0x00000000 in ?? ()
#20 0xc04fcf19 in ttyioctl (dev=0x0, cmd=0x0, data=0xc04fcf19 "\203ûý¸\031", flag=0xc1743a00, td=0x0)
      at /usr/src/sys/kern/tty.c:2918
	  Previous frame inner to this frame (corrupt stack?)
				  

>How-To-Repeat:
Attach a modem through a USB-COM connector and execute AT commands in a loop with chat(8). After some time, the kernel will panic.

>Fix:
Unknown

>Release-Note:
>Audit-Trail:
>Unformatted:
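The trap block and kgdb backtrace in the report carry the facts a reader uses to classify this panic: a supervisor read from virtual address 0x4c, eax, edx and edi equal to 0 in the trap frame, and frames such as uhci_device_bulk_abort (xfer=0x0) and usbd_abort_pipe (pipe=0x0). A fault address that small is a struct member read through a NULL pointer, with 0x4c as the member's byte offset. The following C program is an added example, not code from the PR or from the FreeBSD tree: it parses an excerpt of that text (copied from the report) and reports the fault address, the zero-valued registers, and the non-prologue frames called with a 0x0 argument. The 0x1000 page size and the list of panic-prologue frames are assumptions. Treat the output as a shortlist only: kgdb itself warns of a corrupt stack here, and argument values in an unwound frame can be stale or optimized out, as the mismatch between usbd_ar_pipe (pipe=0xc2464280) and its caller usbd_abort_pipe (pipe=0x0) shows.

```c
/*
 * Added example (not from PR kern/82350 or the FreeBSD tree): first-pass
 * triage of an i386 "Fatal trap 12" report.  A fault address inside the
 * unmapped first page is the classic sign of reading a struct member through
 * a NULL pointer, and the address is then that member's byte offset.  SAMPLE
 * is excerpted from the report above; the 0x1000 page size and the list of
 * panic-prologue frames are this example's assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NULL_PAGE 0x1000u   /* i386 PAGE_SIZE; assumed unmapped at address 0 */
#define MAX_FRAMES 16

struct triage {
    uint32_t fault_addr;            /* "fault virtual address" */
    int null_deref;                 /* fault_addr < NULL_PAGE */
    char proc[32];                  /* "current process" name */
    char zero_regs[64];             /* trap-frame GPRs that held 0 */
    int nframes;
    char frames[MAX_FRAMES][48];    /* non-prologue frames with a 0x0 argument */
};

/* Frames every page-fault panic has; they are never the culprit. */
static const char *prologue[] = { "doadump", "boot", "panic", "trap_fatal",
                                  "trap_pfault", "trap", "calltrap", NULL };

static int in_prologue(const char *fn)
{
    for (int i = 0; prologue[i]; i++)
        if (strcmp(fn, prologue[i]) == 0) return 1;
    return 0;
}

/* Pointer just past `key` and any " \t=" separators, or NULL if absent. */
static const char *after(const char *text, const char *key)
{
    const char *p = strstr(text, key);
    if (!p) return NULL;
    p += strlen(key);
    while (*p == ' ' || *p == '\t' || *p == '=') p++;
    return p;
}

int triage_trap(const char *text, struct triage *t)
{
    static const char *regs[] = { "edi", "esi", "ebx", "edx", "ecx", "eax", NULL };
    const char *p;

    memset(t, 0, sizeof *t);
    if (!(p = after(text, "fault virtual address"))) return -1;
    t->fault_addr = (uint32_t)strtoul(p, NULL, 16);
    t->null_deref = t->fault_addr < NULL_PAGE;
    if ((p = after(text, "current process")) && (p = strchr(p, '(')))
        sscanf(p, "(%31[^)])", t->proc);

    for (int i = 0; regs[i]; i++) {     /* a zero GPR is the likely NULL base */
        char key[16];
        snprintf(key, sizeof key, "tf_%s = ", regs[i]);
        if ((p = strstr(text, key)) && strtoul(p + strlen(key), NULL, 16) == 0) {
            if (t->zero_regs[0]) strcat(t->zero_regs, " ");
            strcat(t->zero_regs, regs[i]);
        }
    }

    /* kgdb frames look like "#N 0x... in func (a=0x..., b=0x0) at file:line". */
    for (p = text; (p = strstr(p, "\n#")) != NULL; p++) {
        const char *in = strstr(p, " in "), *nl = strchr(p + 1, '\n');
        char fn[48] = "";
        if (!in || (nl && in > nl)) continue;
        sscanf(in + 4, "%47[^ (]", fn);
        if (!fn[0] || !strcmp(fn, "??") || in_prologue(fn)) continue;
        const char *args = strchr(in, '('), *close = args ? strchr(args, ')') : NULL;
        if (!close) continue;
        for (const char *z = args; (z = strstr(z, "=0x0")) && z < close; z++)
            if ((z[4] == ',' || z[4] == ')') && t->nframes < MAX_FRAMES) {
                snprintf(t->frames[t->nframes++], sizeof t->frames[0], "%s", fn);
                break;
            }
    }
    return 0;
}

/* Excerpt of the report's trap and kgdb output (tabs as in the original). */
static const char SAMPLE[] =
    "Fatal trap 12: page fault while in kernel mode\n"
    "fault virtual address\t= 0x4c\n"
    "fault code\t\t= supervisor read, page not present\n"
    "current process\t\t= 33074 (chat)\n"
    "#4  0xc05ef95b in trap_pfault (frame=0xd69649b4, usermode=0x0, eva=0x4c) at /usr/src/sys/i386/i386/trap.c:735\n"
    "#5  0xc05ef544 in trap (frame=\n"
    "      {tf_fs = 0xc1a40018, tf_es = 0xd6960010, tf_ds = 0xc0470010, tf_edi = 0x0, tf_esi = 0xc2464280, tf_ebp = 0xd6964a1c, tf_isp = 0xd69649e0, tf_ebx = 0xc1a4c000, "
    "tf_edx = 0x0, tf_ecx = 0xc16e9f80, tf_eax = 0x0, tf_trapno = 0xc, tf_err = 0x0, tf_eip = 0xc048170d, tf_cs = 0x8, tf_eflags = 0x10246, tf_esp = 0xc16e7000, tf_ss = 0xd6964a10})\n"
    "#7  0xc1a40018 in ?? ()\n"
    "#9  0xc0470010 in ugen_do_read (sc=0xc2464280, endpt=0x0, uio=0xc04727b3, flag=0xc34bd100)\n"
    "#11 0xc0472937 in uhci_device_bulk_abort (xfer=0x0) at /usr/src/sys/dev/usb/uhci.c:1921\n"
    "#12 0xc0481625 in usbd_ar_pipe (pipe=0xc2464280) at /usr/src/sys/dev/usb/usbdi.c:762\n"
    "#13 0xc048134b in usbd_abort_pipe (pipe=0x0) at /usr/src/sys/dev/usb/usbdi.c:556\n";

struct triage sample_triage;        /* filled in by run_sample() */
int run_sample(void) { return triage_trap(SAMPLE, &sample_triage); }
```

On the report's text, run_sample() yields fault address 0x4c (flagged as a NULL dereference, member offset 76), process chat, zero registers edi, edx and eax, and three non-prologue frames with a 0x0 argument: ugen_do_read, uhci_device_bulk_abort and usbd_abort_pipe. The ugen_do_read hit is a reminder that a zero integer argument (endpt) is not a NULL pointer; the frame names and the fault offset are what narrow the search to the abort path in the USB stack.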



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200506170548.j5H5mNKA004008>