NetBSD-Bugs archive
Re: kern/50837: kernel panic, fatal page fault in supervisor mode, USB mouse triggered
The following reply was made to PR kern/50837; it has been noted by GNATS.
From: Dan McMahill <dmcmahill%NetBSD.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc:
Subject: Re: kern/50837: kernel panic, fatal page fault in supervisor mode,
USB mouse triggered
Date: Tue, 15 Mar 2016 16:27:12 -0400
Here is some additional information. It would appear that the panic
happens with the
    TAILQ_REMOVE(&taskq->tasks, task, next);
in usb_task_thread around line 461 of usb.c. I have built a DEBUG
kernel with USB_DEBUG, DIAGNOSTIC, and also bumped up usbdebug to 2 in
usb.c. I also added some printf's right ahead of that TAILQ_REMOVE call.
Here is an excerpt of what goes by before the crash. Again, wiggling
the mouse triggers detaches and attaches and it doesn't take doing it
many times before a panic.
usbd_reset_port: port 1 reset done, error=NORMAL_COMPLETION
usbd_new_device bus=0xfffffe810ac4a048 port=1 depth=2 speed=1
usbd_new_device: high speed port 0
usbd_setup_pipe: dev=0xfffffe819db87e20 iface=0x0 ep=0xfffffe819db87e58
pipe=0xfffffe819db87d40
usbd_reset_port: port 1 reset done, error=NORMAL_COMPLETION
usbd_new_device: adding unit addr=3, rev=110, class=0, subclass=0,
protocol=0, maxpacket=8, len=18, speed=1
usbd_setup_pipe: dev=0xfffffe819db87e20 iface=0x0 ep=0xfffffe819db87e58
pipe=0xfffffe819db87d40
usbd_setup_pipe: dev=0xfffffe819db87e20 iface=0x0 ep=0xfffffe819db87e58
pipe=0xfffffe819db87d40
usbd_new_device: new dev (addr 3), dev=0xfffffe819db87e20,
parent=0xfffffe819dba39c8
usbd_probe_and_attach: trying device specific drivers
usbd_probe_and_attach: no device specific driver found
usbd_probe_and_attach: looping over 1 configurations
usbd_probe_and_attach: trying config idx=0
usbd_set_config_index: (addr 1) cno=3 attr=0xa0, selfpowered=0, power=100
usbd_set_config_index: set config 1
umidi_search_quirk: v=2689, p=517, i=0
uhidev0 at uhub6 port 1 configuration 1 interface 0
uhidev0: CHESEN PS2 to USB Converter, rev 1.10/0.10, addr 3, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
usb_task_thread: before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
task = 0xfffffe819dbbcf50
&taskq->tasks = 0xffffffff811d33a0
wskbd0 at ukbd0 mux 1
usbd_setup_pipe: dev=0xfffffe819db87e20 iface=0xfffffe810acf2b10
ep=0xfffffe819dbfc4e8 pipe=0xfffffe819db872c0
wskbd0: connecting to wsdisplay0
umidi_search_quirk: v=2689, p=517, i=1
uhidev1 at uhub6 port 1 configuration 1 interface 1
uhidev1: CHESEN PS2 to USB Converter, rev 1.10/0.10, addr 3, iclass 3/1
usb_task_thread: before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
task = 0xfffffe819dbbcf50
&taskq->tasks = 0xffffffff811d33a0
usb_allocmem: large alloc 148
usb_freemem: large free
uhidev1: 3 report ids
ums0 at uhidev1 reportid 1: 5 buttons and Z dir
wsmouse0 at ums0 mux 0
uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 3: input=3, output=0, feature=0
usb_task_thread: before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
task = 0xfffffe819db87300
&taskq->tasks = 0xffffffff811d33a0
usbd_do_request_flags_pipe: returning err=IOERROR
usb_task_thread: before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
task = 0xfffffe819db87300
&taskq->tasks = 0xffffffff811d33a0
usbd_do_request_flags_pipe: returning err=IOERROR
usb_task_thread: before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
task = 0xfffffe819db87300
&taskq->tasks = 0xffffffff811d33a0
usbd_do_request_flags_pipe: returning err=IOERROR
usb_task_thread: before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
task = 0xfffffe819db87300
&taskq->tasks = 0xffffffff811d33a0
wskbd0: disconnecting from wsdisplay0
wskbd0: detached
ukbd0: detached
uhidev0: detached
uhidev0: at uhub6 port 1 (addr 3) disconnected
wsmouse0: detached
ums0: detached
uhid0: detached
uhid1: detached
uhidev1: detached
uhidev1: at uhub6 port 1 (addr 3) disconnected
usbd_do_request_flags_pipe: returning err=CANCELLED
usb_task_thread: before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
task = 0xfffffe819db87300
&taskq->tasks = 0xffffffff811d33a0
fatal protection fault in supervisor mode
trap type 4 code 0 rip ffffffff809bcfb7 cs 8 rflags 10286 cr2
7f7ff7359100 ilevel 8 rsp fffffe810acaaec8
curlwp 0xfffffe810ac49960 pid 0.29 lowest kstack 0xfffffe810aca72c0
panic: trap
cpu1: Begin traceback...
vpanic() at netbsd:vpanic+0x13c
snprintf() at netbsd:snprintf
startlwp() at netbsd:startlwp
alltraps() at netbsd:alltraps+0x9e
cpu1: End traceback...
dumping to dev 0,1 (offset=2640, size=1539886):
dump <4>amdtemp0: workqueue busy: updates stopped
This is what gdb gave:
(gdb) x/i 0xffffffff809bcfb7
0xffffffff809bcfb7 <usb_task_thread+214>: mov %rdx,0x8(%rax)
(gdb) list *0xffffffff809bcfb7
0xffffffff809bcfb7 is in usb_task_thread (../../../../dev/usb/usb.c:464).
459 if (task != NULL) {
460 mpsafe = ISSET(task->flags,
USB_TASKQ_MPSAFE);
461 DPRINTFN(1, ("usb_task_thread: before
TAILQ_REMOVE: taskq = %p\n", taskq));
462 DPRINTFN(1, ("
task = %p\n", task));
463 DPRINTFN(1, ("
&taskq->tasks = %p\n", &taskq->tasks));
464 TAILQ_REMOVE(&taskq->tasks, task, next);
465 task->queue = USB_NUM_TASKQS;
466 mutex_exit(&taskq->lock);
467
468 if (!mpsafe)
(gdb)
If any developer wants to poke around, ~dmcmahill/PR50837 on
ftp.netbsd.org has the kernel with symbols, and the crash dump from
/var/crash.
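
The following is an added example, not part of the original message and not NetBSD code: a user-space sketch of the stores a tail-queue remove makes through the element's own link pointers, next to a checked variant that refuses to unlink an element whose neighbours do not point back at it. The names `struct task`, `struct taskq` and the `tq_*` functions are hypothetical; the layout is a hand-written stand-in for `<sys/queue.h>`, and the offset comment assumes an LP64 target.

```c
#include <stddef.h>
/* Hand-written stand-in for the <sys/queue.h> tail-queue layout;
 * struct task and struct taskq are hypothetical, not the kernel's types. */
struct task  { struct task *next; struct task **prev; };   /* tqe_next, tqe_prev */
struct taskq { struct task *first; struct task **last; };  /* tqh_first, tqh_last */

static void tq_init(struct taskq *q) { q->first = NULL; q->last = &q->first; }

static void tq_insert_tail(struct taskq *q, struct task *t)
{
	t->next = NULL;
	t->prev = q->last;
	*q->last = t;
	q->last = &t->next;
}

/* The stores a tail-queue remove performs, with no validation. */
static void tq_remove(struct taskq *q, struct task *t)
{
	if (t->next != NULL)
		t->next->prev = t->prev;  /* write at offset 8 of the successor (LP64) */
	else
		q->last = t->prev;
	*t->prev = t->next;
}

/* Checked remove: 0 on success, -1 if the neighbours do not point back at t. */
static int tq_remove_checked(struct taskq *q, struct task *t)
{
	struct task **back = t->next != NULL ? &t->next->prev : &q->last;
	if (t->prev == NULL || *t->prev != t || *back != &t->next)
		return -1;                /* t is not linked on q as it claims */
	tq_remove(q, t);
	t->next = NULL;               /* clear links so a repeat is caught */
	t->prev = NULL;
	return 0;
}

int main(void)
{
	struct taskq q;
	struct task a = {0}, b = {0};             /* constructed sample tasks */
	tq_init(&q);
	tq_insert_tail(&q, &a);
	tq_insert_tail(&q, &b);
	int first = tq_remove_checked(&q, &a);    /* links intact */
	int again = tq_remove_checked(&q, &a);    /* already unlinked */
	return (first == 0 && again == -1) ? 0 : 1;
}
```

The check only catches links that are stale but still readable; it does not establish what went wrong with the queue in this PR.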