NetBSD Problem Report #50837

From www@NetBSD.org  Mon Feb 22 14:47:39 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id AC3967A213
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 22 Feb 2016 14:47:39 +0000 (UTC)
Message-Id: <20160222144738.8E0A67ACD9@mollari.NetBSD.org>
Date: Mon, 22 Feb 2016 14:47:38 +0000 (UTC)
From: dmcmahill@NetBSD.org
Reply-To: dmcmahill@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: kernel panic, fatal page fault in supervisor mode, USB mouse triggered
X-Send-Pr-Version: www-1.0

>Number:         50837
>Category:       kern
>Synopsis:       kernel panic, fatal page fault in supervisor mode, USB mouse triggered
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    skrll
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 22 14:50:00 +0000 2016
>Closed-Date:    Thu Sep 05 05:22:45 +0000 2019
>Last-Modified:  Thu Sep 05 05:22:45 +0000 2019
>Originator:     Dan McMahill
>Release:        7.0
>Organization:
>Environment:
NetBSD aaa.bbb.ccc.ddd 7.0 NetBSD 7.0 (GENERIC.201509250726Z) amd64


>Description:
I installed the released version of NetBSD-7.0 a month or two back on an HP ProLiant machine.  The machine isn't really doing anything as I've been swamped with other projects and haven't really done anything aside from install the OS.  Still, it has panicked several times (not good considering this is destined to replace a couple of ancient machines).  I've noticed that the USB keyboard/mouse seem to detach and reattach a lot and this seems to trigger the panic.  I am *not* running X.  Just the generic AMD64 kernel and console.  Actually, I have seen this panic both with a Xen DOMU kernel (the stock one from the 7.0 release) and a normal (non-Xen) kernel.

So far the panics (maybe every few weeks) have happened when I wasn't in front of the console.  Today, I was starting to poke around and see what info I could get for a PR.  I happened to wiggle the mouse and it produced:

wskbd0: detached
ukbd0: detached
uhidev0: detached
uhidev0: at uhub6 port 1 (addr 3) disconnected
wsmouse0: detached
ums0: detached
uhid0: detached
uhid1: detached
uhidev1: detached
uhidev1: at uhub6 port 1 (addr 3) disconnected
uvm_fault(0xffffffff8104c240, 0x0, 2) -> e
fatal page fault in supervisor mode
trap type 6 code 2 rip ffffffff809217e0 cs 8 rflags 10286 cr2 0 ilevel 8 rsp fffffe810ac64ec8
curlwp 0xfffffe810ac22960 pid 0.29 lowest kstack 0xfffffe810ac622c0
panic: trap
cpu0: Begin traceback...
vpanic() at netbsd:vpanic+0x13c
snprintf() at netbsd:snprintf
startlwp() at netbsd:startlwp
alltraps() at netbsd:alltraps+0x96
cpu0: End traceback...

dumping to dev 0,1 (offset=2640, size=1539886):


When I ran "dmesg -M netbsd.0.core -N netbsd.0" on a previous /var/crash/ crashdump, I saw something identical to the above.

If it matters, the keyboard is an older (but expensive) Kinesis keyboard connected via a PS2 to USB converter.  The mouse is an unknown USB mouse.  After the PS2 to USB converter it goes to a powered USB hub and then to a USB A/B switch (http://plugable.com/products/usb2-switch2) because I use the keyboard and mouse with another computer.  The other computer involved was happy with this arrangement for a year or so.  Then I replaced that one and had some issues with the mouse resetting a lot.  Adding the powered hub eliminated all issues on the other computer (a Windows 7 computer).

The PS2 to USB converter shows up as:

uhidev0: CHESEN PS2 to USB Converter, rev 1.10/0.10, addr 3, iclass 3/1 


Wiggling the mouse does not reliably panic the machine although it triggers the usb detach and attach messages nearly every time (even if I keep the A/B switch in the position which connects to the NetBSD computer in question).  


When the mouse is wiggled (after sitting a bit or switching A/B and back):

wskbd0: detached
ukbd0: detached
uhidev0: detached
uhidev0: at uhub6 port 1 (addr 3) disconnected
wsmouse0: detached
ums0: detached
uhid0: detached
uhid1: detached
uhidev1: detached
uhidev1: at uhub6 port 1 (addr 3) disconnected
uhidev0 at uhub6 port 1 configuration 1 interface 0
uhidev0: CHESEN PS2 to USB Converter, rev 1.10/0.10, addr 3, iclass 3/1
ukbd0 at uhidev0
wskbd0 at ukbd0 mux 1
wskbd0: connecting to wsdisplay0
uhidev1 at uhub6 port 1 configuration 1 interface 1
uhidev1: CHESEN PS2 to USB Converter, rev 1.10/0.10, addr 3, iclass 3/1
uhidev1: 3 report ids
ums0 at uhidev1 reportid 1: 5 buttons and Z dir
wsmouse0 at ums0 mux 0
uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 3: input=3, output=0, feature=0

That is for a successful switch.  I get this message fairly regularly even if I don't switch the A/B switch.


>How-To-Repeat:
Wiggle the mouse several times.  After about 2-5 times of getting the detached and attach messages, I get a panic.

>Fix:

>Release-Note:

>Audit-Trail:
From: Dan McMahill <dmcmahill@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/50837: kernel panic, fatal page fault in supervisor mode,
 USB mouse triggered
Date: Tue, 15 Mar 2016 16:27:12 -0400

 Here is some additional information.  It would appear that the panic 
 happens with the

 TAILQ_REMOVE(&taskq->tasks, task, next);

 in usb_task_thread around line 461 of usb.c.  I have built a DEBUG
 kernel with USB_DEBUG, DIAGNOSTIC, and also bumped up usbdebug to 2 in
 usb.c.  I also added some printf's right ahead of that TAILQ_REMOVE call.
 Here is an excerpt of what goes by before the crash.  Again, wiggling
 the mouse triggers detaches and attaches and it doesn't take doing it
 many times before a panic.


 usbd_reset_port: port 1 reset done, error=NORMAL_COMPLETION
 usbd_new_device bus=0xfffffe810ac4a048 port=1 depth=2 speed=1
 usbd_new_device: high speed port 0
 usbd_setup_pipe: dev=0xfffffe819db87e20 iface=0x0 ep=0xfffffe819db87e58 
 pipe=0xfffffe819db87d40
 usbd_reset_port: port 1 reset done, error=NORMAL_COMPLETION
 usbd_new_device: adding unit addr=3, rev=110, class=0, subclass=0, 
 protocol=0, maxpacket=8, len=18, speed=1
 usbd_setup_pipe: dev=0xfffffe819db87e20 iface=0x0 ep=0xfffffe819db87e58 
 pipe=0xfffffe819db87d40
 usbd_setup_pipe: dev=0xfffffe819db87e20 iface=0x0 ep=0xfffffe819db87e58 
 pipe=0xfffffe819db87d40
 usbd_new_device: new dev (addr 3), dev=0xfffffe819db87e20, 
 parent=0xfffffe819dba39c8
 usbd_probe_and_attach: trying device specific drivers
 usbd_probe_and_attach: no device specific driver found
 usbd_probe_and_attach: looping over 1 configurations
 usbd_probe_and_attach: trying config idx=0
 usbd_set_config_index: (addr 1) cno=3 attr=0xa0, selfpowered=0, power=100
 usbd_set_config_index: set config 1
 umidi_search_quirk: v=2689, p=517, i=0
 uhidev0 at uhub6 port 1 configuration 1 interface 0
 uhidev0: CHESEN PS2 to USB Converter, rev 1.10/0.10, addr 3, iclass 3/1
 ukbd0 at uhidev0: 8 modifier keys, 6 key codes
 usb_task_thread:  before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
                                         task  = 0xfffffe819dbbcf50
                                         &taskq->tasks = 0xffffffff811d33a0
 wskbd0 at ukbd0 mux 1
 usbd_setup_pipe: dev=0xfffffe819db87e20 iface=0xfffffe810acf2b10 
 ep=0xfffffe819dbfc4e8 pipe=0xfffffe819db872c0
 wskbd0: connecting to wsdisplay0
 umidi_search_quirk: v=2689, p=517, i=1
 uhidev1 at uhub6 port 1 configuration 1 interface 1
 uhidev1: CHESEN PS2 to USB Converter, rev 1.10/0.10, addr 3, iclass 3/1
 usb_task_thread:  before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
                                         task  = 0xfffffe819dbbcf50
                                         &taskq->tasks = 0xffffffff811d33a0
 usb_allocmem: large alloc 148
 usb_freemem: large free
 uhidev1: 3 report ids
 ums0 at uhidev1 reportid 1: 5 buttons and Z dir
 wsmouse0 at ums0 mux 0
 uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
 uhid1 at uhidev1 reportid 3: input=3, output=0, feature=0
 usb_task_thread:  before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
                                         task  = 0xfffffe819db87300
                                         &taskq->tasks = 0xffffffff811d33a0
 usbd_do_request_flags_pipe: returning err=IOERROR
 usb_task_thread:  before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
                                         task  = 0xfffffe819db87300
                                         &taskq->tasks = 0xffffffff811d33a0
 usbd_do_request_flags_pipe: returning err=IOERROR
 usb_task_thread:  before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
                                         task  = 0xfffffe819db87300
                                         &taskq->tasks = 0xffffffff811d33a0
 usbd_do_request_flags_pipe: returning err=IOERROR
 usb_task_thread:  before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
                                         task  = 0xfffffe819db87300
                                         &taskq->tasks = 0xffffffff811d33a0
 wskbd0: disconnecting from wsdisplay0
 wskbd0: detached
 ukbd0: detached
 uhidev0: detached
 uhidev0: at uhub6 port 1 (addr 3) disconnected
 wsmouse0: detached
 ums0: detached
 uhid0: detached
 uhid1: detached
 uhidev1: detached
 uhidev1: at uhub6 port 1 (addr 3) disconnected
 usbd_do_request_flags_pipe: returning err=CANCELLED
 usb_task_thread:  before TAILQ_REMOVE: taskq = 0xffffffff811d33a0
                                         task  = 0xfffffe819db87300
                                         &taskq->tasks = 0xffffffff811d33a0
 fatal protection fault in supervisor mode
 trap type 4 code 0 rip ffffffff809bcfb7 cs 8 rflags 10286 cr2 
 7f7ff7359100 ilevel 8 rsp fffffe810acaaec8
 curlwp 0xfffffe810ac49960 pid 0.29 lowest kstack 0xfffffe810aca72c0
 panic: trap
 cpu1: Begin traceback...
 vpanic() at netbsd:vpanic+0x13c
 snprintf() at netbsd:snprintf
 startlwp() at netbsd:startlwp
 alltraps() at netbsd:alltraps+0x9e
 cpu1: End traceback...

 dumping to dev 0,1 (offset=2640, size=1539886):
 dump <4>amdtemp0: workqueue busy: updates stopped


 This is what gdb gave:

 (gdb) x/i 0xffffffff809bcfb7
     0xffffffff809bcfb7 <usb_task_thread+214>:    mov    %rdx,0x8(%rax)
 (gdb) list *0xffffffff809bcfb7
 0xffffffff809bcfb7 is in usb_task_thread (../../../../dev/usb/usb.c:464).
 459                     if (task != NULL) {
 460                             mpsafe = ISSET(task->flags, USB_TASKQ_MPSAFE);
 461                             DPRINTFN(1, ("usb_task_thread:  before TAILQ_REMOVE: taskq = %p\n", taskq));
 462                             DPRINTFN(1, ("                task  = %p\n", task));
 463                             DPRINTFN(1, ("                &taskq->tasks = %p\n", &taskq->tasks));
 464                             TAILQ_REMOVE(&taskq->tasks, task, next);
 465                             task->queue = USB_NUM_TASKQS;
 466                             mutex_exit(&taskq->lock);
 467
 468                             if (!mpsafe)
 (gdb)

 If any developer wants to poke around, ~dmcmahill/PR50837 on 
 ftp.netbsd.org has the kernel with symbols, and the crash dump from 
 /var/crash.
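
Added illustration (not part of the original report, not NetBSD source, and not a diagnosis of this PR): TAILQ_REMOVE stores through the pointers saved inside the element, so it is only safe on an element that is really linked on that queue. The sketch below pairs a "not queued" marker like the task->queue = USB_NUM_TASKQS assignment in the listing above with a link check before unlinking; struct task, NUM_TASKQS and the task_* helpers are hypothetical names.

```c
/* Added sketch, not usb.c: struct task, NUM_TASKQS and task_* are hypothetical. */
#include <stdio.h>
#include <sys/queue.h>
#define NUM_TASKQS 2                 /* doubles as the "not queued" marker */

struct task {
    TAILQ_ENTRY(task) next;
    unsigned queue;                  /* queue index, or NUM_TASKQS when idle */
};
TAILQ_HEAD(task_head, task);
static struct task_head taskqs[NUM_TASKQS];

void taskq_init(void) {
    for (unsigned i = 0; i < NUM_TASKQS; i++) TAILQ_INIT(&taskqs[i]);
}

/* Queue a task once; returns 1 if queued, 0 if already pending or bad index. */
int task_add(struct task *t, unsigned q) {
    if (q >= NUM_TASKQS || t->queue != NUM_TASKQS) return 0;
    TAILQ_INSERT_TAIL(&taskqs[q], t, next);
    t->queue = q;
    return 1;
}

/* Both neighbours (or the head's tail pointer) must still point back at t. */
static int links_ok(struct task_head *h, struct task *t) {
    struct task *n = TAILQ_NEXT(t, next);
    struct task **back = n ? n->next.tqe_prev : h->tqh_last;
    return *t->next.tqe_prev == t && back == &t->next.tqe_next;
}

/* Returns 1 if unlinked, 0 if not queued, -1 if the links are stale. */
int task_rem(struct task *t) {
    if (t->queue >= NUM_TASKQS) return 0;
    if (!links_ok(&taskqs[t->queue], t)) return -1;  /* refuse to store via stale links */
    TAILQ_REMOVE(&taskqs[t->queue], t, next);
    t->queue = NUM_TASKQS;
    return 1;
}

int main(void) {
    struct task a = { .queue = NUM_TASKQS }, b = { .queue = NUM_TASKQS };
    taskq_init();
    task_add(&b, 0); task_add(&a, 0);
    int first = task_rem(&a), again = task_rem(&a);  /* second call is a no-op */
    a.queue = 0;                     /* constructed fault: marker claims "queued" */
    printf("first=%d again=%d stale=%d\n", first, again, task_rem(&a));
    return 0;
}
```

The link check only catches stale links that still point into valid memory; it is a diagnostic aid, not a substitute for correct locking and task lifetime handling.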


Responsible-Changed-From-To: kern-bug-people->skrll
Responsible-Changed-By: skrll@NetBSD.org
Responsible-Changed-When: Sat, 19 Mar 2016 11:26:39 +0000
Responsible-Changed-Why:
Take


State-Changed-From-To: open->feedback
State-Changed-By: skrll@NetBSD.org
State-Changed-When: Wed, 22 Nov 2017 19:15:46 +0000
State-Changed-Why:
Please try latest netbsd-7/netbsd-8/head and report results


State-Changed-From-To: feedback->closed
State-Changed-By: skrll@NetBSD.org
State-Changed-When: Thu, 05 Sep 2019 05:22:45 +0000
State-Changed-Why:
Timeout on feedback


>Unformatted:
