On 29.09.2016 02:40, Hans Petter Selasky wrote:
> On 09/29/16 11:24, Jan Henrik Sylvester wrote:
>> On 09/29/2016 10:17, Hans Petter Selasky wrote:
>>> Hi,
>>>
>>> I created this differential review:
>>>
>>> https://reviews.freebsd.org/D8070
>>>
>>> Jan Henrik: Can you download this patch and try it instead of the one I
>>> sent?
>>>
>>> --HPS
>>
>> Pulling the naked USB 3.0 ExpressCard without detaching it does not lead
>> to a panic anymore.
>>
>> Anyhow, the scenario that happened frequently on 10.3 for me without a
>> panic was pulling the USB 3.0 ExpressCard together with an usb stick.
>> That still leads to a panic on 11.0 + D8070:
>>
>> fault code                      = supervisor read data, page not present
>> instruction pointer        = 0x20:0xffffffff80ab48ca
>> stack pointer            = 0x28:0xfffffe022476ba20
>> frame pointer            = 0x28:0xfffffe022476baa0
>> code segment            = base 0x0, limit 0xfffff, type 0x1b
>>                 = DPL 0, pres 1, long 1, def32 0, gran 1
>> processor eflags        = interrupt enabled, resume, IOPL = 0
>> current process            = 4 (doneq0)
>> trap number                     = 12
>> panic: page fault
>> cpuid = 1
>> KDB: stack backtrace:
>> #0 0xffffffff80b24107 at kdb_backtrace+0x67
>> #1 0xffffffff80ad93e2 at vpanic+0x182
>> #2 0xffffffff80ad9253 at panic+0x43
>> #3 0xffffffff80fa0d31 at trap_fatal+0x351
>> #4 0xffffffff80fa0f23 at trap_pfault+0x1e3
>> #5 0xffffffff80fa04cc at trap+0x26c
>> #6 0xffffffff80f841d1 at calltrap+0x8
>> #7 0xffffffff8030a879 at xpt_release_simq+0x79
>> #8 0xffffffff8030a649 at xpt_async_process+0x409
>> #9 0xffffffff8030b187 at xpt_done_process+0x807
>> #10 0xffffffff8030d916 at xpt_done_td+0x146
>> #11 0xffffffff80a90055 at fork_exit+0x85
>> #12 0xffffffff80f8467e at fork_trampoline+0xe
>>
> 
> Hi,
> 
> This panic seems to be an issue within the CAM subsystem. Apparently the
> CAM sim detach is not waiting for the release to complete, so functions
> inside umass.ko are referred after umass.ko is unloaded.
> 
> imp+mav: Any comments?

cam_sim_free() that should be called as part of SIM destruction process
waits for all of SIM references to be dropped, that also recursively
implies all other references.  It worked file last time I tested it, but
it was quite a long time ago.  I can not say what went wrong here, but I
guess that either USB somehow did not wait for cam_sim_free(), or
something somewhere did not do reference counting properly, allowing
destruction of some still referenced item.

-- 
Alexander Motin
_______________________________________________
freebsd-usb@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-usb
To unsubscribe, send any mail to "freebsd-usb-unsubscr...@freebsd.org"

Reply via email to