On 09/29/16 20:20, Alexander Motin wrote:
On 29.09.2016 02:40, Hans Petter Selasky wrote:
On 09/29/16 11:24, Jan Henrik Sylvester wrote:
On 09/29/2016 10:17, Hans Petter Selasky wrote:

I created this differential review:


Jan Henrik: Can you download this patch and try it instead of the one I


Pulling the naked USB 3.0 ExpressCard without detaching it does not lead
to a panic anymore.

Anyhow, the scenario that happened frequently on 10.3 for me without a
panic was pulling the USB 3.0 ExpressCard together with an usb stick.
That still leads to a panic on 11.0 + D8070:

fault code                      = supervisor read data, page not present
instruction pointer        = 0x20:0xffffffff80ab48ca
stack pointer            = 0x28:0xfffffe022476ba20
frame pointer            = 0x28:0xfffffe022476baa0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process            = 4 (doneq0)
trap number                     = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff80b24107 at kdb_backtrace+0x67
#1 0xffffffff80ad93e2 at vpanic+0x182
#2 0xffffffff80ad9253 at panic+0x43
#3 0xffffffff80fa0d31 at trap_fatal+0x351
#4 0xffffffff80fa0f23 at trap_pfault+0x1e3
#5 0xffffffff80fa04cc at trap+0x26c
#6 0xffffffff80f841d1 at calltrap+0x8
#7 0xffffffff8030a879 at xpt_release_simq+0x79
#8 0xffffffff8030a649 at xpt_async_process+0x409
#9 0xffffffff8030b187 at xpt_done_process+0x807
#10 0xffffffff8030d916 at xpt_done_td+0x146
#11 0xffffffff80a90055 at fork_exit+0x85
#12 0xffffffff80f8467e at fork_trampoline+0xe


This panic seems to be an issue within the CAM subsystem. Apparently the
CAM sim detach is not waiting for the release to complete, so functions
inside umass.ko are referred after umass.ko is unloaded.

imp+mav: Any comments?

cam_sim_free() that should be called as part of SIM destruction process
waits for all of SIM references to be dropped, that also recursively
implies all other references.  It worked file last time I tested it, but
it was quite a long time ago.  I can not say what went wrong here, but I
guess that either USB somehow did not wait for cam_sim_free(), or
something somewhere did not do reference counting properly, allowing
destruction of some still referenced item.


I've updated:


Can you tra again Jan?

Also, can you get some more dmesg, from the panicing case?

freebsd-usb@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-usb-unsubscr...@freebsd.org"

Reply via email to