>Number: 182820 >Category: usb >Synopsis: usbusX if destroy page fault panic >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-usb >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Oct 08 01:50:00 UTC 2013 >Closed-Date: >Last-Modified: >Originator: Alexander Vysokovskih >Release: 10.0-ALPHA4 r255933 >Organization: >Environment: FreeBSD sandbox-10.ural.org 10.0-ALPHA4 FreeBSD 10.0-ALPHA4 #0 r255933: Sun Sep 29 02:50:54 UTC 2013 r...@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 >Description: KDB: debugger backends: ddb KDB: current backend: ddb Copyright (c) 1992-2013 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD is a registered trademark of The FreeBSD Foundation. FreeBSD 10.0-ALPHA4 #0 r255933: Sun Sep 29 02:50:54 UTC 2013 r...@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 FreeBSD clang version 3.3 (tags/RELEASE_33/final 183502) 20130610 WARNING: WITNESS option enabled, expect reduced performance. CPU: Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz (2471.71-MHz K8-class CPU) Origin = "GenuineIntel" Id = 0x306a9 Family = 0x6 Model = 0x3a Stepping = 9 Features=0x1783fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2,HTT> Features2=0x201<SSE3,SSSE3> AMD Features=0x28100800<SYSCALL,NX,RDTSCP,LM> AMD Features2=0x1<LAHF> real memory = 2147418112 (2047 MB) avail memory = 2049912832 (1954 MB) Event timer "LAPIC" quality 400 ACPI APIC Table: <VBOX VBOXAPIC> FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs FreeBSD/SMP: 1 package(s) x 2 core(s) cpu0 (BSP): APIC ID: 0 cpu1 (AP): APIC ID: 1 random device not loaded; using insecure entropy ioapic0 <Version 1.1> irqs 0-23 on motherboard random: <Software, Yarrow> initialized kbd1 at kbdmux0 acpi0: <VBOX VBOXXSDT> on motherboard acpi0: Power Button (fixed) acpi0: Sleep Button (fixed) cpu0: <ACPI CPU> on acpi0 cpu1: <ACPI CPU> on acpi0 attimer0: <AT timer> port 0x40-0x43,0x50-0x53 on acpi0 Timecounter "i8254" frequency 1193182 Hz quality 0 Event timer "i8254" frequency 1193182 Hz quality 100 Timecounter "ACPI-fast" frequency 3579545 Hz quality 900 acpi_timer0: <32-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0 pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0 pci0: <ACPI PCI bus> on pcib0 isab0: <PCI-ISA bridge> at device 1.0 on pci0 isa0: <ISA bus> on isab0 atapci0: <Intel PIIX4 UDMA33 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xd000-0xd00f at device 1.1 on pci0 ata0: <ATA channel> at channel 0 on atapci0 ata1: <ATA channel> at channel 1 on atapci0 vgapci0: <VGA-compatible display> mem 0xe0000000-0xe07fffff irq 18 at device 2.0 on pci0 virtio_pci0: <VirtIO PCI Network adapter> port 0xd020-0xd03f irq 19 at device 3.0 on pci0 vtnet0: <VirtIO Networking Adapter> on virtio_pci0 virtio_pci0: host features: 0x410fdda3 <NotifyOnEmpty,VLanFilter,RxMode,ControlVq,Status,MrgRxBuf,TxUFO,TxTSOv6,TxTSOv4,RxUFO,RxTSOv6,RxTSOv4,MacAddress,RxChecksum,TxChecksum> virtio_pci0: negotiated features: 0xf99a3 <VLanFilter,RxMode,ControlVq,Status,MrgRxBuf,TxTSOv6,TxTSOv4,RxTSOv6,RxTSOv4,MacAddress,RxChecksum,TxChecksum> vtnet0: Ethernet address: 08:00:27:9e:bb:21 pci0: <base peripheral> at device 4.0 (no driver attached) ohci0: <OHCI (generic) USB controller> mem 0xf0404000-0xf0404fff irq 22 at device 6.0 on pci0 usbus0 on ohci0 pci0: <bridge> at device 7.0 (no driver attached) ehci0: <Intel 82801FB (ICH6) USB 2.0 controller> mem 0xf0405000-0xf0405fff irq 19 at device 11.0 on pci0 usbus1: EHCI version 1.0 usbus1 on ehci0 uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0 uart0: console (9600,n,8,1) battery0: <ACPI Control Method Battery> on acpi0 acpi_acad0: <AC Adapter> on acpi0 atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0 atkbd0: <AT Keyboard> irq 1 on atkbdc0 kbd0 at atkbd0 atkbd0: [GIANT-LOCKED] psm0: <PS/2 Mouse> irq 12 on atkbdc0 psm0: [GIANT-LOCKED] psm0: model IntelliMouse Explorer, device ID 4 orm0: <ISA Option ROMs> at iomem 0xc0000-0xc7fff,0xe2000-0xe2fff on isa0 sc0: <System console> at flags 0x100 on isa0 sc0: VGA <16 virtual consoles, flags=0x300> vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0 atrtc0: <AT realtime clock> at port 0x70 irq 8 on isa0 Event timer "RTC" frequency 32768 Hz quality 0 ppc0: cannot reserve I/O port range Timecounters tick every 10.000 msec usbus0: 12Mbps Full Speed USB v1.0 usbus1: 480Mbps High Speed USB v2.0 ugen0.1: <Apple> at usbus0 uhub0: <Apple OHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus0 ugen1.1: <Intel> at usbus1 uhub1: <Intel EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus1 ada0 at ata0 bus 0 scbus0 target 0 lun 0 ada0: <VBOX HARDDISK 1.0> ATA-6 device ada0: 33.300MB/s transfers (UDMA2, PIO 65536bytes) ada0: 8710MB (17839056 512 byte sectors: 16H 63S/T 16383C) ada0: Previously was known as ad0 cd0 at ata1 bus 0 scbus1 target 0 lun 0 cd0: <VBOX CD-ROM 1.0> Removable CD-ROM SCSI-0 device cd0: 33.300MB/s transfers (UDMA2, ATAPI 12bytes, PIO 65534bytes) cd0: Attempt to query device size failed: NOT READY, Medium not present Netvsc initializing... SMP: AP CPU #1 Launched! WARNING: WITNESS option enabled, expect reduced performance. uhub0: 8 ports with 8 removable, self powered Root mount waiting for: usbus1 usbus0 Root mount waiting for: usbus1 usbus0 ugen0.2: <PixArt> at usbus0 Root mount waiting for: usbus1 Root mount waiting for: usbus1 uhub1: 8 ports with 8 removable, self powered Trying to mount root from ufs:/dev/ada0p2 [rw]... WARNING: / was not properly dismounted WARNING: /: mount pending error: blocks 0 files 4 vtnet0: link state changed to UP ums0: <PixArt Microsoft USB Optical Mouse, class 0/0, rev 1.10/1.00, addr 2> on usbus0 ums0: 3 buttons and [XYZ] coordinates ID=0
--- Fatal trap 12: page fault while in kernel mode cpuid = 0; apic id = 00 fault virtual address = 0x10 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff80a8c5ec stack pointer = 0x28:0xfffffe007b7727e0 frame pointer = 0x28:0xfffffe007b772800 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 847 (ifconfig) Reading symbols from /boot/kernel/ums.ko.symbols...done. Loaded symbols for /boot/kernel/ums.ko.symbols #0 doadump (textdump=0) at pcpu.h:218 218 pcpu.h: No such file or directory. in pcpu.h (kgdb) bt #0 doadump (textdump=0) at pcpu.h:218 #1 0xffffffff8034136e in db_dump (dummy=<value optimized out>, dummy2=0, dummy3=0, dummy4=0x0) at /usr/src/sys/ddb/db_command.c:543 #2 0xffffffff80340e0d in db_command (cmd_table=<value optimized out>) at /usr/src/sys/ddb/db_command.c:449 #3 0xffffffff80340b84 in db_command_loop () at /usr/src/sys/ddb/db_command.c:502 #4 0xffffffff80343530 in db_trap (type=<value optimized out>, code=0) at /usr/src/sys/ddb/db_main.c:231 #5 0xffffffff808ef433 in kdb_trap (type=12, code=0, tf=<value optimized out>) at /usr/src/sys/kern/subr_kdb.c:654 #6 0xffffffff80cae62a in trap_fatal (frame=0xfffffe007b772730, eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:868 #7 0xffffffff80cae8e4 in trap_pfault (frame=0x0, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:699 #8 0xffffffff80cae0e0 in trap (frame=0xfffffe007b772730) at /usr/src/sys/amd64/amd64/trap.c:463 #9 0xffffffff80c95ec2 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:232 #10 0xffffffff80a8c5ec in nd6_purge (ifp=0xfffff8000256f800) at /usr/src/sys/netinet6/nd6.c:823 #11 0xffffffff80a778b9 in in6_ifdetach (ifp=0xfffff8000256f800) at /usr/src/sys/netinet6/in6_ifattach.c:813 ---Type <return> to continue, or q <return> to quit--- #12 0xffffffff8097b3d3 in if_detach (ifp=0xfffff8000256f800) at /usr/src/sys/net/if.c:871 #13 0xffffffff8075ebb2 in usbpf_clone_destroy (ifc=0xfffff800027d4d80, ifp=0xfffff8000256f800) at /usr/src/sys/dev/usb/usb_pf.c:225 #14 0xffffffff80980ae2 in if_clone_destroyif (ifc=0xfffff800027d4d80, ifp=0xfffff8000256f800) at /usr/src/sys/net/if_clone.c:333 #15 0xffffffff8098097e in if_clone_destroy (name=<value optimized out>) at /usr/src/sys/net/if_clone.c:291 #16 0xffffffff8097d806 in ifioctl (so=0xfffff80002c6f570, cmd=<value optimized out>, data=0xfffff8000279f660 "usbus0", td=0xfffff80002c02490) at /usr/src/sys/net/if.c:2513 #17 0xffffffff8090e94a in kern_ioctl (td=0xfffff80002c02490, fd=<value optimized out>, com=8) at file.h:319 #18 0xffffffff8090e62f in sys_ioctl (td=0xfffff80002c02490, uap=0xfffffe007b772b80) at /usr/src/sys/kern/sys_generic.c:698 #19 0xffffffff80caee35 in amd64_syscall (td=0xfffff80002c02490, traced=0) at subr_syscall.c:134 #20 0xffffffff80c961ab in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:391 #21 0x000000080119b9ca in ?? () Previous frame inner to this frame (corrupt stack?) Current language: auto; currently minimal (kgdb) (kgdb) fr 15 #15 0xffffffff8098097e in if_clone_destroy (name=<value optimized out>) at /usr/src/sys/net/if_clone.c:291 291 err = if_clone_destroyif(ifc, ifp); (kgdb) fr 14 #14 0xffffffff80980ae2 in if_clone_destroyif (ifc=0xfffff800027d4d80, ifp=0xfffff8000256f800) at /usr/src/sys/net/if_clone.c:333 333 err = (*ifc->ifc_destroy)(ifc, ifp); (kgdb) fr 13 #13 0xffffffff8075ebb2 in usbpf_clone_destroy (ifc=0xfffff800027d4d80, ifp=0xfffff8000256f800) at /usr/src/sys/dev/usb/usb_pf.c:225 225 if_detach(ifp); (kgdb) fr 12 #12 0xffffffff8097b3d3 in if_detach (ifp=0xfffff8000256f800) at /usr/src/sys/net/if.c:871 871 in6_ifdetach(ifp); (kgdb) fr 11 #11 0xffffffff80a778b9 in in6_ifdetach (ifp=0xfffff8000256f800) at /usr/src/sys/netinet6/in6_ifattach.c:813 813 nd6_purge(ifp); (kgdb) fr 10 #10 0xffffffff80a8c5ec in nd6_purge (ifp=0xfffff8000256f800) at /usr/src/sys/netinet6/nd6.c:823 823 if (ND_IFINFO(ifp)->flags & ND6_IFF_ACCEPT_RTADV) { (kgdb) print ifp $1 = (struct ifnet *) 0xfffff8000256f800 (kgdb) print *ifp $2 = {if_softc = 0xfffffe00008bb320, if_l2com = 0x0, if_vnet = 0x0, if_link = { tqe_next = 0x0, tqe_prev = 0xfffff80002570018}, if_xname = "usbus0\000\000\000\000\000\000\000\000\000", if_dname = 0xffffffff80ee5a5c "usbus", if_dunit = 0, if_refcount = 2, if_addrhead = {tqh_first = 0xfffff8000241d600, tqh_last = 0xfffff8000241d6c0}, if_pcount = 0, if_carp = 0x0, if_bpf = 0xfffff800027a3500, if_index = 3, if_index_reserved = 0, if_vlantrunk = 0x0, if_flags = 0, if_capabilities = 0, if_capenable = 0, if_linkmib = 0x0, if_linkmiblen = 0, if_data = {ifi_type = 160 '▒', ifi_physical = 0 '\0', ifi_addrlen = 0 '\0', ifi_hdrlen = 0 '\0', ifi_link_state = 0 '\0', ifi_vhid = 0 '\0', ifi_baudrate_pf = 0 '\0', ifi_datalen = 152 '\230', ifi_mtu = 0, ifi_metric = 0, ifi_baudrate = 0, ifi_ipackets = 0, ifi_ierrors = 0, ifi_opackets = 0, ifi_oerrors = 0, ifi_collisions = 0, ifi_ibytes = 0, ifi_obytes = 0, ifi_imcasts = 0, ifi_omcasts = 0, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 0, ifi_epoch = 52, ifi_lastchange = {tv_sec = 1381179412, tv_usec = 796566}}, if_multiaddrs = {tqh_first = 0x0, tqh_last = 0xfffff8000256f938}, if_amcount = 0, if_output = 0, if_input = 0, if_start = 0, if_ioctl = 0xffffffff8075f2b0 <usbpf_ioctl>, if_init = 0, if_resolvemulti = 0, if_qflush = 0xffffffff8097d550 <if_qflush>, if_transmit = 0xffffffff809800a0 <if_transmit>, if_reassign = 0, if_home_vnet = 0x0, if_addr = 0xfffff8000241d600, if_llsoftc = 0x0, if_drv_flags = 0, if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ---Type <return> to continue, or q <return> to quit--- ifq_maxlen = 50, ifq_drops = 0, ifq_mtx = {lock_object = { lo_name = 0xfffff8000256f828 "usbus0", lo_flags = 16973824, lo_data = 0, lo_witness = 0xfffffe00006d3d80}, mtx_lock = 4}, ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0, ifq_drv_maxlen = 0, altq_type = 0, altq_flags = 0, altq_disc = 0x0, altq_ifp = 0xfffff8000256f800, altq_enqueue = 0, altq_dequeue = 0, altq_request = 0, altq_clfier = 0x0, altq_classify = 0, altq_tbr = 0x0, altq_cdnr = 0x0}, if_broadcastaddr = 0x0, if_bridge = 0x0, if_label = 0x0, if_unused = {0x0, 0x0}, if_afdata = {0x0, 0x0, 0xfffff80002426f20, 0x0 <repeats 39 times>}, if_afdata_initialized = 2, if_afdata_lock = { lock_object = {lo_name = 0xffffffff80f27a92 "if_afdata", lo_flags = 86179840, lo_data = 0, lo_witness = 0xfffffe00006d3d00}, rw_lock = 1}, if_linktask = {ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, ta_func = 0xffffffff8097a5e0 <do_link_state_change>, ta_context = 0xfffff8000256f800}, if_addr_lock = {lock_object = { lo_name = 0xffffffff80f1ab75 "if_addr_lock", lo_flags = 86179840, lo_data = 0, lo_witness = 0xfffffe00006ccb80}, rw_lock = 1}, if_clones = {le_next = 0x0, le_prev = 0xfffff800027d4da8}, if_groups = { tqh_first = 0xfffff80002acd020, tqh_last = 0xfffff80002acd028}, if_pf_kif = 0x0, if_lagg = 0x0, if_description = 0x0, if_fib = 0, if_alloctype = 160 '▒', if_hw_tsomax = 65535, if_cspare = "\000\000", if_ispare = {0, 0, 0, 0}, if_pspare = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}} --- (kgdb) print ifp->if_afdata $3 = {0x0, 0x0, 0xfffff80002426f20, 0x0 <repeats 39 times>} (kgdb) print ifp->if_afdata[28] $4 = (void *) 0x0 --- There is no checks about existense of ifp scructure member used in ND_IFINFO macro in nd6_purge(). #define AF_INET6 28 /* IPv6 */ #define ND_IFINFO(ifp) \ (((struct in6_ifextra *)(ifp)->if_afdata[AF_INET6])->nd_ifinfo) mld6_var.h also contain same macro used in mld_ifdetach(): #define MLD_IFINFO(ifp) \ (((struct in6_ifextra *)(ifp)->if_afdata[AF_INET6])->mld_ifinfo) >How-To-Repeat: In my VirtualBox just new installed FreeBSD 10.0-ALPHA4 #r255933 panicked like: # ifconfig usbus0 create # ifconfig usbus0 destroy or # usbdump ^C >Fix: I think what my pretty simple patch not very smart at all. Why we should call in6_ifdetach() for usb interfaces? >Release-Note: >Audit-Trail: >Unformatted: _______________________________________________ freebsd-usb@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-usb To unsubscribe, send any mail to "freebsd-usb-unsubscr...@freebsd.org"