Re: USB removal kernel panic
On 2020-01-15 19:15, Martin Pieuchot wrote: > Diff below should fix the issue. Yep, no more panics for me as a result of unplugging, thank you to all involved.
Re: USB removal kernel panic
ср, 15 янв. 2020 г. в 22:15, Martin Pieuchot : > > On 15/01/20(Wed) 20:26, Vadim Zhukov wrote: > > I have a diff or two for that, will send when I'll come home. > > After discussing the issue with Peter Stuge, we figured out that > the free should happen *after* calling config_detach() for the child > device (video(4)). > > When video(4) is detached it will call: > > vdevgone()->videoclose()->uvideo_close() > > this last function will sleep until all I/O are finished or cancelled as > part of usbd_pipe_close(9). > > Diff below should fix the issue. Looks good; works here on amd64 with 2 different uvideo(4) devices, including broken one. > Index: dev/video.c > === > RCS file: /cvs/src/sys/dev/video.c,v > retrieving revision 1.42 > diff -u -p -r1.42 video.c > --- dev/video.c 6 Oct 2019 17:13:10 - 1.42 > +++ dev/video.c 15 Jan 2020 19:11:20 - > @@ -463,9 +463,6 @@ videodetach(struct device *self, int fla > struct video_softc *sc = (struct video_softc *)self; > int maj, mn; > > - if (sc->sc_fbuffer != NULL) > - free(sc->sc_fbuffer, M_DEVBUF, sc->sc_fbufferlen); > - > /* locate the major number */ > for (maj = 0; maj < nchrdev; maj++) > if (cdevsw[maj].d_open == videoopen) > @@ -474,6 +471,8 @@ videodetach(struct device *self, int fla > /* Nuke the vnodes for any open instances (calls close). */ > mn = self->dv_unit; > vdevgone(maj, mn, mn, VCHR); > + > + free(sc->sc_fbuffer, M_DEVBUF, sc->sc_fbufferlen); > > return (0); > } > Index: dev/usb/uvideo.c > === > RCS file: /cvs/src/sys/dev/usb/uvideo.c,v > retrieving revision 1.205 > diff -u -p -r1.205 uvideo.c > --- dev/usb/uvideo.c14 Oct 2019 09:20:48 - 1.205 > +++ dev/usb/uvideo.c15 Jan 2020 19:09:48 - > @@ -644,10 +644,10 @@ uvideo_detach(struct device *self, int f > /* Wait for outstanding requests to complete */ > usbd_delay_ms(sc->sc_udev, UVIDEO_NFRAMES_MAX); > > - uvideo_vs_free_frame(sc); > - > if (sc->sc_videodev != NULL) > rv = config_detach(sc->sc_videodev, flags); > + > + uvideo_vs_free_frame(sc); > > return (rv); > } -- WBR, Vadim Zhukov
Re: USB removal kernel panic
On 15/01/20(Wed) 20:26, Vadim Zhukov wrote: > I have a diff or two for that, will send when I'll come home. After discussing the issue with Peter Stuge, we figured out that the free should happen *after* calling config_detach() for the child device (video(4)). When video(4) is detached it will call: vdevgone()->videoclose()->uvideo_close() this last function will sleep until all I/O are finished or cancelled as part of usbd_pipe_close(9). Diff below should fix the issue. Index: dev/video.c === RCS file: /cvs/src/sys/dev/video.c,v retrieving revision 1.42 diff -u -p -r1.42 video.c --- dev/video.c 6 Oct 2019 17:13:10 - 1.42 +++ dev/video.c 15 Jan 2020 19:11:20 - @@ -463,9 +463,6 @@ videodetach(struct device *self, int fla struct video_softc *sc = (struct video_softc *)self; int maj, mn; - if (sc->sc_fbuffer != NULL) - free(sc->sc_fbuffer, M_DEVBUF, sc->sc_fbufferlen); - /* locate the major number */ for (maj = 0; maj < nchrdev; maj++) if (cdevsw[maj].d_open == videoopen) @@ -474,6 +471,8 @@ videodetach(struct device *self, int fla /* Nuke the vnodes for any open instances (calls close). */ mn = self->dv_unit; vdevgone(maj, mn, mn, VCHR); + + free(sc->sc_fbuffer, M_DEVBUF, sc->sc_fbufferlen); return (0); } Index: dev/usb/uvideo.c === RCS file: /cvs/src/sys/dev/usb/uvideo.c,v retrieving revision 1.205 diff -u -p -r1.205 uvideo.c --- dev/usb/uvideo.c14 Oct 2019 09:20:48 - 1.205 +++ dev/usb/uvideo.c15 Jan 2020 19:09:48 - @@ -644,10 +644,10 @@ uvideo_detach(struct device *self, int f /* Wait for outstanding requests to complete */ usbd_delay_ms(sc->sc_udev, UVIDEO_NFRAMES_MAX); - uvideo_vs_free_frame(sc); - if (sc->sc_videodev != NULL) rv = config_detach(sc->sc_videodev, flags); + + uvideo_vs_free_frame(sc); return (rv); }
Re: USB removal kernel panic
I have a diff or two for that, will send when I'll come home. ср, 15 янв. 2020 г., 19:28 Martin Pieuchot : > Thanks for the report. > > > ddb{0}> > memcpy(80165000,fd804da1f728,8d8,80165000,b5bd47118 > > ed5c95a,80165000) at memcpy+0x15 > > uvideo_vs_cb(fd80778f2870,801667d8,0) at uvideo_vs_cb+0x8b > > usb_transfer_complete(fd80778f2870) at usb_transfer_complete+0x20f > > xhci_event_dequeue(800af000) at xhci_event_dequeue+0x103 > > xhci_softintr(800af000) at xhci_softintr+0x2d > > softintr_dispatch(1) at softintr_dispatch+0xf2 > > Xsoftnet(0,819c05e0,0,18041969,80,a) at Xsoftnet+0x1f > > Xspllower(0,0,c7ef80837208d4cc,8159c000,81983ee1,708000) > at Xsp > > llower+0x19 > > free(8159c000,2,708000) at free+0x160 > > uvideo_detach(80165000,1) at uvideo_detach+0x71 > > config_detach(80165000,1) at config_detach+0x152 > > usbd_detach(80137500,80086d00) at usbd_detach+0x5a > > uhub_port_connect(80086d00,4,2a0,286) at uhub_port_connect+0x68 > > uhub_explore(800a9500) at uhub_explore+0x23d > > usb_explore(800a9400) at usb_explore+0x12b > > usb_task_thread(80001f8efb30) at usb_task_thread+0x10b > > end trace frame: 0x0, count: -16 > > ddb{0}> > memcpy(80165000,fd804da1f728,8d8,80165000,b5bd47118 > > It seems that the pipe aren't close when uvideo_detach() is called. > This is similar to the recent race fixed in uhidev(4). It would be > great to find a generic way of handling this situation. > > uhidev_detach() calls vdevgone() for example... > >
Re: USB removal kernel panic
Thanks for the report. > ddb{0}> > memcpy(80165000,fd804da1f728,8d8,80165000,b5bd47118 > ed5c95a,80165000) at memcpy+0x15 > uvideo_vs_cb(fd80778f2870,801667d8,0) at uvideo_vs_cb+0x8b > usb_transfer_complete(fd80778f2870) at usb_transfer_complete+0x20f > xhci_event_dequeue(800af000) at xhci_event_dequeue+0x103 > xhci_softintr(800af000) at xhci_softintr+0x2d > softintr_dispatch(1) at softintr_dispatch+0xf2 > Xsoftnet(0,819c05e0,0,18041969,80,a) at Xsoftnet+0x1f > Xspllower(0,0,c7ef80837208d4cc,8159c000,81983ee1,708000) at > Xsp > llower+0x19 > free(8159c000,2,708000) at free+0x160 > uvideo_detach(80165000,1) at uvideo_detach+0x71 > config_detach(80165000,1) at config_detach+0x152 > usbd_detach(80137500,80086d00) at usbd_detach+0x5a > uhub_port_connect(80086d00,4,2a0,286) at uhub_port_connect+0x68 > uhub_explore(800a9500) at uhub_explore+0x23d > usb_explore(800a9400) at usb_explore+0x12b > usb_task_thread(80001f8efb30) at usb_task_thread+0x10b > end trace frame: 0x0, count: -16 > ddb{0}> > memcpy(80165000,fd804da1f728,8d8,80165000,b5bd47118 It seems that the pipe aren't close when uvideo_detach() is called. This is similar to the recent race fixed in uhidev(4). It would be great to find a generic way of handling this situation. uhidev_detach() calls vdevgone() for example...
USB removal kernel panic
>Synopsis: >Category: >Environment: System : OpenBSD 6.6 Details : OpenBSD 6.6 (GENERIC.MP) #3: Thu Nov 21 03:20:01 MST 2019 r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP Architecture: OpenBSD.amd64 Machine : amd64 >Description: e kernel: page fault trap, code=0 Stopped at memcpy+0x15:repe movsq (%rsi),%es:(%rdi) ddb{0}> ddb{0}> ddb{0}> No such command ddb{0}> memcpy(80165000,fd804da1f728,8d8,80165000,b5bd47118 ed5c95a,80165000) at memcpy+0x15 uvideo_vs_cb(fd80778f2870,801667d8,0) at uvideo_vs_cb+0x8b usb_transfer_complete(fd80778f2870) at usb_transfer_complete+0x20f xhci_event_dequeue(800af000) at xhci_event_dequeue+0x103 xhci_softintr(800af000) at xhci_softintr+0x2d softintr_dispatch(1) at softintr_dispatch+0xf2 Xsoftnet(0,819c05e0,0,18041969,80,a) at Xsoftnet+0x1f Xspllower(0,0,c7ef80837208d4cc,8159c000,81983ee1,708000) at Xsp llower+0x19 free(8159c000,2,708000) at free+0x160 uvideo_detach(80165000,1) at uvideo_detach+0x71 config_detach(80165000,1) at config_detach+0x152 usbd_detach(80137500,80086d00) at usbd_detach+0x5a uhub_port_connect(80086d00,4,2a0,286) at uhub_port_connect+0x68 uhub_explore(800a9500) at uhub_explore+0x23d usb_explore(800a9400) at usb_explore+0x12b usb_task_thread(80001f8efb30) at usb_task_thread+0x10b end trace frame: 0x0, count: -16 ddb{0}> memcpy(80165000,fd804da1f728,8d8,80165000,b5bd47118 ed5c95a,80165000) at memcpy+0x15 end trace frame: 0x80001f8ecee0, count: 0 ddb{0}> memcpy(80165000,fd804da1f728,8d8,80165000,b5bd47118 ed5c95a,80165000) at memcpy+0x15 uvideo_vs_cb(fd80778f2870,801667d8,0) at uvideo_vs_cb+0x8b usb_transfer_complete(fd80778f2870) at usb_transfer_complete+0x20f xhci_event_dequeue(800af000) at xhci_event_dequeue+0x103 xhci_softintr(800af000) at xhci_softintr+0x2d softintr_dispatch(1) at softintr_dispatch+0xf2 Xsoftnet(0,819c05e0,0,18041969,80,a) at Xsoftnet+0x1f Xspllower(0,0,c7ef80837208d4cc,8159c000,81983ee1,708000) at Xsp llower+0x19 free(8159c000,2,708000) at free+0x160 uvideo_detach(80165000,1) at uvideo_detach+0x71 config_detach(80165000,1) at config_detach+0x152 usbd_detach(80137500,80086d00) at usbd_detach+0x5a uhub_port_connect(80086d00,4,2a0,286) at uhub_port_connect+0x68 uhub_explore(800a9500) at uhub_explore+0x23d usb_explore(800a9400) at usb_explore+0x12b usb_task_thread(80001f8efb30) at usb_task_thread+0x10b end trace frame: 0x0, count: -16 ddb{0}>PID TID PPIDUID S FLAGS WAIT COMMAND 73421 378519 1808 30x80 nanosleep motion 73421 169533 1808 3 0x480 poll motion 73421 249921 1808 3 0x480 poll motion 73421 182264 1808 7 0x400motion 73421 501327 1808 3 0x480 fsleepmotion 73421 68577 1808 3 0x480 fsleepmotion 73421 495193 1808 3 0x480 fsleepmotion 73421 86799 1808 3 0x480 fsleepmotion 73421 175532 1808 3 0x480 fsleepmotion 73421 276330 1808 3 0x480 fsleepmotion 73421 436757 1808 3 0x480 fsleepmotion 73421 355839 1808 3 0x480 fsleepmotion 24501 137057 8062 1002 30x100082 nanosleep sleep 96133 231862 59487 1002 30x100082 nanosleep sleep 36064 221973 1 0 30x80 selectsshd 95865 94851 12428 1000 30x100083 ttyin ksh 12428 484765 73684 1000 30x90 selectsshd 73684 202144 1 0 30x92 poll sshd 37530 479133 40234 0 30x100083 ttyin sh 40234 510843 73997 1000 30x10008b pause ksh 73997 455759 66670 1000 30x90 selectsshd 66670 81334 1 0 30x92 poll sshd 75210 454196 1 0 30x100083 ttyin getty 59487 512598 99679 1002 30x10008a pause sh 8062 282798 8620 1002 30x10008a pause sh 99679 376310 12576 1002 30x10008a pause sh 8620 220053 93055 1002 30x10008a pause sh 12576 93622 47373 0 30x100090 piperdcron 93055 216296 47373 0 30x100090 piperdcron 47373 366615 1 0 30x100098 poll cron 40789 306932 1 0 30x80 kqreadapmd 91559 370400 16201 95 30x100092 kqreadsmtpd 71216 134567 16201103 30x100092