>Number:         182820
>Category:       usb
>Synopsis:       usbusX if destroy page fault panic
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-usb
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 08 01:50:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Vysokovskih
>Release:        10.0-ALPHA4 r255933
>Organization:
>Environment:
FreeBSD sandbox-10.ural.org 10.0-ALPHA4 FreeBSD 10.0-ALPHA4 #0 r255933: Sun Sep 29 02:50:54 UTC 2013    r...@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC   amd64
>Description:
KDB: debugger backends: ddb
KDB: current backend: ddb
Copyright (c) 1992-2013 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 10.0-ALPHA4 #0 r255933: Sun Sep 29 02:50:54 UTC 2013
    r...@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
FreeBSD clang version 3.3 (tags/RELEASE_33/final 183502) 20130610
WARNING: WITNESS option enabled, expect reduced performance.
CPU: Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz (2471.71-MHz K8-class CPU)
  Origin = "GenuineIntel"  Id = 0x306a9  Family = 0x6  Model = 0x3a  Stepping = 9
  Features=0x1783fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x201<SSE3,SSSE3>
  AMD Features=0x28100800<SYSCALL,NX,RDTSCP,LM>
  AMD Features2=0x1<LAHF>
real memory  = 2147418112 (2047 MB)
avail memory = 2049912832 (1954 MB)
Event timer "LAPIC" quality 400
ACPI APIC Table: <VBOX   VBOXAPIC>
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
FreeBSD/SMP: 1 package(s) x 2 core(s)
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
random device not loaded; using insecure entropy
ioapic0 <Version 1.1> irqs 0-23 on motherboard
random: <Software, Yarrow> initialized
kbd1 at kbdmux0
acpi0: <VBOX VBOXXSDT> on motherboard
acpi0: Power Button (fixed)
acpi0: Sleep Button (fixed)
cpu0: <ACPI CPU> on acpi0
cpu1: <ACPI CPU> on acpi0
attimer0: <AT timer> port 0x40-0x43,0x50-0x53 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
acpi_timer0: <32-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
isab0: <PCI-ISA bridge> at device 1.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX4 UDMA33 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xd000-0xd00f at device 1.1 on pci0
ata0: <ATA channel> at channel 0 on atapci0
ata1: <ATA channel> at channel 1 on atapci0
vgapci0: <VGA-compatible display> mem 0xe0000000-0xe07fffff irq 18 at device 2.0 on pci0
virtio_pci0: <VirtIO PCI Network adapter> port 0xd020-0xd03f irq 19 at device 3.0 on pci0
vtnet0: <VirtIO Networking Adapter> on virtio_pci0
virtio_pci0: host features: 0x410fdda3 <NotifyOnEmpty,VLanFilter,RxMode,ControlVq,Status,MrgRxBuf,TxUFO,TxTSOv6,TxTSOv4,RxUFO,RxTSOv6,RxTSOv4,MacAddress,RxChecksum,TxChecksum>
virtio_pci0: negotiated features: 0xf99a3 <VLanFilter,RxMode,ControlVq,Status,MrgRxBuf,TxTSOv6,TxTSOv4,RxTSOv6,RxTSOv4,MacAddress,RxChecksum,TxChecksum>
vtnet0: Ethernet address: 08:00:27:9e:bb:21
pci0: <base peripheral> at device 4.0 (no driver attached)
ohci0: <OHCI (generic) USB controller> mem 0xf0404000-0xf0404fff irq 22 at device 6.0 on pci0
usbus0 on ohci0
pci0: <bridge> at device 7.0 (no driver attached)
ehci0: <Intel 82801FB (ICH6) USB 2.0 controller> mem 0xf0405000-0xf0405fff irq 19 at device 11.0 on pci0
usbus1: EHCI version 1.0
usbus1 on ehci0
 uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart0: console (9600,n,8,1)
battery0: <ACPI Control Method Battery> on acpi0
acpi_acad0: <AC Adapter> on acpi0
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: model IntelliMouse Explorer, device ID 4
orm0: <ISA Option ROMs> at iomem 0xc0000-0xc7fff,0xe2000-0xe2fff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
atrtc0: <AT realtime clock> at port 0x70 irq 8 on isa0
Event timer "RTC" frequency 32768 Hz quality 0
ppc0: cannot reserve I/O port range
Timecounters tick every 10.000 msec
usbus0: 12Mbps Full Speed USB v1.0
usbus1: 480Mbps High Speed USB v2.0
ugen0.1: <Apple> at usbus0
uhub0: <Apple OHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus0
ugen1.1: <Intel> at usbus1
uhub1: <Intel EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus1
ada0 at ata0 bus 0 scbus0 target 0 lun 0
ada0: <VBOX HARDDISK 1.0> ATA-6 device
ada0: 33.300MB/s transfers (UDMA2, PIO 65536bytes)
ada0: 8710MB (17839056 512 byte sectors: 16H 63S/T 16383C)
ada0: Previously was known as ad0
cd0 at ata1 bus 0 scbus1 target 0 lun 0
cd0: <VBOX CD-ROM 1.0> Removable CD-ROM SCSI-0 device 
cd0: 33.300MB/s transfers (UDMA2, ATAPI 12bytes, PIO 65534bytes)
cd0: Attempt to query device size failed: NOT READY, Medium not present
Netvsc initializing... SMP: AP CPU #1 Launched!
WARNING: WITNESS option enabled, expect reduced performance.
uhub0: 8 ports with 8 removable, self powered
Root mount waiting for: usbus1 usbus0
Root mount waiting for: usbus1 usbus0
ugen0.2: <PixArt> at usbus0
Root mount waiting for: usbus1
Root mount waiting for: usbus1
uhub1: 8 ports with 8 removable, self powered
Trying to mount root from ufs:/dev/ada0p2 [rw]...
WARNING: / was not properly dismounted
WARNING: /: mount pending error: blocks 0 files 4
vtnet0: link state changed to UP
ums0: <PixArt Microsoft USB Optical Mouse, class 0/0, rev 1.10/1.00, addr 2> on usbus0
ums0: 3 buttons and [XYZ] coordinates ID=0

---

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x10
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80a8c5ec
stack pointer           = 0x28:0xfffffe007b7727e0
frame pointer           = 0x28:0xfffffe007b772800
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 847 (ifconfig)

Reading symbols from /boot/kernel/ums.ko.symbols...done.
Loaded symbols for /boot/kernel/ums.ko.symbols
#0  doadump (textdump=0) at pcpu.h:218
218     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump (textdump=0) at pcpu.h:218
#1  0xffffffff8034136e in db_dump (dummy=<value optimized out>, dummy2=0,
    dummy3=0, dummy4=0x0) at /usr/src/sys/ddb/db_command.c:543
#2  0xffffffff80340e0d in db_command (cmd_table=<value optimized out>)
    at /usr/src/sys/ddb/db_command.c:449
#3  0xffffffff80340b84 in db_command_loop ()
    at /usr/src/sys/ddb/db_command.c:502
#4  0xffffffff80343530 in db_trap (type=<value optimized out>, code=0)
    at /usr/src/sys/ddb/db_main.c:231
#5  0xffffffff808ef433 in kdb_trap (type=12, code=0, tf=<value optimized out>)
    at /usr/src/sys/kern/subr_kdb.c:654
#6  0xffffffff80cae62a in trap_fatal (frame=0xfffffe007b772730,
    eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:868
#7  0xffffffff80cae8e4 in trap_pfault (frame=0x0, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:699
#8  0xffffffff80cae0e0 in trap (frame=0xfffffe007b772730)
    at /usr/src/sys/amd64/amd64/trap.c:463
#9  0xffffffff80c95ec2 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:232
#10 0xffffffff80a8c5ec in nd6_purge (ifp=0xfffff8000256f800)
    at /usr/src/sys/netinet6/nd6.c:823
#11 0xffffffff80a778b9 in in6_ifdetach (ifp=0xfffff8000256f800)
    at /usr/src/sys/netinet6/in6_ifattach.c:813
---Type <return> to continue, or q <return> to quit---
#12 0xffffffff8097b3d3 in if_detach (ifp=0xfffff8000256f800)
    at /usr/src/sys/net/if.c:871
#13 0xffffffff8075ebb2 in usbpf_clone_destroy (ifc=0xfffff800027d4d80,
    ifp=0xfffff8000256f800) at /usr/src/sys/dev/usb/usb_pf.c:225
#14 0xffffffff80980ae2 in if_clone_destroyif (ifc=0xfffff800027d4d80,
    ifp=0xfffff8000256f800) at /usr/src/sys/net/if_clone.c:333
#15 0xffffffff8098097e in if_clone_destroy (name=<value optimized out>)
    at /usr/src/sys/net/if_clone.c:291
#16 0xffffffff8097d806 in ifioctl (so=0xfffff80002c6f570,
    cmd=<value optimized out>, data=0xfffff8000279f660 "usbus0",
    td=0xfffff80002c02490) at /usr/src/sys/net/if.c:2513
#17 0xffffffff8090e94a in kern_ioctl (td=0xfffff80002c02490,
    fd=<value optimized out>, com=8) at file.h:319
#18 0xffffffff8090e62f in sys_ioctl (td=0xfffff80002c02490,
    uap=0xfffffe007b772b80) at /usr/src/sys/kern/sys_generic.c:698
#19 0xffffffff80caee35 in amd64_syscall (td=0xfffff80002c02490, traced=0)
    at subr_syscall.c:134
#20 0xffffffff80c961ab in Xfast_syscall ()
    at /usr/src/sys/amd64/amd64/exception.S:391
#21 0x000000080119b9ca in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language:  auto; currently minimal
(kgdb)
(kgdb) fr 15
#15 0xffffffff8098097e in if_clone_destroy (name=<value optimized out>)
    at /usr/src/sys/net/if_clone.c:291
291             err = if_clone_destroyif(ifc, ifp);
(kgdb) fr 14
#14 0xffffffff80980ae2 in if_clone_destroyif (ifc=0xfffff800027d4d80,
    ifp=0xfffff8000256f800) at /usr/src/sys/net/if_clone.c:333
333                     err = (*ifc->ifc_destroy)(ifc, ifp);
(kgdb) fr 13
#13 0xffffffff8075ebb2 in usbpf_clone_destroy (ifc=0xfffff800027d4d80,
    ifp=0xfffff8000256f800) at /usr/src/sys/dev/usb/usb_pf.c:225
225             if_detach(ifp);
(kgdb) fr 12
#12 0xffffffff8097b3d3 in if_detach (ifp=0xfffff8000256f800)
    at /usr/src/sys/net/if.c:871
871             in6_ifdetach(ifp);
(kgdb) fr 11
#11 0xffffffff80a778b9 in in6_ifdetach (ifp=0xfffff8000256f800)
    at /usr/src/sys/netinet6/in6_ifattach.c:813
813             nd6_purge(ifp);
(kgdb) fr 10
#10 0xffffffff80a8c5ec in nd6_purge (ifp=0xfffff8000256f800)
    at /usr/src/sys/netinet6/nd6.c:823
823             if (ND_IFINFO(ifp)->flags & ND6_IFF_ACCEPT_RTADV) {
(kgdb) print ifp
$1 = (struct ifnet *) 0xfffff8000256f800
(kgdb) print *ifp
$2 = {if_softc = 0xfffffe00008bb320, if_l2com = 0x0, if_vnet = 0x0, if_link = {
    tqe_next = 0x0, tqe_prev = 0xfffff80002570018},
  if_xname = "usbus0\000\000\000\000\000\000\000\000\000",
  if_dname = 0xffffffff80ee5a5c "usbus", if_dunit = 0, if_refcount = 2,
  if_addrhead = {tqh_first = 0xfffff8000241d600,
    tqh_last = 0xfffff8000241d6c0}, if_pcount = 0, if_carp = 0x0,
  if_bpf = 0xfffff800027a3500, if_index = 3, if_index_reserved = 0,
  if_vlantrunk = 0x0, if_flags = 0, if_capabilities = 0, if_capenable = 0,
  if_linkmib = 0x0, if_linkmiblen = 0, if_data = {ifi_type = 160 '▒',
    ifi_physical = 0 '\0', ifi_addrlen = 0 '\0', ifi_hdrlen = 0 '\0',
    ifi_link_state = 0 '\0', ifi_vhid = 0 '\0', ifi_baudrate_pf = 0 '\0',
    ifi_datalen = 152 '\230', ifi_mtu = 0, ifi_metric = 0, ifi_baudrate = 0,
    ifi_ipackets = 0, ifi_ierrors = 0, ifi_opackets = 0, ifi_oerrors = 0,
    ifi_collisions = 0, ifi_ibytes = 0, ifi_obytes = 0, ifi_imcasts = 0,
    ifi_omcasts = 0, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 0,
    ifi_epoch = 52, ifi_lastchange = {tv_sec = 1381179412, tv_usec = 796566}},
  if_multiaddrs = {tqh_first = 0x0, tqh_last = 0xfffff8000256f938},
  if_amcount = 0, if_output = 0, if_input = 0, if_start = 0,
  if_ioctl = 0xffffffff8075f2b0 <usbpf_ioctl>, if_init = 0,
  if_resolvemulti = 0, if_qflush = 0xffffffff8097d550 <if_qflush>,
  if_transmit = 0xffffffff809800a0 <if_transmit>, if_reassign = 0,
  if_home_vnet = 0x0, if_addr = 0xfffff8000241d600, if_llsoftc = 0x0,
  if_drv_flags = 0, if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0,
---Type <return> to continue, or q <return> to quit---
    ifq_maxlen = 50, ifq_drops = 0, ifq_mtx = {lock_object = {
        lo_name = 0xfffff8000256f828 "usbus0", lo_flags = 16973824,
        lo_data = 0, lo_witness = 0xfffffe00006d3d80}, mtx_lock = 4},
    ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0,
    ifq_drv_maxlen = 0, altq_type = 0, altq_flags = 0, altq_disc = 0x0,
    altq_ifp = 0xfffff8000256f800, altq_enqueue = 0, altq_dequeue = 0,
    altq_request = 0, altq_clfier = 0x0, altq_classify = 0, altq_tbr = 0x0,
    altq_cdnr = 0x0}, if_broadcastaddr = 0x0, if_bridge = 0x0, if_label = 0x0,
  if_unused = {0x0, 0x0}, if_afdata = {0x0, 0x0, 0xfffff80002426f20,
    0x0 <repeats 39 times>}, if_afdata_initialized = 2, if_afdata_lock = {
    lock_object = {lo_name = 0xffffffff80f27a92 "if_afdata",
      lo_flags = 86179840, lo_data = 0, lo_witness = 0xfffffe00006d3d00},
    rw_lock = 1}, if_linktask = {ta_link = {stqe_next = 0x0}, ta_pending = 0,
    ta_priority = 0, ta_func = 0xffffffff8097a5e0 <do_link_state_change>,
    ta_context = 0xfffff8000256f800}, if_addr_lock = {lock_object = {
      lo_name = 0xffffffff80f1ab75 "if_addr_lock", lo_flags = 86179840,
      lo_data = 0, lo_witness = 0xfffffe00006ccb80}, rw_lock = 1},
  if_clones = {le_next = 0x0, le_prev = 0xfffff800027d4da8}, if_groups = {
    tqh_first = 0xfffff80002acd020, tqh_last = 0xfffff80002acd028},
  if_pf_kif = 0x0, if_lagg = 0x0, if_description = 0x0, if_fib = 0,
  if_alloctype = 160 '▒', if_hw_tsomax = 65535, if_cspare = "\000\000",
  if_ispare = {0, 0, 0, 0}, if_pspare = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
    0x0}}

---

(kgdb) print ifp->if_afdata
$3 = {0x0, 0x0, 0xfffff80002426f20, 0x0 <repeats 39 times>}
(kgdb) print ifp->if_afdata[28]
$4 = (void *) 0x0

---

There are no checks for the existence of the ifp structure member used in the 
ND_IFINFO macro in nd6_purge().

#define AF_INET6        28              /* IPv6 */
#define ND_IFINFO(ifp) \
        (((struct in6_ifextra *)(ifp)->if_afdata[AF_INET6])->nd_ifinfo)

mld6_var.h also contains the same macro, used in mld_ifdetach():

#define MLD_IFINFO(ifp) \
        (((struct in6_ifextra *)(ifp)->if_afdata[AF_INET6])->mld_ifinfo)


>How-To-Repeat:
In my VirtualBox, a freshly installed FreeBSD 10.0-ALPHA4 #r255933 panicked like this:

# ifconfig usbus0 create
# ifconfig usbus0 destroy

or 

# usbdump
^C
>Fix:
I think that my pretty simple patch is not very smart at all. Why should we call 
in6_ifdetach() for USB interfaces?

>Release-Note:
>Audit-Trail:
>Unformatted:
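
Added example, not part of the original report and not FreeBSD source: a user-space C model of the unchecked ND_IFINFO() lookup beside a NULL-checked one. The three-pointer layout of struct in6_ifextra, the flag value and the helper names are assumptions of this model; under that layout a NULL if_afdata[AF_INET6] puts the load at 0x10 on amd64, the fault virtual address in the trap above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AF_INET6 28
#define AF_MAX 42                 /* matches the 42-slot if_afdata[] in the dump */
#define ND6_IFF_ACCEPT_RTADV 0x2  /* constructed flag value for this model */

/* Simplified stand-ins; the field order of in6_ifextra is an assumption. */
struct nd_ifinfo { uint32_t flags; };
struct in6_ifextra {
    void *in6_ifstat;
    void *icmp6_ifstat;
    struct nd_ifinfo *nd_ifinfo;
};
struct ifnet { void *if_afdata[AF_MAX]; };

/* Address the unchecked ND_IFINFO(ifp) load reads from; computed, not dereferenced. */
uintptr_t unchecked_load_addr(const struct ifnet *ifp)
{
    return (uintptr_t)ifp->if_afdata[AF_INET6] +
        offsetof(struct in6_ifextra, nd_ifinfo);
}

/* Checked lookup: NULL when no IPv6 per-interface data was ever attached. */
struct nd_ifinfo *nd_ifinfo_checked(const struct ifnet *ifp)
{
    struct in6_ifextra *ext = ifp->if_afdata[AF_INET6];
    return ext != NULL ? ext->nd_ifinfo : NULL;
}

/* Models the test at nd6.c:823: 1 = RA accepted, 0 = not, -1 = no IPv6 state. */
int accepts_rtadv(const struct ifnet *ifp)
{
    struct nd_ifinfo *ndi = nd_ifinfo_checked(ifp);
    if (ndi == NULL)
        return -1;
    return (ndi->flags & ND6_IFF_ACCEPT_RTADV) != 0;
}

int main(void)
{
    int inet_data = 0;                 /* placeholder for the AF_INET slot */
    struct ifnet usbus = { { 0 } };
    usbus.if_afdata[2] = &inet_data;   /* only slot 2 is set, as in the dump */
    printf("unchecked load at %#lx\n", (unsigned long)unchecked_load_addr(&usbus));
    printf("accepts_rtadv = %d\n", accepts_rtadv(&usbus));
    return 0;
}
```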