OK. Sorry for the top post.

I need to recreate this because this data is already freed and corrupted.

So is this panic in bhyve? What's the bhyve configuration you are using?
You say this happens as you move the xhci pass through device back to
the host. Does the same thing happen if you instead devctl detach the xhciX
device instead? It looks like you have a da0 device on the usb bus, any
others?

I need a way to reproduce it, and I kinda get what you're doing, but step
by step instructions would be way better...  And it may be a week before
I get to it: my daughter is graduating next Friday, so my whole routine and
schedule is off.

Warner

On Sat, May 10, 2025 at 4:52 PM Bjoern A. Zeeb
<bzeeb-li...@lists.zabbadoz.net> wrote:
>
> On Sat, 10 May 2025, Warner Losh wrote:
>
> > Yes. usb is hanky in its newbus integration and always has been.
> >
> > How did you get this to happen? I know that it can happen in some weird
> > error scenarios (that I've not been able to reproduce), but just removing the
> > device is orderly enough...
> >
> > But it looks like jhb's cleanup may have opened the issue back up, since
> > usb_detach_device shouldn't find anything still attached. I'm guessing that
> > there are devices that are children of this node that are attached and also
> > somehow devices of the interface?
> >
> > So interesting crash, but without a lot more data about the usb configuration
> > and what device is being detached, I can't help you.
>
> Was a blind dump reboot on a ddb> prompt I didn't see.
>
> As said I moved the XHCI between bhyve passthru and the base system or
> the other direction.  Seems xhci -> ppt.
>
> Unread portion of the kernel message buffer:
> ugen0.2: <Generic EMV Smartcard Reader> at usbus0 (disconnected)
> ugen0.3: <vendor 0x8087 product 0x0032> at usbus0 (disconnected)
> ugen0.4: <Chicony Electronics Co.,Ltd. Integrated Camera> at usbus0 
> (disconnected)
> ugen0.5: <vendor 0x06cb product 0x009a> at usbus0 (disconnected)
> ugen0.6: <Generic USB3.0-CRW> at usbus0 (disconnected)
> umass0: at uhub1, port 15, addr 5 (disconnected)
> da0 at umass-sim0 bus 0 scbus1 target 0 lun 0
> da0: <Generic- SD/MMC 1.00>  s/n 20120501030900000 detached
> pass1 at umass-sim0 bus 0 scbus1 target 0 lun 0
> pass1: <Generic- SD/MMC 1.00>  s/n 20120501030900000 detached
> (pass1:umass-sim0:0:0:0): Periph destroyed
> (da0:umass-sim0:0:0:0): Periph destroyed
> umass0: detached
> uhub1: detached
> ugen0.1: <Intel XHCI root HUB> at usbus0 (disconnected)
>
> If I manually check the bt (the source tree has changed):
>
> #14 devclass_get_name (dc=0x7373616c63627573) at sys/kern/subr_bus.c:976
> #15 device_get_name (dev=0xfffff8000158e700) at sys/kern/subr_bus.c:1908
> #16 device_printf (dev=dev@entry=0xfffff8000158e700, fmt=0xffffffff81231211 
> "at %s, port %d, addr %d (disconnected)\n") at sys/kern/subr_bus.c:1998
>
> (kgdb) p (*(devclass_t) 0x7373616c63627573)
> Cannot access memory at address 0x7373616c63627573
> (kgdb) p (*(device_t) 0xfffff8000158e700)
> $3 = {ops = 0x6567753d6e656775, link = {tqe_next = 0x65646320312e306e, 
> tqe_prev = 0x2e306e6567753d76}, devlink = {tqe_next = 0x726f646e65762031, 
> tqe_prev = 0x203030303078303d}, parent = 0x3d746375646f7270, children = 
> {tqh_first = 0x6420303030307830, tqh_last = 0x3d7373616c637665}, driver = 
> 0x7665642039307830, devclass = 0x7373616c63627573, unit = 813183037, nameunit 
> = 0x2022223d6d756e72 <error: Cannot access memory at address 
> 0x2022223d6d756e72>, desc = 0x3d657361656c6572 <error: Cannot access memory 
> at address 0x3d657361656c6572>, busy = 825260080, state = 1830826032, 
> devflags = 1030055023, flags = 1953722216, order = 1953392928, ivars = 
> 0x646e6520303d6563, softc = 0x313d73746e696f70, props = { lh_first = 
> 0x73616c63746e6920}, sysctl_ctx = {tqh_first = 0x6920393078303d73, tqh_last = 
> 0x616c63627573746e}, sysctl_tree = 0x20303078303d7373}
>
>
> #17 0xffffffff8094ac63 in usb_detach_device_sub (udev=0xfffff800018b7000, 
> ppdev=0xfffff80001595588, ppnpinfo=0xfffff800015955b8, flag=<optimized out>)
> (kgdb) p *(struct usb_device *)0xfffff800018b7000
> $6 =
> ..
>      0x0 <repeats 126 times>}, ugen_symlink = 0x0, ctrl_dev = 
> 0xfffff8000189af40, pd_list = {slh_first = 0xfffff80001581180}, ugen_name = 
> "ugen0.1", '\000' <repeats 12 times>,
>    plugtime = 2146883647, state = USB_STATE_DETACHED, speed = 
> USB_SPEED_SUPER, refcount = 1, power = 0, langid = 1, autoQuirk = {0, 0, 0, 
> 0, 0, 0, 0, 0}, address = 1 '\001',
> ..
>              0}, bufsize = 0, bufsize_max = 0, hc_max_frame_size = 0, 
> hc_max_packet_size = 0, hc_max_packet_count = 0 '\000', speed = 
> USB_SPEED_VARIABLE, dma_tag_max = 0 '\000',
>            err = USB_ERR_NORMAL_COMPLETION}}}, data = "Intel XHCI root HUB, 
> class 9/0, rev 3.00/1.00, addr 1", '\000' <repeats 201 times>}}
> (kgdb) p/x *(device_t *)0xfffff80001595588
> $7 = 0x0
> (kgdb) p *(char *)0xfffff800015955b8
> $8 = 0 '\000'
>
> #20 0xffffffff8094d24c in usb_free_device 
> (udev=udev@entry=0xfffff800018b7000, flag=<optimized out>)
> (kgdb) p/x *(struct usb_device *)0xfffff800018b7000
> $1 = ..
> (kgdb) p/x *$1->parent_dev
> $2 = {ops = 0xfffff800016e4000, link = {tqe_next = 0x0, tqe_prev = 
> 0xfffff80001b63b30}, devlink = {tqe_next = 0xfffff80001b64200, tqe_prev = 
> 0xfffff80001b64c18}, parent = 0xfffff80001b63b00, children = {tqh_first = 
> 0x0, tqh_last = 0xfffff80001b64a30}, driver = 0xffffffff818952b8, devclass = 
> 0xfffff8000170d680, unit = 0x0, nameunit = 0xfffff80001b87f30, desc = 0x0, 
> busy = 0x0, state = 0x1e, devflags = 0x0, flags = 0x407, order = 0x0, ivars = 
> 0xfffffe01051e0428, softc = 0x0, props = {lh_first = 0x0}, sysctl_ctx = 
> {tqh_first = 0xfffff800018ac3a0, tqh_last = 0xfffff800018ac4c8}, sysctl_tree 
> = 0xfffff80001b7f900}
> (kgdb) p (char *)$2->nameunit
> $6 = 0xfffff80001b87f30 "usbus0"
> (kgdb) p *(char *)$2->devclass
> $7 = 0 '\000'
> (kgdb) p/x *(device_t)$2->parent
> $8 = {ops = 0xfffff800016e3000, link = {tqe_next = 0xfffff80001b63a00, 
> tqe_prev = 0xfffff80001b63c08}, devlink = {tqe_next = 0xfffff80001b63a00, 
> tqe_prev = 0xfffff80001b63c18}, parent = 0xfffff80001b62100, children = 
> {tqh_first = 0xfffff80001b64a00, tqh_last = 0xfffff80001b64a08}, driver = 
> 0xffffffff81894d08, devclass = 0xfffff8000170d700, unit = 0x0, nameunit = 
> 0xfffff80001b49140, desc = 0xffffffff81246094, busy = 0x0, state = 0x1e, 
> devflags = 0x0, flags = 0x405, order = 0x0, ivars = 0xfffff80001b6f780, softc 
> = 0xfffffe010505c000, props = {lh_first = 0x0}, sysctl_ctx = {tqh_first = 
> 0xfffff800030a1880, tqh_last = 0xfffff800018ac668}, sysctl_tree = 
> 0xfffff80001b50080}
> (kgdb) p (char *)$8->nameunit
> $10 = 0xfffff80001b49140 "xhci0"
>
>
> > Warner
> >
> > On Sat, May 10, 2025 at 1:36 PM Bjoern A. Zeeb
> > <bzeeb-li...@lists.zabbadoz.net> wrote:
> >>
> >> Hi,
> >>
> >> hit this twice when switching an XHCI from ppt0 back to xhci (or vice
> >> versa ?) on a previous kernel (sorry I hit 4 other panics and I don't
> >> have more details anymore).  That kernel may have been 3-4 weeks old,
> >> so may be fixed by now?
> >>
> >> Fatal trap 9: general protection fault while in kernel mode
> >> cpuid = 0; apic id = 00
> >> instruction pointer     = 0x20:0xffffffff80b8d519
> >> stack pointer           = 0x28:0xfffffe01047d4c80
> >> frame pointer           = 0x28:0xfffffe01047d4dc0
> >> code segment            = base 0x0, limit 0xfffff, type 0x1b
> >>                          = DPL 0, pres 1, long 1, def32 0, gran 1
> >> processor eflags        = interrupt enabled, resume, IOPL = 0
> >> current process         = 15 (usbus0)
> >> rdi: fffffe01047d4c88 rsi: ffffffff80ba9460 rdx: fffffe01047d4d18
> >> rcx: 0000000000200000  r8: 0000000000000001  r9: 8080808080808080
> >> rax: 7373616c63627573 rbx: ffffffff81231211 rbp: fffffe01047d4dc0
> >> r10: fffff8000159d110 r11: ffffcfd1ced1cfd0 r12: fffff80001595580
> >> r13: 0000000000000000 r14: fffff8000158e700 r15: fffffe01047d4c88
> >> trap number             = 9
> >> panic: general protection fault
> >> cpuid = 0
> >> time = 1746609904
> >> KDB: stack backtrace:
> >> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 
> >> 0xfffffe01047d4a00
> >> vpanic() at vpanic+0x136/frame 0xfffffe01047d4b30
> >> panic() at panic+0x43/frame 0xfffffe01047d4b90
> >> trap_fatal() at trap_fatal+0x68/frame 0xfffffe01047d4bb0
> >> calltrap() at calltrap+0x8/frame 0xfffffe01047d4bb0
> >> --- trap 0x9, rip = 0xffffffff80b8d519, rsp = 0xfffffe01047d4c80, rbp = 
> >> 0xfffffe01047d4dc0 ---
> >> device_printf() at device_printf+0x89/frame 0xfffffe01047d4dc0
> >> usb_detach_device() at usb_detach_device+0xd3/frame 0xfffffe01047d4e00
> >> usb_unconfigure() at usb_unconfigure+0x83/frame 0xfffffe01047d4e40
> >> usb_free_device() at usb_free_device+0x15c/frame 0xfffffe01047d4e80
> >> usb_bus_detach() at usb_bus_detach+0x6e/frame 0xfffffe01047d4eb0
> >> usb_process() at usb_process+0xc5/frame 0xfffffe01047d4ef0
> >> fork_exit() at fork_exit+0x7b/frame 0xfffffe01047d4f30
> >> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe01047d4f30
> >> --- trap 0x3a8d224b, rip = 0x91722c9d5743a0fe, rsp = 0xc95674b90f67f8da, 
> >> rbp = 0x84eb42daceb9d67e ---
> >> KDB: enter: panic
> >>
> >>
> >> --
> >> Bjoern A. Zeeb                                                     r15:7
> >>
> >
>
> --
> Bjoern A. Zeeb                                                     r15:7
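
Added example, not part of the thread and not FreeBSD code: a small triage helper that takes the pointer fields from the `p (*(device_t) 0xfffff8000158e700)` output quoted above, decodes each 64-bit word as little-endian ASCII, and checks whether it is a canonical amd64 address. The field values are copied from that kgdb output; the function names are made up for this illustration.

```python
import struct

# Pointer fields copied from the kgdb dump of device_t 0xfffff8000158e700 above.
SUSPECT_WORDS = [
    ("ops", 0x6567753d6e656775),
    ("link.tqe_next", 0x65646320312e306e),
    ("link.tqe_prev", 0x2e306e6567753d76),
    ("devlink.tqe_next", 0x726f646e65762031),
    ("devlink.tqe_prev", 0x203030303078303d),
    ("parent", 0x3d746375646f7270),
    ("children.tqh_first", 0x6420303030307830),
    ("children.tqh_last", 0x3d7373616c637665),
    ("driver", 0x7665642039307830),
    ("devclass", 0x7373616c63627573),
]
# For contrast: fields of the intact parent_dev ("usbus0") from the same session.
INTACT_WORDS = [
    ("ops", 0xfffff800016e4000),
    ("parent", 0xfffff80001b63b00),
    ("driver", 0xffffffff818952b8),
]

def as_text(word):
    """Return the word's 8 little-endian bytes as ASCII if all are printable."""
    raw = struct.pack("<Q", word)
    return raw.decode("ascii") if all(0x20 <= b <= 0x7E for b in raw) else None

def is_canonical(word):
    """amd64 canonical address: bits 63..47 are all zero or all one."""
    return (word >> 47) in (0, 0x1FFFF)

def triage(words):
    """Per field: (name, decoded text or None, canonical-address flag)."""
    return [(name, as_text(w), is_canonical(w)) for name, w in words]

def recovered_text(words):
    """Concatenate the decoded words in struct order; '?' marks non-text words."""
    return "".join(as_text(w) or "?" * 8 for _, w in words)

if __name__ == "__main__":
    for name, text, canon in triage(SUSPECT_WORDS + INTACT_WORDS):
        print(f"{name:20s} text={text!r:12} canonical={canon}")
    print(recovered_text(SUSPECT_WORDS))
```

Every suspect field decodes to printable text and none is a canonical address, while the `usbus0` fields are ordinary kernel pointers; a load through a non-canonical address raises a general protection fault on amd64, which matches trap 9 and `rax: 7373616c63627573` in the original report.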
