Bug #2300

DFBSD v3.0.0.6.gbd613-RELEASE - EHCI module unload panic

Added by tuxillo over 2 years ago. Updated 5 months ago.

Status:FeedbackStart date:02/07/2012
Priority:NormalDue date:
Assignee:tuxillo% Done:

0%

Category:Driver
Target version:3.8.0

Description

Hi,

When unloading ehci module, after few seconds of activity I get this panic:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; lapic->id = 01000000
fault virtual address = 0x48
fault code = supervisor read data, page not present
instruction pointer = 0x8:0xffffffff806ce788
stack pointer = 0x10:0xffffffe0a36aa870
frame pointer = 0x10:0xffffffe0a36aa908
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 0, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 680
current thread = pri 6
trap number = 12
panic: page fault
cpuid = 1

[...]

(kgdb) bt
#0 _get_mycpu () at ./machine/thread.h:69
#1 md_dumpsys (di=<optimized out>) at /usr/src/sys/platform/pc64/x86_64/dump_machdep.c:263
#2 0xffffffff80499ea5 in dumpsys () at /usr/src/sys/kern/kern_shutdown.c:925
#3 0xffffffff8049a50b in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:387
#4 0xffffffff8049a7c2 in panic (fmt=0xffffffff807a86cb "%s") at /usr/src/sys/kern/kern_shutdown.c:831
#5 0xffffffff807598d4 in trap_fatal (frame=0xffffffe0a36aa7b8, eva=<optimized out>)
at /usr/src/sys/platform/pc64/x86_64/trap.c:1018
#6 0xffffffff80759ae1 in trap_pfault (frame=0xffffffe0a36aa7b8, usermode=0)
at /usr/src/sys/platform/pc64/x86_64/trap.c:912
#7 0xffffffff8075a0b5 in trap (frame=0xffffffe0a36aa7b8) at /usr/src/sys/platform/pc64/x86_64/trap.c:617
#8 0xffffffff80743fdf in calltrap () at /usr/src/sys/platform/pc64/x86_64/exception.S:188
#9 0xffffffff806ce788 in usbioctl (ap=0xffffffe0a36aa918) at /usr/src/sys/bus/usb/usb.c:614
#10 0xffffffff8047bf3c in dev_dioctl (dev=0xffffffe07dede490, cmd=<optimized out>, data=<optimized out>,
fflag=<optimized out>, cred=<optimized out>, msg=<optimized out>) at /usr/src/sys/kern/kern_device.c:243
#11 0xffffffff80665ac1 in devfs_fo_ioctl (fp=0xffffffe07df2b0d8, com=536892675, data=<optimized out>,
ucred=<optimized out>, msg=<optimized out>) at /usr/src/sys/vfs/devfs/devfs_vnops.c:1449
#12 0xffffffff804cb26e in fo_ioctl (fp=0xffffffe07df2b0d8, com=536892675,
data=0xffffffe0a36aaa58 "p\367\377\377\377\177", cred=0xffffffe00e2c7260, msg=0xffffffe0a36aab68)
at /usr/src/sys/sys/file2.h:88
#13 0xffffffff804cb725 in mapped_ioctl (fd=<optimized out>, com=536892675, uspc_data=<optimized out>,
map=<optimized out>, msg=<optimized out>) at /usr/src/sys/kern/sys_generic.c:733
#14 0xffffffff804cb7be in sys_ioctl (uap=0xffffffe00e2c7260) at /usr/src/sys/kern/sys_generic.c:552
#15 0xffffffff8075a891 in syscall2 (frame=0xffffffe0a36aac18) at /usr/src/sys/platform/pc64/x86_64/trap.c:1231
#16 0xffffffff8074422b in Xfast_syscall () at /usr/src/sys/platform/pc64/x86_64/exception.S:323
#17 0x000000000000002b in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Core available upon request. Also, if someone is experiencing this too please add your findings to this ticket.

Cheers,
Antonio Huete

usb_detach01.diff Magnifier - Destroy device upon usb_detach() (302 Bytes) tuxillo, 03/09/2013 11:09 AM


Related issues

Related to Bug #2402: Showstopper panics for Release 3.2 New 08/15/2012

History

#1 Updated by swildner over 2 years ago

So what is the ioctl number it is failing on (ap->a_cmd in frame 9 should have it e.g.)?

#2 Updated by tuxillo over 1 year ago

It still happens in latest master as of today.

Basically the problem is that the /dev/usbN device in question remains, hence the loop doing select() on usbd(8) issues a new ioctl() to an already deregistered device which has no softc at all anymore.

Attached patch fixes it by removing the device related to EHCI from /dev, but this causes usbd(8) to die. There must be a better solution, so any pointer is welcome.

#3 Updated by tuxillo 5 months ago

  • Description updated (diff)
  • Category set to Driver
  • Status changed from In Progress to Feedback
  • Target version set to 3.8.0

Marcus,

Can you please have a look at the attached patch? Does it look okay for you?

The fact that usbd(8) dies could just be an issue in the daemon itself that had to be handled separatedly.

Cheers,
Antonio Huete

Also available in: Atom PDF