From owner-freebsd-bugs@freebsd.org  Wed Sep 23 17:45:14 2015
Return-Path: <owner-freebsd-bugs@freebsd.org>
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6EBC2A06BD4
 for <freebsd-bugs@mailman.ysv.freebsd.org>;
 Wed, 23 Sep 2015 17:45:14 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 536921BB4
 for <freebsd-bugs@FreeBSD.org>; Wed, 23 Sep 2015 17:45:14 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id t8NHjEhe045057
 for <freebsd-bugs@FreeBSD.org>; Wed, 23 Sep 2015 17:45:14 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 203288] axge(4) panics on unplug
Date: Wed, 23 Sep 2015 17:45:14 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: cem@freebsd.org
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-203288-8@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2015 17:45:14 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203288

            Bug ID: 203288
           Summary: axge(4) panics on unplug
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cem@freebsd.org

ifconfig(1) tickling axge(4) on uether, unconfigured.  Non-DEBUG kernel:

__mtx_lock_sleep on offset from NULL: 0x3a0

bt:
__mtx_lock_sleep
usbd_do_request_flags+0xa23
usbd_do_request_proc+0x6c
axge_read_mem+0xdb
axge_read_cmd_2+0x42
axge_miibus_readreg+0xb4
rgephy_status+0x80
rgephy_service+0x374
mii_pollstat+0x56
axge_ifmedia_sts+0x61
ifmedia_ioctl+0x178
uether_ioctl+0x2cb
axge_ioctl+0x233
ifioctl+0xb4f
kern_ioctl+0x414
sys_ioctl+0x153
...


Last messages before panic:

ugen0.2: <ASIX Elec. Corp.> at usbus0 (disconnected)
axge0: at uhub0, port 5, addr 1 (disconnected)
rgephy0: detached
miibus0: detached



Relevent GDB trace:

...
#11 0xffffffff808d89f3 in usbd_do_request_flags (udev=<value optimized out>,
mtx=<value optimized out>, 
    req=0xfffffe02257924b0, data=0xfffffe0225792500, flags=977, actlen=<value
optimized out>, timeout=Cannot access memory at address 0x7530
)
    at /usr/home/cmeyer/src/freebsd/sys/dev/usb/usb_request.c:732
#12 0xffffffff808d8a7c in usbd_do_request_proc (udev=0xfffff800078f8000,
pproc=0xfffff8000787b440, 
    req=0xfffffe02257924b0, data=0xfffffe0225792500, flags=0, actlen=0x0,
timeout=<value optimized out>)
    at /usr/home/cmeyer/src/freebsd/sys/dev/usb/usb_request.c:766
#13 0xffffffff8260dd2b in axge_read_mem (sc=0xfffff8000787b400, cmd=2 '\002',
index=1, val=3, buf=0xfffffe0225792500, 
    len=2) at
/usr/home/cmeyer/src/freebsd/sys/modules/usb/axge/../../../dev/usb/net/if_axge.c:221
#14 0xffffffff8260dd82 in axge_read_cmd_2 (sc=0xfffff8000787b400, cmd=2 '\002',
index=1, reg=3)
    at
/usr/home/cmeyer/src/freebsd/sys/modules/usb/axge/../../../dev/usb/net/if_axge.c:258
#15 0xffffffff8260d384 in axge_miibus_readreg (dev=0xfffff8000781ae00, phy=3,
reg=1)
    at
/usr/home/cmeyer/src/freebsd/sys/modules/usb/axge/../../../dev/usb/net/if_axge.c:290
#16 0xffffffff80635de0 in rgephy_status (sc=0xfffff8000782c080) at
miibus_if.h:26
#17 0xffffffff80635d14 in rgephy_service (sc=0xfffff8000782c080,
mii=0xfffff8000782be00, cmd=3)
    at /usr/home/cmeyer/src/freebsd/sys/dev/mii/rgephy.c:260
#18 0xffffffff806319d6 in mii_pollstat (mii=0xfffff8000782be00) at
/usr/home/cmeyer/src/freebsd/sys/dev/mii/mii.c:611
#19 0xffffffff8260e681 in axge_ifmedia_sts (ifp=0xfffff800044c7800,
ifmr=0xfffffe02257928e0)
    at
/usr/home/cmeyer/src/freebsd/sys/modules/usb/axge/../../../dev/usb/net/if_axge.c:508
#20 0xffffffff80b8d448 in ifmedia_ioctl (ifp=0xfffff8000787b6c0,
ifr=0xfffffe02257928e0, ifm=0xfffff8000782be00, 
    cmd=<value optimized out>) at
/usr/home/cmeyer/src/freebsd/sys/net/if_media.c:309
#21 0xffffffff82613f8b in uether_ioctl (ifp=0xfffff800044c7800,
command=3224398136, data=0xfffffe02257928e0 "ue0")
    at
/usr/home/cmeyer/src/freebsd/sys/modules/usb/uether/../../../dev/usb/net/usb_ethernet.c:528
#22 0xffffffff8260ea73 in axge_ioctl (ifp=0xfffff800044c7800, cmd=3224398136,
data=0xfffffe02257928e0 "ue0")
    at
/usr/home/cmeyer/src/freebsd/sys/modules/usb/axge/../../../dev/usb/net/if_axge.c:923
#23 0xffffffff80b82d5f in ifioctl (so=<value optimized out>, cmd=<value
optimized out>, data=<value optimized out>, 
    td=<value optimized out>) at /usr/home/cmeyer/src/freebsd/sys/net/if.c:2506
#24 0xffffffff80af69f4 in kern_ioctl (td=0xfffff80042627000, fd=<value
optimized out>, com=18446735278730276864, 
    data=<value optimized out>) at file.h:326
#25 0xffffffff80af6533 in sys_ioctl (td=0xfffff80042627000,
uap=0xfffffe0225792a40)
    at /usr/home/cmeyer/src/freebsd/sys/kern/sys_generic.c:723
...

(kgdb) fr 12
#12 0xffffffff808d8a7c in usbd_do_request_proc (udev=0xfffff800078f8000,
pproc=0xfffff8000787b440, 
    req=0xfffffe02257924b0, data=0xfffffe0225792500, flags=0, actlen=0x0,
timeout=<value optimized out>)
    at /usr/home/cmeyer/src/freebsd/sys/dev/usb/usb_request.c:766
766             err = usbd_do_request_flags(udev, pproc->up_mtx,
(kgdb) p pproc
$2 = (struct usb_process *) 0xfffff8000787b440
(kgdb) p pproc.up_mtx
$3 = (struct mtx *) 0x0
(kgdb) p *pproc
$4 = {
  up_qhead = {
    tqh_first = 0x0, 
    tqh_last = 0xfffff8000787b440
  }, 
  up_cv = {
    cv_description = 0xffffffff8141c9b0 "-", 
    cv_waiters = 0
  }, 
  up_drain = {
    cv_description = 0xffffffff81403370 "usbdrain", 
    cv_waiters = 0
  }, 
  up_ptr = 0x0, 
  up_curtd = 0xfffff80007fcc9a0, 
  up_mtx = 0x0, 
  up_msg_num = 0, 
  up_prio = 32 ' ', 
  up_gone = 1 '\001', 
  up_msleep = 0 '\0', 
  up_csleep = 0 '\0', 
  up_dsleep = 0 '\0'
}


I have a core, although I don't have time to debug it myself right now nor do I
want to publish it widely.  If it would help, I can probably arrange to get it
to some FreeBSD committer for further debugging.  Anyway, it is easy to
reproduce.

-- 
You are receiving this mail because:
You are the assignee for the bug.