From nobody Thu Oct 23 12:41:48 2025
X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4cslz165gbz6DPmf
	for <freebsd-current@mlmmj.nyi.freebsd.org>; Thu, 23 Oct 2025 12:41:49 +0000 (UTC)
	(envelope-from kevans@FreeBSD.org)
Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "smtp.freebsd.org", Issuer "R13" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4cslz15M4xz49lg;
	Thu, 23 Oct 2025 12:41:49 +0000 (UTC)
	(envelope-from kevans@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1761223309;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=XQe1+88F+9oY/29s/WZCOkwFKsWS3kgAN3vwGJ4tV1g=;
	b=BXPnscQWnO7I1O61tekpgQ2C4po75sX6fgnl2GFdTc4RlQhfWqvBPlqh7r0Onhx/0AR/M/
	viqMeNlionh8trIxbbUn13XwYYyyrA7W6XRYGF+x8Icg1KgaR2heXadgaU/o/VCblLvFny
	v167T9YHL1Jer1tvOfjzxKGw48LhxIQhwHmma1hwNGjb7ekprAmjzjfJ4fACuR5H2AlEAI
	Q2zAzRWF7FBEUgwEcHc0HYTl1NGAcJjTOYpfAgTV4rLkP7ASNJp42IqHX4lDtOOG1uO0M3
	HLMdQMibK46NPNV8l8nyBbL2U1PVNFq4h/HQPSCCjRY0G8kwoXgZa58CAoegbA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1761223309;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=XQe1+88F+9oY/29s/WZCOkwFKsWS3kgAN3vwGJ4tV1g=;
	b=ZFjb7RMc2gZJ9gidZ6DDaXei1mkZmPL0vcS/iZebK+6lPV/MOwXbqlGe2DAnOA0UOLoX3v
	HPFPp2ho4maPbUPTC+XT/dz+nX/uNSmjvaMOrN3NGpJHLVLFjpRPPAuzWyRpOLuYD04AMI
	Hq/AipMBiY04JLhymshnhN0rnLShd18OUhpjkD3kKclGsgU8eC8+3YAD0ih4EamqTcdj3U
	VBRdIMbQFjntiGwz/ZlAo5Pjo90MEVwnUtsLvWRsjNPiuOWmHoToKm2GnA7+yGMSh2Rw8I
	QivqRYyOgnH1GwZv7+fBE0omeiZZNFA0zE61IPmQjGv1a6G+HMAJ1405zeRpcw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1761223309; a=rsa-sha256; cv=none;
	b=JxLDh/oHMjpzRw7Q/qUXzrc61GW2k0ltHZrJAdEVo17HqZ8LRHmEPkkgCYFG11o4/N6E1E
	QkoSGJKR2oCf3r6nqnlqUAVtLJS8Qwr+imerLX5/b7SVfpLLFOODdV/yTpMkGWPzGAsTkx
	U+1ASWVXNZB2or3tWjX29/c2yA1u/eVvUyZLuXD6pDVZwzBqB9oaLczAmkZhgFHm52sgVU
	CqccZECO7J3q7+KHXCuFBxyiYleWpYzQlkF8PSbcoXra0VvIZ2lbduAgNc2Ymj2HF+I8bz
	NWlFLte2DulNoRU26nRTY/uLf6Dka1kp6PJcSLwoeOW2+3gII+bn9Mbvx934HQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from [10.9.4.95] (unknown [209.182.120.176])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	(Authenticated sender: kevans/mail)
	by smtp.freebsd.org (Postfix) with ESMTPSA id 4cslz12k5SzBfg;
	Thu, 23 Oct 2025 12:41:49 +0000 (UTC)
	(envelope-from kevans@FreeBSD.org)
Message-ID: <bfdfb864-c8e0-4487-a414-d6dd45ffce9a@FreeBSD.org>
Date: Thu, 23 Oct 2025 07:41:48 -0500
List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
List-Help: <mailto:freebsd-current+help@freebsd.org>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Subscribe: <mailto:freebsd-current+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-current+unsubscribe@freebsd.org>
Sender: owner-freebsd-current@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: FreeBSD CURRENT <freebsd-current@freebsd.org>
From: Kyle Evans <kevans@FreeBSD.org>
Subject: evdev-induced panic (devfs / destroy_dev race?)
Cc: wulf@FreeBSD.org, Konstantin Belousov <kib@freebsd.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Hi,

Not sure if anyone else has noticed this, but I seem to have scared up an evdev panic:

Fatal trap 9: general protection fault while in kernel mode
cpuid = 1; apic id = 01
instruction pointer = 0x20:0xffffffff80b98b5b
stack pointer           = 0x28:0xfffffe01a62b4b60
frame pointer           = 0x28:0xfffffe01a62b4c00
code segment        = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags    = interrupt enabled, resume, IOPL = 0
current process     = 7339 (moused)
rdi: fffff80001b55128 rsi: 0000000000000001 rdx: 0000000000000000
rcx: fffffe0186e5b570  r8: fffff80353686cd0  r9: fffffe01a62b5000
rax: fffff800027d7780 rbx: fffff80001b55128 rbp: fffffe01a62b4c00
r10: 0000000000002af8 r11: 000000000000298c r12: fffff80353686780
r13: deadc0dedeadc0c0 r14: 0000000000000001 r15: 0000000000000000
trap number     = 9
panic: general protection fault
cpuid = 1
time = 1761098215
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01a62b48e0
vpanic() at vpanic+0x136/frame 0xfffffe01a62b4a10
panic() at panic+0x43/frame 0xfffffe01a62b4a70
trap_fatal() at trap_fatal+0x68/frame 0xfffffe01a62b4a90
calltrap() at calltrap+0x8/frame 0xfffffe01a62b4a90
--- trap 0x9, rip = 0xffffffff80b98b5b, rsp = 0xfffffe01a62b4b60, rbp = 0xfffffe01a62b4c00 ---
_sx_xlock_hard() at _sx_xlock_hard+0x18b/frame 0xfffffe01a62b4c00
_sx_xlock() at _sx_xlock+0xac/frame 0xfffffe01a62b4c40
evdev_dtor() at evdev_dtor+0x5c/frame 0xfffffe01a62b4c70
devfs_destroy_cdevpriv() at devfs_destroy_cdevpriv+0xab/frame 0xfffffe01a62b4c90
devfs_close_f() at devfs_close_f+0x63/frame 0xfffffe01a62b4cc0
_fdrop() at _fdrop+0x1a/frame 0xfffffe01a62b4ce0
closef() at closef+0x1e3/frame 0xfffffe01a62b4d70
closefp_impl() at closefp_impl+0x71/frame 0xfffffe01a62b4db0
closefp_hl() at closefp_hl+0x70/frame 0xfffffe01a62b4e00
amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01a62b4f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01a62b4f30
--- syscall (6, FreeBSD ELF64, close), rip = 0x2b5f166d5eaa, rsp = 0x2b5f133b49c8, rbp = 0x2b5f133b4ab0 ---
KDB: enter: panic

This was seemingly the result of removing my mouse's USB dongle.  Presumably detach revoked the client and
woke it up, which then triggered the above close() from moused to race with destroy_dev() for invoking the
cdevpriv dtor.

I spent a few minutes thinking about it and didn't really come to a good idea of what the fix might be,
though I suspect there's nothing evdev can really do about it at the moment and we might need to somehow
coordinate this in destroy_dev().

Kyle Evans