From nobody Sun May 11 03:07:33 2025 X-Original-To: current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Zw72p4KPxz5wDQK for ; Sun, 11 May 2025 03:07:46 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Zw72n6zjTz3RJ3 for ; Sun, 11 May 2025 03:07:45 +0000 (UTC) (envelope-from wlosh@bsdimp.com) Authentication-Results: mx1.freebsd.org; none Received: by mail-pj1-x1035.google.com with SMTP id 98e67ed59e1d1-30c7306890dso885457a91.1 for ; Sat, 10 May 2025 20:07:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bsdimp-com.20230601.gappssmtp.com; s=20230601; t=1746932864; x=1747537664; darn=freebsd.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=U26zlgLe0oQvuu3ZZo2FWf9El/25TRYZ4Xn0g3lrH5w=; b=fbwgadYbwn8Y3Hne8UwbfjQs56+pn64JRiCN4SLwXSsIDI0wGBfbke4XbMfMhtX8iY zDzPuVCqDz29EzOY7Nwi/V+W7PRimrQZLKxkdhDg4zS23dtAz9yTAlLYLgTrA/QJAwkr nrWcamyPIIfiH4aljSobJUZqXFs0L9KwC+S8gIr3qtySk0hnsPtpUEmeMIU7zwJZpKOc zWkWNxTSruZ3iAUDv0x2cXj7X5uV275X2bd+FxYe4WRnQo+rGdK8JgzJr7yJ3VeLxTvl h81bpVDj61s9g1lL3L1+hgMETbKDMUelFtIDZ5JMuJ5B692iIsu+SPUVz1YGqEqcWCso zISw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1746932864; x=1747537664; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=U26zlgLe0oQvuu3ZZo2FWf9El/25TRYZ4Xn0g3lrH5w=; b=CkIKfhbAOt8tFKxLKxB6fZ6QEc0+C9V6635eDwORoVh37rhhUNjLJh5VlFUwN4H9N7 LmnC6c6GtqjZig58gs+SHWUs8VHj0ek80ogRenN4xPuzEIKQiRem84RdW/Qz92pqa73v rJZBcv+yTeRIMfcHducERSdDVpHo7tvqWLQ2YvpZxEVVWRx9gdQgfTT5nH4wY3KvkEYn 5t5aQ6wzRgrzefygJx6vzYTMJoUGD1INbSjHv8iu/wsAfCKfYasLfVYwAu3IQ+WYTSIq 1LUqv+f5aOcJ7S+UyDurKZbLtE+PjWNLIZoomy5zYAt13oMiRNDXeN4vyWzY/B14YK4c 9LcQ== X-Forwarded-Encrypted: i=1; AJvYcCW6DcdXKlXsBC/n4j2y30B6D9YgBsPAuWjbmKwvfiqXN+f9m6JnI05Xp7VUareMPmXNhJcc04KH@freebsd.org X-Gm-Message-State: AOJu0Yxz+7h6hiuvSpGVF+48u3wfVhdCyfQJQtdY5FdB+cEWOgvKLRLW JaJ5zNhj+FoUICyYjWOOFyVo+DD43VX+3NzSF8d/YuMrlXAlyRXz+vVQNE92KA/0L24XLzyBAZh fXwOLIFWSbEyHGbFXdtoV4OIi1Mv137B12f1SNKiz4RCIlKQn X-Gm-Gg: ASbGncs+cbVmWVFCopUvgOJ7OJgWEjT6ZX5DJiCmJPu1n8jNOSZOMWWBrk2UAsxmniQ QDr141LNlcloubROUbnPhnUtOt3KeHGH+IzpLOFKBD/PWoyYocMjU8gXjzRZDP7mStaiYMKyZUm e5b/YpAsVA9e30WzYymFigwXcHaVLtnKSF/lDUrv62UFM= X-Google-Smtp-Source: AGHT+IGUeD+jjzZu4X+QORj+ngBRI+w+lSNq9bJeWMfTjW12ykzHhY6uHEuWG4EPby0p+6r1b70cUr5TIgYrs/SYx1E= X-Received: by 2002:a17:90b:2fd0:b0:2ee:8ea0:6b9c with SMTP id 98e67ed59e1d1-30c3d0eac6amr17448158a91.12.1746932864298; Sat, 10 May 2025 20:07:44 -0700 (PDT) List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@FreeBSD.org MIME-Version: 1.0 References: <9p19rsns-ro3r-so94-14p1-2s9p61377q73@yvfgf.mnoonqbm.arg> In-Reply-To: From: Warner Losh Date: Sat, 10 May 2025 21:07:33 -0600 X-Gm-Features: AX0GCFvDumLSldVPTcxKrLKUhpClODimaW5-RpvtY6Dm-JIJVktNI7dHyfKZFR0 Message-ID: Subject: Re: panic in usb_detach_device / device_printf To: "Bjoern A. Zeeb" Cc: usb@freebsd.org, current@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4Zw72n6zjTz3RJ3 X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US] X-Spamd-Bar: ---- OK. Sorry for the top post. I need to recreate this because this data is already freed and corrupted. So is this panic in bhyve? What's the bhyve configuration you are using? You say this happens as you move the xhci pass through device back to the host. Does the same thing happen if you instead devctl detach the xhciX the device instead? It looks like you have a da0 device on the usb bus, any others? I need a way to reproduce it, and I kinda get what you're doing, but step by step instructions would be way better... And it may be a week before I get to it: my daughter is graduating next Friday, so my whole routine and schedule is off. Warner On Sat, May 10, 2025 at 4:52=E2=80=AFPM Bjoern A. Zeeb wrote: > > On Sat, 10 May 2025, Warner Losh wrote: > > > Yes. usb is hanky in its newbus integration and always has been. > > > > How did you get this to happen? I know that it can happen in some weird > > error scenarios (that I've not been able to reproduce), but just removi= ng the > > device is orderly enough... > > > > But it looks like jhb's cleanup may have opened the issue back up, sinc= e > > usb_detatch_device shouldn't find anything still attached. I'm guessing= that > > there are devices that are children of this node that are attached and = also > > somehow devices of the interface? > > > > So interesting crash, but without a lot more data about the usb configu= ration > > and what device is being detached, I can't help you. > > Was a blind dump reboot on a ddb> prompt I didn't see. > > As said I moved the XHCI between bhyve passthru and the base system or > the other direction. Seems xhci -> ppt. > > Unread portion of the kernel message buffer: > ugen0.2: at usbus0 (disconnected) > ugen0.3: at usbus0 (disconnected) > ugen0.4: at usbus0 (disc= onnected) > ugen0.5: at usbus0 (disconnected) > ugen0.6: at usbus0 (disconnected) > umass0: at uhub1, port 15, addr 5 (disconnected) > da0 at umass-sim0 bus 0 scbus1 target 0 lun 0 > da0: s/n 20120501030900000 detached > pass1 at umass-sim0 bus 0 scbus1 target 0 lun 0 > pass1: s/n 20120501030900000 detached > (pass1:umass-sim0:0:0:0): Periph destroyed > (da0:umass-sim0:0:0:0): Periph destroyed > umass0: detached > uhub1: detached > ugen0.1: at usbus0 (disconnected) > > If I manually check the bt (the source tree has changed): > > #14 devclass_get_name (dc=3D0x7373616c63627573) at sys/kern/subr_bus.c:97= 6 > #15 device_get_name (dev=3D0xfffff8000158e700) at sys/kern/subr_bus.c:190= 8 > #16 device_printf (dev=3Ddev@entry=3D0xfffff8000158e700, fmt=3D0xffffffff= 81231211 "at %s, port %d, addr %d (disconnected)\n") at sys/kern/subr_bus.c= :1998 > > (kgdb) p (*(devclass_t) 0x7373616c63627573) > Cannot access memory at address 0x7373616c63627573 > (kgdb) p (*(device_t) 0xfffff8000158e700) > $3 =3D {ops =3D 0x6567753d6e656775, link =3D {tqe_next =3D 0x65646320312e= 306e, tqe_prev =3D 0x2e306e6567753d76}, devlink =3D {tqe_next =3D 0x726f646= e65762031, tqe_prev =3D 0x203030303078303d}, parent =3D 0x3d746375646f7270,= children =3D {tqh_first =3D 0x6420303030307830, tqh_last =3D 0x3d7373616c6= 37665}, driver =3D 0x7665642039307830, devclass =3D 0x7373616c63627573, uni= t =3D 813183037, nameunit =3D 0x2022223d6d756e72 , desc =3D 0x3d657361656c6572 , busy =3D 825260080, state = =3D 1830826032, devflags =3D 1030055023, flags =3D 1953722216, order =3D 19= 53392928, ivars =3D 0x646e6520303d6563, softc =3D 0x313d73746e696f70, props= =3D { lh_first =3D 0x73616c63746e6920}, sysctl_ctx =3D {tqh_first =3D 0x69= 20393078303d73, tqh_last =3D 0x616c63627573746e}, sysctl_tree =3D 0x2030307= 8303d7373} > > > #17 0xffffffff8094ac63 in usb_detach_device_sub (udev=3D0xfffff800018b700= 0, ppdev=3D0xfffff80001595588, ppnpinfo=3D0xfffff800015955b8, flag=3D) > (kgdb) p *(struct usb_device *)0xfffff800018b7000 > $6 =3D > .. > 0x0 }, ugen_symlink =3D 0x0, ctrl_dev =3D 0xfffff= 8000189af40, pd_list =3D {slh_first =3D 0xfffff80001581180}, ugen_name =3D = "ugen0.1", '\000' , > plugtime =3D 2146883647, state =3D USB_STATE_DETACHED, speed =3D USB_S= PEED_SUPER, refcount =3D 1, power =3D 0, langid =3D 1, autoQuirk =3D {0, 0,= 0, 0, 0, 0, 0, 0}, address =3D 1 '\001', > .. > 0}, bufsize =3D 0, bufsize_max =3D 0, hc_max_frame_size =3D = 0, hc_max_packet_size =3D 0, hc_max_packet_count =3D 0 '\000', speed =3D US= B_SPEED_VARIABLE, dma_tag_max =3D 0 '\000', > err =3D USB_ERR_NORMAL_COMPLETION}}}, data =3D "Intel XHCI roo= t HUB, class 9/0, rev 3.00/1.00, addr 1", '\000' }} > (kgdb) p/x *(device_t *)0xfffff80001595588 > $7 =3D 0x0 > (kgdb) p *(char *)0xfffff800015955b8 > $8 =3D 0 '\000' > > #20 0xffffffff8094d24c in usb_free_device (udev=3Dudev@entry=3D0xfffff800= 018b7000, flag=3D) > (kgdb) p/x *(struct usb_device *)0xfffff800018b7000 > $1 =3D .. > (kgdb) p/x *$1->parent_dev > $2 =3D {ops =3D 0xfffff800016e4000, link =3D {tqe_next =3D 0x0, tqe_prev = =3D 0xfffff80001b63b30}, devlink =3D {tqe_next =3D 0xfffff80001b64200, tqe_= prev =3D 0xfffff80001b64c18}, parent =3D 0xfffff80001b63b00, children =3D {= tqh_first =3D 0x0, tqh_last =3D 0xfffff80001b64a30}, driver =3D 0xffffffff8= 18952b8, devclass =3D 0xfffff8000170d680, unit =3D 0x0, nameunit =3D 0xffff= f80001b87f30, desc =3D 0x0, busy =3D 0x0, state =3D 0x1e, devflags =3D 0x0,= flags =3D 0x407, order =3D 0x0, ivars =3D 0xfffffe01051e0428, softc =3D 0x= 0, props =3D {lh_first =3D 0x0}, sysctl_ctx =3D {tqh_first =3D 0xfffff80001= 8ac3a0, tqh_last =3D 0xfffff800018ac4c8}, sysctl_tree =3D 0xfffff80001b7f90= 0} > (kgdb) p (char *)$2->nameunit > $6 =3D 0xfffff80001b87f30 "usbus0" > (kgdb) p *(char *)$2->devclass > $7 =3D 0 '\000' > (kgdb) p/x *(device_t)$2->parent > $8 =3D {ops =3D 0xfffff800016e3000, link =3D {tqe_next =3D 0xfffff80001b6= 3a00, tqe_prev =3D 0xfffff80001b63c08}, devlink =3D {tqe_next =3D 0xfffff80= 001b63a00, tqe_prev =3D 0xfffff80001b63c18}, parent =3D 0xfffff80001b62100,= children =3D {tqh_first =3D 0xfffff80001b64a00, tqh_last =3D 0xfffff80001b= 64a08}, driver =3D 0xffffffff81894d08, devclass =3D 0xfffff8000170d700, uni= t =3D 0x0, nameunit =3D 0xfffff80001b49140, desc =3D 0xffffffff81246094, bu= sy =3D 0x0, state =3D 0x1e, devflags =3D 0x0, flags =3D 0x405, order =3D 0x= 0, ivars =3D 0xfffff80001b6f780, softc =3D 0xfffffe010505c000, props =3D {l= h_first =3D 0x0}, sysctl_ctx =3D {tqh_first =3D 0xfffff800030a1880, tqh_las= t =3D 0xfffff800018ac668}, sysctl_tree =3D 0xfffff80001b50080} > (kgdb) p (char *)$8->nameunit > $10 =3D 0xfffff80001b49140 "xhci0" > > > > Warner > > > > On Sat, May 10, 2025 at 1:36=E2=80=AFPM Bjoern A. Zeeb > > wrote: > >> > >> Hi, > >> > >> hit this twice when switching an XHCI from ppt0 back to xhci (or vice > >> versa ?) on a previous kernel (sorry I hit 4 other panics and I don't > >> have more details anymore). That kernel may have been 3-4 weeks old, > >> so may be fixed by now? > >> > >> Fatal trap 9: general protection fault while in kernel mode > >> cpuid =3D 0; apic id =3D 00 > >> instruction pointer =3D 0x20:0xffffffff80b8d519 > >> stack pointer =3D 0x28:0xfffffe01047d4c80 > >> frame pointer =3D 0x28:0xfffffe01047d4dc0 > >> code segment =3D base 0x0, limit 0xfffff, type 0x1b > >> =3D DPL 0, pres 1, long 1, def32 0, gran 1 > >> processor eflags =3D interrupt enabled, resume, IOPL =3D 0 > >> current process =3D 15 (usbus0) > >> rdi: fffffe01047d4c88 rsi: ffffffff80ba9460 rdx: fffffe01047d4d18 > >> rcx: 0000000000200000 r8: 0000000000000001 r9: 8080808080808080 > >> rax: 7373616c63627573 rbx: ffffffff81231211 rbp: fffffe01047d4dc0 > >> r10: fffff8000159d110 r11: ffffcfd1ced1cfd0 r12: fffff80001595580 > >> r13: 0000000000000000 r14: fffff8000158e700 r15: fffffe01047d4c88 > >> trap number =3D 9 > >> panic: general protection fault > >> cpuid =3D 0 > >> time =3D 1746609904 > >> KDB: stack backtrace: > >> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01= 047d4a00 > >> vpanic() at vpanic+0x136/frame 0xfffffe01047d4b30 > >> panic() at panic+0x43/frame 0xfffffe01047d4b90 > >> trap_fatal() at trap_fatal+0x68/frame 0xfffffe01047d4bb0 > >> calltrap() at calltrap+0x8/frame 0xfffffe01047d4bb0 > >> --- trap 0x9, rip =3D 0xffffffff80b8d519, rsp =3D 0xfffffe01047d4c80, = rbp =3D 0xfffffe01047d4dc0 --- > >> device_printf() at device_printf+0x89/frame 0xfffffe01047d4dc0 > >> usb_detach_device() at usb_detach_device+0xd3/frame 0xfffffe01047d4e00 > >> usb_unconfigure() at usb_unconfigure+0x83/frame 0xfffffe01047d4e40 > >> usb_free_device() at usb_free_device+0x15c/frame 0xfffffe01047d4e80 > >> usb_bus_detach() at usb_bus_detach+0x6e/frame 0xfffffe01047d4eb0 > >> usb_process() at usb_process+0xc5/frame 0xfffffe01047d4ef0 > >> fork_exit() at fork_exit+0x7b/frame 0xfffffe01047d4f30 > >> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe01047d4f30 > >> --- trap 0x3a8d224b, rip =3D 0x91722c9d5743a0fe, rsp =3D 0xc95674b90f6= 7f8da, rbp =3D 0x84eb42daceb9d67e --- > >> KDB: enter: panic > >> > >> > >> -- > >> Bjoern A. Zeeb r15= :7 > >> > > > > -- > Bjoern A. Zeeb r15:7