Date: Sun, 16 Feb 2014 10:20:00 GMT
From: Hiroo Ono (小野 寛生) <hiroo.ono@gmail.com>
To: freebsd-bugs@FreeBSD.org
Subject: kern/183835: Kernel panic with VIMAGE on insertion of axe USB network interface
Message-ID: <201402161020.s1GAK0FN012090@freefall.freebsd.org>
The following reply was made to PR kern/183835; it has been noted by GNATS.

From: Hiroo Ono (小野 寛生) <hiroo.ono@gmail.com>
To: bug-followup@FreeBSD.org, elakin@infohell.net
Cc:
Subject: kern/183835: Kernel panic with VIMAGE on insertion of axe USB network interface
Date: Sun, 16 Feb 2014 19:10:16 +0900

--bcaec51d2eb8e55f9804f2833e21
Content-Type: text/plain; charset=ISO-8859-1

Hello,

Attached patch to sys/dev/usb/usb_ethernet.c should solve the problem of
VIMAGE and USB ether.

The problem occurs when ue_attach_post_task() (in
sys/dev/usb/net/usb_ethernet.c) is called.
ue_attach_post_task() calls if_alloc() (in sys/net/if.c) and ether_attach()
(in sys/net/if_ethersubr.c), which finally refer to V_if_index.

The backtrace is as follows.

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x18
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0b8eae1
stack pointer           = 0x28:0xe8fafc18
frame pointer           = 0x28:0xe8fafc3c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 15 (axe0)
Uptime: 2m53s
Physical memory: 991 MB
Dumping 64 MB: 49 33 17 1

Reading symbols from /boot/kernel/if_axe.ko.symbols...done.
Loaded symbols for /boot/kernel/if_axe.ko.symbols
Reading symbols from /boot/kernel/uether.ko.symbols...done.
Loaded symbols for /boot/kernel/uether.ko.symbols
#0  doadump (textdump=1) at pcpu.h:233
        in pcpu.h
(kgdb) bt
#0  doadump (textdump=1) at pcpu.h:233
#1  0xc0aca740 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:447
#2  0xc0acab1f in panic (fmt=<value optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:754
#3  0xc0524225 in db_panic (addr=-1061623071, have_addr=0, count=-1,
    modif=0xe8faf894 "") at /usr/src/sys/ddb/db_command.c:482
#4  0xc0523e57 in db_command (cmd_table=<value optimized out>)
    at /usr/src/sys/ddb/db_command.c:449
#5  0xc0523b70 in db_command_loop () at /usr/src/sys/ddb/db_command.c:502
#6  0xc05263b0 in db_trap (type=<value optimized out>, code=744908288)
    at /usr/src/sys/ddb/db_main.c:231
#7  0xc0b05738 in kdb_trap (type=<value optimized out>,
    code=<value optimized out>, tf=<value optimized out>)
    at /usr/src/sys/kern/subr_kdb.c:656
#8  0xc0fc11ba in trap_fatal (frame=0xe8fafbd8, eva=24)
    at /usr/src/sys/i386/i386/trap.c:1038
#9  0xc0fc152d in trap_pfault (frame=0x0, usermode=<value optimized out>,
    eva=0) at /usr/src/sys/i386/i386/trap.c:859
#10 0xc0fc0b09 in trap (frame=0xe8fafbd8)
    at /usr/src/sys/i386/i386/trap.c:556
#11 0xc0faa62c in calltrap () at /usr/src/sys/i386/i386/exception.s:170
#12 0xc0b8eae1 in if_alloc (type=<value optimized out>)
    at /usr/src/sys/net/if.c:280
#13 0xc64b614e in ue_attach_post_task (_task=0xc5d1faac)
    at /usr/src/sys/modules/usb/uether/../../../dev/usb/net/usb_ethernet.c:210
#14 0xc095d1c1 in usb_process (arg=0xc5d1fa20)
    at /usr/src/sys/dev/usb/usb_process.c:177
#15 0xc0a984b3 in fork_exit (callout=0xc095d090 <usb_process>)
    at /usr/src/sys/kern/kern_fork.c:995
#16 0xc0faa6d4 in fork_trampoline ()
    at /usr/src/sys/i386/i386/exception.s:279

The problem is that curvnet is NULL when ue_attach_post_task() is invoked,
and with VIMAGE, V_if_index is defined to
    VNET(if_index)
    => VNET_VNET(curvnet, if_index)
    => (*VNET_VNET_PTR((curvnet), if_index))
    => (*_VNET_PTR((curvnet)->vnet_data_base, if_index))
and so on.

For device attachment, the following code in device_probe_and_attach()
(in kern/subr_bus.c)

    CURVNET_SET_QUIET(vnet0);
    error = device_attach(dev);
    CURVNET_RESTORE();

should assign curvnet to vnet0, but it is not the case for the ue device.

As an example of a USB ethernet device, with if_axe, device_attach(dev) is
axe_attach() (in sys/dev/usb/net/if_axe.c).
axe_attach() calls uether_ifattach() (in sys/dev/usb/net/usb_ethernet.c)
(other USB ethernet devices' *_attach() also call this function), which
*queues* (not calls) ue_attach_post_task.
As ue_attach_post_task is called from usb_process (not from uether_ifattach),
it is not assured that curvnet is properly assigned.

--bcaec51d2eb8e55f9804f2833e21
Content-Type: text/plain; charset=US-ASCII; name="usb_ethernet.c.diff"
Content-Disposition: attachment; filename="usb_ethernet.c.diff"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_hrq5ia9d0

--bcaec51d2eb8e55f9804f2833e21--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201402161020.s1GAK0FN012090>
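
The failure mode described in the message, as an added userland model that is not FreeBSD kernel code and not the attached patch: context set around a call that only queues work is gone by the time the queued task runs. The `model_*` and `task_*` names, the single-slot queue and the simplified macros are assumptions made for illustration; the second task uses the same CURVNET_SET_QUIET(vnet0)/CURVNET_RESTORE() pair the message quotes from device_probe_and_attach().

```c
/* Userland model of the situation in the message; not FreeBSD kernel code. */
#include <stddef.h>
#include <stdio.h>
struct vnet { int if_index; };           /* stand-in for per-vnet data */
static struct vnet vnet0_storage;
static struct vnet *vnet0 = &vnet0_storage;
static struct vnet *curvnet = NULL;      /* per-thread in the kernel; one thread here */

/* Simplified stand-ins for the kernel macros of the same names. */
#define CURVNET_SET_QUIET(v) struct vnet *saved_vnet = curvnet; curvnet = (v)
#define CURVNET_RESTORE()    (curvnet = saved_vnet)
typedef int (*task_fn)(void);
static task_fn queued_task = NULL;       /* one-slot deferred work queue */

/* Models if_alloc(): returns -1 where the kernel would fault on a NULL curvnet. */
static int model_if_alloc(void) {
    if (curvnet == NULL) return -1;
    curvnet->if_index++;
    return 0;
}

/* Deferred task that relies on the context of whoever queued it. */
static int task_inherits_context(void) { return model_if_alloc(); }
/* Deferred task that sets its own context before touching per-vnet state. */
static int task_sets_context(void) {
    CURVNET_SET_QUIET(vnet0);
    int error = model_if_alloc();
    CURVNET_RESTORE();
    return error;
}

/* Models device_probe_and_attach(): context is set only around a call that queues. */
static void model_probe_and_attach(task_fn post_task) {
    CURVNET_SET_QUIET(vnet0);
    queued_task = post_task;
    CURVNET_RESTORE();
}

/* Models usb_process picking the task up later, outside that context. */
static int model_usb_process(void) {
    task_fn t = queued_task;
    queued_task = NULL;
    return t ? t() : -2;
}

int main(void) {
    model_probe_and_attach(task_inherits_context);
    printf("inherits context: %d\n", model_usb_process());
    model_probe_and_attach(task_sets_context);
    printf("sets own context: %d\n", model_usb_process());
}
```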