NetBSD-Bugs archive
kern/48588: one time crash in usb_allocmem_flags
>Number: 48588
>Category: kern
>Synopsis: one time crash in usb_allocmem_flags
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Feb 10 20:50:00 +0000 2014
>Originator: Alexander Nasonov
>Release: NetBSD 6.99.28
>Organization:
home sweet home
>Environment:
$ ident /netbsd | grep usb
$NetBSD: if_athn_usb.c,v 1.6 2013/10/16 18:23:39 christos Exp $
$NetBSD: usb.c,v 1.148 2013/11/09 07:52:22 skrll Exp $
$NetBSD: usb_mem.c,v 1.64 2013/12/22 18:29:25 mlelstv Exp $
$NetBSD: usb_pci.c,v 1.7 2008/04/28 20:23:55 martin Exp $
$NetBSD: usb_quirks.c,v 1.80 2013/11/14 16:33:20 nonaka Exp $
$NetBSD: usb_subr.c,v 1.195 2013/10/03 07:35:37 skrll Exp $
$NetBSD: usbdi.c,v 1.160 2013/11/30 12:16:14 skrll Exp $
$NetBSD: usbdi_util.c,v 1.62 2013/09/26 07:25:31 skrll Exp $
System: NetBSD neva 6.99.28 NetBSD 6.99.28 (GENERIC) #0: Sun Jan 12 00:07:53 GMT 2014 alnsn@neva:/home/alnsn/netbsd-current/src/sys/arch/amd64/compile/obj/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
I was running current amd64 when I got a random crash shortly
after switching to X mode. If my analysis is correct, it crashed
in usb_allocmem_flags inside this loop:
	LIST_FOREACH(f, &usb_frag_freelist, next) {
		KDASSERTMSG(usb_valid_block_p(f->block, &usb_blk_fraglist),
		    "%s: usb frag %p: unknown block pointer %p",
		    __func__, f, f->block);
		if (f->block->tag == tag)
			break;
	}
It couldn't access f->block->tag. I wasn't actively using any of
the usb devices at that time.
The kernel is not vanilla GENERIC. I enabled UHID_DEBUG, set
urtwn_debug to DBG_ALL and changed uts.c (touchscreen driver)
to ignore the z dimension when it's not available. The full diff
is available on the web site at ~alnsn/usb_allocmem_flags.diff.
crash> dmesg
...
fatal protection fault in supervisor mode
trap type 4 code 0 rip ffffffff808515e2 cs 8 rflags 13282 cr2
7f7ff5773020 ilevel 0 rsp fffffe80ca6f16c0
curlwp 0xfffffe811a8aaba0 pid 475.1 lowest kstack 0xfffffe80ca6ee000
panic: trap
cpu2: Begin traceback...
vpanic() at netbsd:vpanic+0x13e
printf_nolog() at netbsd:printf_nolog
startlwp() at netbsd:startlwp
alltraps() at netbsd:alltraps+0x9e
ehci_allocm() at netbsd:ehci_allocm+0x2c
usbd_transfer() at netbsd:usbd_transfer+0x5f
usbd_open_pipe_intr() at netbsd:usbd_open_pipe_intr+0xcb
uhidev_open() at netbsd:uhidev_open+0xb3
wsmouseopen() at netbsd:wsmouseopen+0xf3
cdev_open() at netbsd:cdev_open+0x87
spec_open() at netbsd:spec_open+0x183
VOP_OPEN() at netbsd:VOP_OPEN+0x33
vn_open() at netbsd:vn_open+0x1b0
do_open() at netbsd:do_open+0x102
do_sys_openat() at netbsd:do_sys_openat+0x68
sys_open() at netbsd:sys_open+0x24
syscall() at netbsd:syscall+0x9a
--- syscall (number 5) ---
7f7ff403af3a:
cpu2: End traceback...
rebooting in 10 9 8 7 6 5 4 3 2 1 0
crash> dmesg|grep usb
usb0 at xhci0: USB revision 2.0
usb1 at ehci0: USB revision 2.0
uhub0 at usb0: NetBSD xHCI Root Hub, class 9/0, rev 2.00/1.00, addr 0
uhub1 at usb1: vendor 0x8086 EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
usbd_transfer() at netbsd:usbd_transfer+0x5f
usbd_open_pipe_intr() at netbsd:usbd_open_pipe_intr+0xcb
crash> x 0xffffffff808515e2
usb_allocmem_flags+0xfd: 751a3948
$ objdump -d /netbsd
...
ffffffff8085158b: 48 c7 c7 60 15 f8 80    mov    $0xffffffff80f81560,%rdi
ffffffff80851592: e8 69 42 d3 ff          callq  ffffffff80585800 <mutex_enter>
ffffffff80851597: 48 8b 05 c2 bf 69 00    mov    0x69bfc2(%rip),%rax        # ffffffff80eed560 <usb_frag_freelist>
ffffffff8085159e: 48 85 c0                test   %rax,%rax
ffffffff808515a1: 75 3c                   jne    ffffffff808515df <usb_allocmem_flags+0xfa>
/* You don't need to look at this block */
ffffffff808515a3: 48 8d 4d c8             lea    -0x38(%rbp),%rcx
ffffffff808515a7: 45 31 c0                xor    %r8d,%r8d
ffffffff808515aa: ba 40 00 00 00          mov    $0x40,%edx
ffffffff808515af: be 00 10 00 00          mov    $0x1000,%esi
ffffffff808515b4: 48 89 df                mov    %rbx,%rdi
ffffffff808515b7: e8 f4 fb ff ff          callq  ffffffff808511b0 <usb_block_allocmem>
ffffffff808515bc: 89 c3                   mov    %eax,%ebx
ffffffff808515be: 85 c0                   test   %eax,%eax
ffffffff808515c0: 75 ac                   jne    ffffffff8085156e <usb_allocmem_flags+0x89>
ffffffff808515c2: 48 8b 4d c8             mov    -0x38(%rbp),%rcx
ffffffff808515c6: c7 41 38 00 00 00 00    movl   $0x0,0x38(%rcx)
ffffffff808515cd: bb 40 00 00 00          mov    $0x40,%ebx
ffffffff808515d2: 31 d2                   xor    %edx,%edx
ffffffff808515d4: eb 57                   jmp    ffffffff8085162d <usb_allocmem_flags+0x148>
/* end of block. */
/* LIST_FOREACH(f, &usb_frag_freelist, next) { */
ffffffff808515d6: 48 8b 40 10             mov    0x10(%rax),%rax
ffffffff808515da: 48 85 c0                test   %rax,%rax
ffffffff808515dd: 74 c4                   je     ffffffff808515a3 <usb_allocmem_flags+0xbe>
ffffffff808515df: 48 8b 10                mov    (%rax),%rdx
ffffffff808515e2: 48 39 1a                cmp    %rbx,(%rdx)
ffffffff808515e5: 75 ef                   jne    ffffffff808515d6 <usb_allocmem_flags+0xf1>
crash> ps
PID LID S CPU FLAGS STRUCT LWP * NAME WAIT
475 > 1 7 2 0 fffffe811a8aaba0 Xorg
72 1 2 3 9020000 fffffe811a709b80 xinit
43 1 2 3 8020000 fffffe811a709760 sh
437 1 2 3 8020000 fffffe811d311720 ksh
420 1 2 2 8020000 fffffe811e2b6240 getty
435 1 2 0 8020000 fffffe811e2b6a80 getty
429 1 2 3 8020000 fffffe811e2b6660 login
412 1 2 0 8020000 fffffe811e4c1220 getty
390 1 2 0 8020000 fffffe8119a90b60 cron
407 1 2 0 8020000 fffffe811d767b00 inetd
342 1 2 3 8020000 fffffe811d311300 privoxy
357 1 2 3 8020000 fffffe811c3b9b20 sshd
332 > 1 7 0 8020000 fffffe811d7812a0 tor
319 1 3 1 8020080 fffffe811d7676e0 powerd kqueue
176 > 1 7 3 8020000 fffffe811e28fac0 syslogd
126 1 3 1 8020080 fffffe811e28f280 dhcpcd select
1 1 3 1 8020080 fffffe8107acda40 init wait
0 65 3 2 200 fffffe811e28f6a0 physiod physiod
0 64 3 2 200 fffffe811e4c1640 aiodoned aiodoned
0 63 2 2 200 fffffe81074185c0 ioflush
0 62 3 2 200 fffffe811e4c1a60 pgdaemon pgdaemon
0 58 3 2 200 fffffe81074189e0 usb1 usbevt
0 57 3 2 200 fffffe8107acd200 usb0 usbevt
0 56 3 2 200 fffffe8107409a00 coretemp1 coretemp1
0 55 3 2 200 fffffe81074095e0 coretemp0 coretemp0
0 54 3 2 200 fffffe81074091c0 acpitz0 acpitz0
0 53 3 2 200 fffffe810740ba20 acpibat1 acpibat1
0 52 3 2 200 fffffe81074181a0 acpibat0 acpibat0
0 51 3 2 200 fffffe8107acd620 cryptoret crypto_w
0 50 3 2 200 fffffe810740b1e0 unpgc unpgc
0 49 3 0 200 fffffe810740b600 vmem_rehash vmem_rehash
0 40 3 0 200 fffffe81072e6180 iic0 iicintr
0 39 3 0 200 fffffe81072e65a0 atabus0 atath
0 38 3 0 200 fffffe81072e69c0 usbtask-dr usbtsk
0 37 3 0 200 fffffe81071f7160 usbtask-hc usbtsk
0 36 3 0 200 fffffe81071f7580 pms0 pmsreset
0 35 3 0 200 fffffe81071f79a0 acpiec sci thre ecsci
0 34 3 3 200 fffffe81071e5140 xcall/3 xcall
0 33 1 3 200 fffffe81071e5560 softser/3
0 32 1 3 200 fffffe81071e5980 softclk/3
0 31 1 3 200 fffffe81071e9120 softbio/3
0 30 1 3 200 fffffe81071e9540 softnet/3
0 29 1 3 201 fffffe81071e9960 idle/3
0 28 3 2 200 fffffe81071d1100 xcall/2 xcall
0 27 1 2 200 fffffe81071d1520 softser/2
0 26 1 2 200 fffffe81071d1940 softclk/2
0 25 1 2 200 fffffe81071d70e0 softbio/2
0 24 1 2 200 fffffe81071d7500 softnet/2
0 23 1 2 201 fffffe81071d7920 idle/2
0 22 3 1 200 fffffe81071bf0c0 xcall/1 xcall
0 21 1 1 200 fffffe81071bf4e0 softser/1
0 20 1 1 200 fffffe81071bf900 softclk/1
0 19 1 1 200 fffffe81071b80a0 softbio/1
0 18 1 1 200 fffffe81071b84c0 softnet/1
0 > 17 7 1 201 fffffe81071b88e0 idle/1
0 16 3 0 200 fffffe811e616080 sysmon smtaskq
0 15 3 1 200 fffffe811e6164a0 pmfsuspend pmfsuspend
0 14 3 0 200 fffffe811e6168c0 pmfevent pmfevent
0 13 3 0 200 fffffe811f527060 sopendfree sopendfr
0 12 3 3 200 fffffe811f527480 nfssilly nfssilly
0 11 3 0 200 fffffe811f5278a0 cachegc cachegc
0 10 3 0 200 fffffe811f92d040 vrele vrele
0 9 3 0 200 fffffe811f92d460 vdrain vdrain
0 8 3 0 200 fffffe811f92d880 modunload mod_unld
0 7 3 0 200 fffffe811f939020 xcall/0 xcall
0 6 1 0 200 fffffe811f939440 softser/0
0 > 5 7 0 200 fffffe811f939860 softclk/0
0 4 1 0 200 fffffe811f940000 softbio/0
0 3 1 0 200 fffffe811f940420 softnet/0
0 2 1 0 201 fffffe811f940840 idle/0
0 1 2 2 200 ffffffff80ed6800 swapper
>How-To-Repeat:
Not repeatable.
>Fix:
Not known.
>Unformatted:
Source last checked out about a month ago.
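The free-list walk quoted in the report, rebuilt as an added stand-alone example. This is not NetBSD's usb_mem.c and not the submitter's code: the struct layouts, the tag type and the two-block scenario are simplified assumptions that borrow only the names from the report (usb_frag_freelist, usb_blk_fraglist, usb_valid_block_p). The point it illustrates is why the KDASSERTMSG in the loop matters: the assertion is a debug-kernel check, and in a build where it is compiled out the loop dereferences f->block->tag through whatever pointer the fragment holds, which is exactly the instruction (cmp %rbx,(%rdx)) the trap landed on. The example models the faulting condition as a block that has left the block list while a free fragment still points at it, and compares the unchecked walk with one that validates the pointer before following it and degrades gracefully instead of faulting.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/queue.h>

/* Constructed, simplified model of the block/fragment lists; not the
 * real NetBSD structures. tag_t stands in for bus_dma_tag_t. */
typedef uintptr_t tag_t;

struct usb_dma_block {
	tag_t tag;
	LIST_ENTRY(usb_dma_block) next;
};

struct usb_frag_dma {
	struct usb_dma_block *block;	/* pointer the loop in the report dereferences */
	size_t offs;
	LIST_ENTRY(usb_frag_dma) next;
};

LIST_HEAD(usb_dma_block_qh, usb_dma_block);
LIST_HEAD(usb_frag_dma_qh, usb_frag_dma);

static struct usb_dma_block_qh usb_blk_fraglist = LIST_HEAD_INITIALIZER(usb_blk_fraglist);
static struct usb_frag_dma_qh usb_frag_freelist = LIST_HEAD_INITIALIZER(usb_frag_freelist);

/* Same idea as usb_valid_block_p(): a block pointer is trusted only if it
 * is still reachable from the block list. O(blocks) per call, which is why
 * the kernel runs it only behind a debug assertion. */
static bool valid_block_p(const struct usb_dma_block *b, const struct usb_dma_block_qh *qh)
{
	const struct usb_dma_block *p;
	LIST_FOREACH(p, qh, next)
		if (p == b)
			return true;
	return false;
}

/* Unchecked walk: what the quoted loop becomes when KDASSERTMSG compiles
 * to nothing. A stale f->block is dereferenced without any check. */
static struct usb_frag_dma *find_frag_unchecked(tag_t tag)
{
	struct usb_frag_dma *f;
	LIST_FOREACH(f, &usb_frag_freelist, next)
		if (f->block->tag == tag)
			return f;
	return NULL;
}

/* Checked walk: validate f->block before following it; count and skip
 * corrupt entries instead of faulting. */
static struct usb_frag_dma *find_frag_checked(tag_t tag, int *corrupt)
{
	struct usb_frag_dma *f;
	*corrupt = 0;
	LIST_FOREACH(f, &usb_frag_freelist, next) {
		if (!valid_block_p(f->block, &usb_blk_fraglist)) {
			(*corrupt)++;	/* "unknown block pointer": do not touch it */
			continue;
		}
		if (f->block->tag == tag)
			return f;
	}
	return NULL;
}

/* Constructed sample state: two blocks (tags 1 and 2), one free fragment each. */
static struct usb_dma_block blocks[2];
static struct usb_frag_dma frags[2];

static void build_lists(void)
{
	LIST_INIT(&usb_blk_fraglist);
	LIST_INIT(&usb_frag_freelist);
	for (int i = 0; i < 2; i++) {
		blocks[i].tag = (tag_t)(i + 1);
		LIST_INSERT_HEAD(&usb_blk_fraglist, &blocks[i], next);
		frags[i].block = &blocks[i];
		frags[i].offs = 0;
		LIST_INSERT_HEAD(&usb_frag_freelist, &frags[i], next);
	}
}

/* Consistent lists: both walks find the same fragment, no corruption seen. */
int scenario_healthy(void)
{
	int corrupt;
	build_lists();
	struct usb_frag_dma *a = find_frag_unchecked(2);
	struct usb_frag_dma *b = find_frag_checked(2, &corrupt);
	return a == b && a == &frags[1] && corrupt == 0;
}

/* Fault model: block 2 leaves the block list ("freed") while frags[1]
 * still points at it. The block's storage is kept alive here only so the
 * example stays well-defined; in the kernel the unchecked walk would read
 * f->block->tag through a pointer the allocator no longer owns. */
int scenario_dangling_corrupt_count(void)
{
	int corrupt;
	build_lists();
	LIST_REMOVE(&blocks[1], next);
	(void)find_frag_checked(1, &corrupt);
	return corrupt;
}

/* The checked walk still resolves tag 1 via the intact fragment. */
int scenario_dangling_finds_tag1(void)
{
	int corrupt;
	build_lists();
	LIST_REMOVE(&blocks[1], next);
	return find_frag_checked(1, &corrupt) == &frags[0];
}

int main(void)
{
	printf("healthy lists agree: %d\n", scenario_healthy());
	printf("corrupt entries seen: %d\n", scenario_dangling_corrupt_count());
	printf("checked walk still finds tag 1: %d\n", scenario_dangling_finds_tag1());
	return 0;
}
```

The checked variant is what a debug kernel effectively does before the fatal dereference; it is too expensive to leave on in production, which is why a crash like the one above surfaces as a protection fault on the cmp rather than as an assertion message naming the fragment and its block pointer. If the crash recurs, running a kernel with the assertion enabled turns the rip into the identity of the corrupt fragment.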