NetBSD-Bugs archive
kern/52047: usb_mem.c: fatal page fault in supervisor mode
>Number: 52047
>Category: kern
>Synopsis: usb_mem.c: fatal page fault in supervisor mode
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Mar 08 04:20:00 +0000 2017
>Originator: Matthew Mondor
>Release: NetBSD 7.1_RC1
>Organization:
>Environment:
System: NetBSD ninja.xisop 7.1_RC1 NetBSD 7.1_RC1 (GENERIC_MM) amd64
Architecture: x86_64
Machine: amd64
>Description:
# gdb --symbols=/usr/obj/sys/arch/amd64/compile/GENERIC_MM/netbsd.gdb
(gdb) file /usr/obj/sys/arch/amd64/compile/GENERIC_MM/netbsd.gdb
Reading symbols from /usr/obj/sys/arch/amd64/compile/GENERIC_MM/netbsd.gdb...done.
(gdb) target kvm netbsd.1.core
0xffffffff80606005 in cpu_reboot (howto=howto@entry=256, bootstr=bootstr@entry=0x0) at /usr/src/sys/arch/amd64/amd64/machdep.c:671
671 dumpsys();
(gdb) bt
#0 0xffffffff80606005 in cpu_reboot (howto=howto@entry=256, bootstr=bootstr@entry=0x0) at /usr/src/sys/arch/amd64/amd64/machdep.c:671
#1 0xffffffff80296cd6 in db_sync_cmd (addr=<optimized out>, have_addr=<optimized out>, count=<optimized out>, modif=<optimized out>)
at /usr/src/sys/ddb/db_command.c:1358
#2 0xffffffff80297497 in db_command (last_cmdp=last_cmdp@entry=0xffffffff80f3a000 <db_last_command>) at /usr/src/sys/ddb/db_command.c:907
#3 0xffffffff80297824 in db_command_loop () at /usr/src/sys/ddb/db_command.c:565
#4 0xffffffff8029cd9d in db_trap (type=type@entry=6, code=code@entry=0) at /usr/src/sys/ddb/db_trap.c:90
#5 0xffffffff8029a050 in kdb_trap (type=type@entry=6, code=code@entry=0, regs=regs@entry=0xfffffe8000060920) at /usr/src/sys/arch/amd64/amd64/db_interface.c:227
#6 0xffffffff8085ab2e in trap (frame=0xfffffe8000060920) at /usr/src/sys/arch/amd64/amd64/trap.c:287
#7 0xffffffff80100f46 in alltraps ()
#8 0xffffffff808e0cd4 in usb_allocmem_flags (bus=bus@entry=0xfffffe810e9ab040, size=size@entry=8, align=align@entry=0, p=p@entry=0xfffffe81a563bc00,
flags=flags@entry=1) at /usr/src/sys/dev/usb/usb_mem.c:319
#9 0xffffffff802d14c1 in ehci_allocm (bus=<optimized out>, dma=0xfffffe81a563bc00, size=8) at /usr/src/sys/dev/usb/ehci.c:1355
#10 0xffffffff808e3798 in usbd_transfer (xfer=xfer@entry=0xfffffe81a563bb88) at /usr/src/sys/dev/usb/usbdi.c:287
#11 0xffffffff808e3b11 in usbd_open_pipe_intr (iface=<optimized out>, address=<optimized out>, flags=flags@entry=4 '\004', pipe=pipe@entry=0xfffffe80b7dbf398,
priv=priv@entry=0xfffffe80b7dbf380, buffer=0xfffffe80bc465c58, len=8, cb=cb@entry=0xffffffff808bbb9d <uhidev_intr>, ival=ival@entry=-1)
at /usr/src/sys/dev/usb/usbdi.c:213
#12 0xffffffff808bbdc6 in uhidev_open (scd=scd@entry=0xfffffe81a606bac0) at /usr/src/sys/dev/usb/uhidev.c:575
#13 0xffffffff808ba7f8 in uhidopen (dev=<optimized out>, flag=<optimized out>, mode=<optimized out>, l=<optimized out>) at /usr/src/sys/dev/usb/uhid.c:334
#14 0xffffffff8080d41b in cdev_open (dev=14336, flag=1, devtype=8192, l=0xfffffe822ba785a0) at /usr/src/sys/kern/subr_devsw.c:854
#15 0xffffffff807f59e6 in spec_open (v=0xfffffe8000060c30) at /usr/src/sys/miscfs/specfs/spec_vnops.c:557
#16 0xffffffff80932ecb in VOP_OPEN (vp=vp@entry=0xfffffe813d11b7b0, mode=mode@entry=1, cred=cred@entry=0xfffffe8239a78780) at /usr/src/sys/kern/vnode_if.c:234
#17 0xffffffff80920256 in vn_open (ndp=ndp@entry=0xfffffe8000060d90, fmode=fmode@entry=1, cmode=cmode@entry=0) at /usr/src/sys/kern/vfs_vnops.c:258
#18 0xffffffff80919b93 in do_open (l=l@entry=0xfffffe822ba785a0, dvp=0x0, pb=<optimized out>, open_flags=open_flags@entry=0, open_mode=open_mode@entry=0,
fd=fd@entry=0xfffffe8000060e94) at /usr/src/sys/kern/vfs_syscalls.c:1579
#19 0xffffffff80919ce7 in do_sys_openat (l=0xfffffe822ba785a0, fdat=fdat@entry=-100, path=<optimized out>, flags=0, mode=0, fd=fd@entry=0xfffffe8000060e94)
at /usr/src/sys/kern/vfs_syscalls.c:1659
#20 0xffffffff80919db3 in sys_open (l=<optimized out>, uap=<optimized out>, retval=0xfffffe8000060eb8) at /usr/src/sys/kern/vfs_syscalls.c:1679
#21 0xffffffff8083318a in sy_call (rval=0xfffffe8000060eb8, uap=0xfffffe8000060f00, l=0xfffffe822ba785a0, sy=0xffffffff80f8e970 <sysent+80>)
at /usr/src/sys/sys/syscallvar.h:61
#22 sy_invoke (code=5, rval=0xfffffe8000060eb8, uap=0xfffffe8000060f00, l=0xfffffe822ba785a0, sy=0xffffffff80f8e970 <sysent+80>)
at /usr/src/sys/sys/syscallvar.h:85
#23 syscall (frame=0xfffffe8000060f00) at /usr/src/sys/arch/x86/x86/syscall.c:156
#24 0xffffffff80100691 in Xsyscall ()
(gdb) frame 8
#8 0xffffffff808e0cd4 in usb_allocmem_flags (bus=bus@entry=0xfffffe810e9ab040, size=size@entry=8, align=align@entry=0, p=p@entry=0xfffffe81a563bc00,
flags=flags@entry=1) at /usr/src/sys/dev/usb/usb_mem.c:319
319 if (f->block->tag == tag)
(gdb) list
314 /* Check for free fragments. */
315 LIST_FOREACH(f, &usb_frag_freelist, next) {
316 KDASSERTMSG(usb_valid_block_p(f->block, &usb_blk_fraglist),
317 "%s: usb frag %p: unknown block pointer %p",
318 __func__, f, f->block);
319 if (f->block->tag == tag)
320 break;
321 }
322 if (f == NULL) {
323 DPRINTFN(1, ("usb_allocmem: adding fragments\n"));
(gdb) info all registers
rax 0xffff800090a06880 -140735061923712
rbx 0xffffffff80f99460 -2131127200
rcx 0xfffffe822ba785a0 -1639945108064
rdx 0xffffc00081878e2b -70366571033045
rsi 0x8 8
rdi 0xffffffff81038440 -2130475968
rbp 0xfffffe8000060a48 0xfffffe8000060a48
rsp 0xfffffe8000060a10 0xfffffe8000060a10
r8 0x1 1
r9 0xffff800090a1fe00 -140735061819904
r10 0xfffffe8115af1d10 -1644608676592
r11 0x0 0
r12 0x8 8
r13 0xfffffe81a563bc00 -1642197697536
r14 0x1 1
r15 0x0 0
rip 0xffffffff808e0cd4 0xffffffff808e0cd4 <usb_allocmem_flags+263>
eflags 0x10282 [ SF IF RF ]
cs 0x8 8
ss 0x10 16
ds 0x39c3 14787
es 0xb5b0 46512
fs 0xb008 45064
gs 0x3 3
(gdb)
# dmesg -M netbsd.1.core
[...]
uvm_fault(0xffffffff8103b840, 0xffffc00081878000, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip ffffffff808e0cd4 cs 8 rflags 10282 cr2 ffffc00081878e2b ilevel 0 rsp fffffe8000060a10
curlwp 0xfffffe822ba785a0 pid 15401.1 lowest kstack 0xfffffe800005e2c0
[...]
# ps auxs -M netbsd.1.core | grep 15401
mmondor 15401 0.0 0.0 51436 0 ttyp2 O Mon05PM 0:00.00 (joystick)
Source of above "joystick" can be obtained at:
http://git.pulsar-zone.net/?p=mmondor.git;a=tree;f=tests/sdl-joystick;hb=HEAD
Used with a Logitech Wingman Extreme Digital 3D analog joystick.
>How-To-Repeat:
With a USB HID analog joystick connected (I used a Logitech WingMan
Extreme Digital 3D), and the little SDL-based test at
http://git.pulsar-zone.net/?p=mmondor.git;a=tree;f=tests/sdl-joystick;hb=HEAD
I experienced multiple crashes when running the test several times (10+
times or so). It is possible that a loop of opening/closing the device
may trigger it too, but that is so far untested.
When it crashes, it appears to crash immediately when starting the
program, suggesting that opening the device sometimes triggers it,
possibly after a resource gets exhausted and allocating is necessary.
>Fix: