Re: panic in usb_detach_device / device_printf
Date: Sat, 10 May 2025 22:52:16 UTC
On Sat, 10 May 2025, Warner Losh wrote:
> Yes. usb is hanky in its newbus integration and always has been.
>
> How did you get this to happen? I know that it can happen in some weird
> error scenarios (that I've not been able to reproduce), but just removing the
> device is orderly enough...
>
> But it looks like jhb's cleanup may have opened the issue back up, since
> usb_detach_device shouldn't find anything still attached. I'm guessing that
> there are devices that are children of this node that are attached and also
> somehow devices of the interface?
>
> So interesting crash, but without a lot more data about the usb configuration
> and what device is being detached, I can't help you.
Was a blind dump reboot on a ddb> prompt I didn't see.
As said I moved the XHCI between bhyve passthru and the base system or
the other direction. Seems xhci -> ppt.
Unread portion of the kernel message buffer:
ugen0.2: <Generic EMV Smartcard Reader> at usbus0 (disconnected)
ugen0.3: <vendor 0x8087 product 0x0032> at usbus0 (disconnected)
ugen0.4: <Chicony Electronics Co.,Ltd. Integrated Camera> at usbus0 (disconnected)
ugen0.5: <vendor 0x06cb product 0x009a> at usbus0 (disconnected)
ugen0.6: <Generic USB3.0-CRW> at usbus0 (disconnected)
umass0: at uhub1, port 15, addr 5 (disconnected)
da0 at umass-sim0 bus 0 scbus1 target 0 lun 0
da0: <Generic- SD/MMC 1.00> s/n 20120501030900000 detached
pass1 at umass-sim0 bus 0 scbus1 target 0 lun 0
pass1: <Generic- SD/MMC 1.00> s/n 20120501030900000 detached
(pass1:umass-sim0:0:0:0): Periph destroyed
(da0:umass-sim0:0:0:0): Periph destroyed
umass0: detached
uhub1: detached
ugen0.1: <Intel XHCI root HUB> at usbus0 (disconnected)
If I manually check the bt (the source tree has changed):
#14 devclass_get_name (dc=0x7373616c63627573) at sys/kern/subr_bus.c:976
#15 device_get_name (dev=0xfffff8000158e700) at sys/kern/subr_bus.c:1908
#16 device_printf (dev=dev@entry=0xfffff8000158e700, fmt=0xffffffff81231211 "at %s, port %d, addr %d (disconnected)\n") at sys/kern/subr_bus.c:1998
(kgdb) p (*(devclass_t) 0x7373616c63627573)
Cannot access memory at address 0x7373616c63627573
(kgdb) p (*(device_t) 0xfffff8000158e700)
$3 = {ops = 0x6567753d6e656775, link = {tqe_next = 0x65646320312e306e, tqe_prev = 0x2e306e6567753d76}, devlink = {tqe_next = 0x726f646e65762031, tqe_prev = 0x203030303078303d}, parent = 0x3d746375646f7270, children = {tqh_first = 0x6420303030307830, tqh_last = 0x3d7373616c637665}, driver = 0x7665642039307830, devclass = 0x7373616c63627573, unit = 813183037, nameunit = 0x2022223d6d756e72 <error: Cannot access memory at address 0x2022223d6d756e72>, desc = 0x3d657361656c6572 <error: Cannot access memory at address 0x3d657361656c6572>, busy = 825260080, state = 1830826032, devflags = 1030055023, flags = 1953722216, order = 1953392928, ivars = 0x646e6520303d6563, softc = 0x313d73746e696f70, props = { lh_first = 0x73616c63746e6920}, sysctl_ctx = {tqh_first = 0x6920393078303d73, tqh_last = 0x616c63627573746e}, sysctl_tree = 0x20303078303d7373}
#17 0xffffffff8094ac63 in usb_detach_device_sub (udev=0xfffff800018b7000, ppdev=0xfffff80001595588, ppnpinfo=0xfffff800015955b8, flag=<optimized out>)
(kgdb) p *(struct usb_device *)0xfffff800018b7000
$6 =
..
0x0 <repeats 126 times>}, ugen_symlink = 0x0, ctrl_dev = 0xfffff8000189af40, pd_list = {slh_first = 0xfffff80001581180}, ugen_name = "ugen0.1", '\000' <repeats 12 times>,
plugtime = 2146883647, state = USB_STATE_DETACHED, speed = USB_SPEED_SUPER, refcount = 1, power = 0, langid = 1, autoQuirk = {0, 0, 0, 0, 0, 0, 0, 0}, address = 1 '\001',
..
0}, bufsize = 0, bufsize_max = 0, hc_max_frame_size = 0, hc_max_packet_size = 0, hc_max_packet_count = 0 '\000', speed = USB_SPEED_VARIABLE, dma_tag_max = 0 '\000',
err = USB_ERR_NORMAL_COMPLETION}}}, data = "Intel XHCI root HUB, class 9/0, rev 3.00/1.00, addr 1", '\000' <repeats 201 times>}}
(kgdb) p/x *(device_t *)0xfffff80001595588
$7 = 0x0
(kgdb) p *(char *)0xfffff800015955b8
$8 = 0 '\000'
#20 0xffffffff8094d24c in usb_free_device (udev=udev@entry=0xfffff800018b7000, flag=<optimized out>)
(kgdb) p/x *(struct usb_device *)0xfffff800018b7000
$1 = ..
(kgdb) p/x *$1->parent_dev
$2 = {ops = 0xfffff800016e4000, link = {tqe_next = 0x0, tqe_prev = 0xfffff80001b63b30}, devlink = {tqe_next = 0xfffff80001b64200, tqe_prev = 0xfffff80001b64c18}, parent = 0xfffff80001b63b00, children = {tqh_first = 0x0, tqh_last = 0xfffff80001b64a30}, driver = 0xffffffff818952b8, devclass = 0xfffff8000170d680, unit = 0x0, nameunit = 0xfffff80001b87f30, desc = 0x0, busy = 0x0, state = 0x1e, devflags = 0x0, flags = 0x407, order = 0x0, ivars = 0xfffffe01051e0428, softc = 0x0, props = {lh_first = 0x0}, sysctl_ctx = {tqh_first = 0xfffff800018ac3a0, tqh_last = 0xfffff800018ac4c8}, sysctl_tree = 0xfffff80001b7f900}
(kgdb) p (char *)$2->nameunit
$6 = 0xfffff80001b87f30 "usbus0"
(kgdb) p *(char *)$2->devclass
$7 = 0 '\000'
(kgdb) p/x *(device_t)$2->parent
$8 = {ops = 0xfffff800016e3000, link = {tqe_next = 0xfffff80001b63a00, tqe_prev = 0xfffff80001b63c08}, devlink = {tqe_next = 0xfffff80001b63a00, tqe_prev = 0xfffff80001b63c18}, parent = 0xfffff80001b62100, children = {tqh_first = 0xfffff80001b64a00, tqh_last = 0xfffff80001b64a08}, driver = 0xffffffff81894d08, devclass = 0xfffff8000170d700, unit = 0x0, nameunit = 0xfffff80001b49140, desc = 0xffffffff81246094, busy = 0x0, state = 0x1e, devflags = 0x0, flags = 0x405, order = 0x0, ivars = 0xfffff80001b6f780, softc = 0xfffffe010505c000, props = {lh_first = 0x0}, sysctl_ctx = {tqh_first = 0xfffff800030a1880, tqh_last = 0xfffff800018ac668}, sysctl_tree = 0xfffff80001b50080}
(kgdb) p (char *)$8->nameunit
$10 = 0xfffff80001b49140 "xhci0"
> Warner
>
> On Sat, May 10, 2025 at 1:36 PM Bjoern A. Zeeb
> <bzeeb-lists@lists.zabbadoz.net> wrote:
>>
>> Hi,
>>
>> hit this twice when switching an XHCI from ppt0 back to xhci (or vice
>> versa ?) on a previous kernel (sorry I hit 4 other panics and I don't
>> have more details anymore). That kernel may have been 3-4 weeks old,
>> so may be fixed by now?
>>
>> Fatal trap 9: general protection fault while in kernel mode
>> cpuid = 0; apic id = 00
>> instruction pointer = 0x20:0xffffffff80b8d519
>> stack pointer = 0x28:0xfffffe01047d4c80
>> frame pointer = 0x28:0xfffffe01047d4dc0
>> code segment = base 0x0, limit 0xfffff, type 0x1b
>> = DPL 0, pres 1, long 1, def32 0, gran 1
>> processor eflags = interrupt enabled, resume, IOPL = 0
>> current process = 15 (usbus0)
>> rdi: fffffe01047d4c88 rsi: ffffffff80ba9460 rdx: fffffe01047d4d18
>> rcx: 0000000000200000 r8: 0000000000000001 r9: 8080808080808080
>> rax: 7373616c63627573 rbx: ffffffff81231211 rbp: fffffe01047d4dc0
>> r10: fffff8000159d110 r11: ffffcfd1ced1cfd0 r12: fffff80001595580
>> r13: 0000000000000000 r14: fffff8000158e700 r15: fffffe01047d4c88
>> trap number = 9
>> panic: general protection fault
>> cpuid = 0
>> time = 1746609904
>> KDB: stack backtrace:
>> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01047d4a00
>> vpanic() at vpanic+0x136/frame 0xfffffe01047d4b30
>> panic() at panic+0x43/frame 0xfffffe01047d4b90
>> trap_fatal() at trap_fatal+0x68/frame 0xfffffe01047d4bb0
>> calltrap() at calltrap+0x8/frame 0xfffffe01047d4bb0
>> --- trap 0x9, rip = 0xffffffff80b8d519, rsp = 0xfffffe01047d4c80, rbp = 0xfffffe01047d4dc0 ---
>> device_printf() at device_printf+0x89/frame 0xfffffe01047d4dc0
>> usb_detach_device() at usb_detach_device+0xd3/frame 0xfffffe01047d4e00
>> usb_unconfigure() at usb_unconfigure+0x83/frame 0xfffffe01047d4e40
>> usb_free_device() at usb_free_device+0x15c/frame 0xfffffe01047d4e80
>> usb_bus_detach() at usb_bus_detach+0x6e/frame 0xfffffe01047d4eb0
>> usb_process() at usb_process+0xc5/frame 0xfffffe01047d4ef0
>> fork_exit() at fork_exit+0x7b/frame 0xfffffe01047d4f30
>> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe01047d4f30
>> --- trap 0x3a8d224b, rip = 0x91722c9d5743a0fe, rsp = 0xc95674b90f67f8da, rbp = 0x84eb42daceb9d67e ---
>> KDB: enter: panic
>>
>>
>> --
>> Bjoern A. Zeeb r15:7
>>
>
--
Bjoern A. Zeeb r15:7
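
Added example, not part of the original message: every pointer field of the `device_t` at 0xfffff8000158e700 printed above is printable ASCII, and this Python sketch reassembles the bytes in struct order so the text occupying that memory can be read during crash triage. It assumes little-endian amd64, that kgdb's hex values are 8-byte pointers and its decimal values 4-byte ints, and natural alignment (padding bytes kgdb does not print show as `?`); the function names are made up for this example.

```python
import re

# Copied from the kgdb `p (*(device_t) 0xfffff8000158e700)` output in the message
# above, with the "<error: Cannot access memory ...>" annotations trimmed.
KGDB_DUMP = (
    "{ops = 0x6567753d6e656775, link = {tqe_next = 0x65646320312e306e, "
    "tqe_prev = 0x2e306e6567753d76}, devlink = {tqe_next = 0x726f646e65762031, "
    "tqe_prev = 0x203030303078303d}, parent = 0x3d746375646f7270, "
    "children = {tqh_first = 0x6420303030307830, tqh_last = 0x3d7373616c637665}, "
    "driver = 0x7665642039307830, devclass = 0x7373616c63627573, unit = 813183037, "
    "nameunit = 0x2022223d6d756e72, desc = 0x3d657361656c6572, busy = 825260080, "
    "state = 1830826032, devflags = 1030055023, flags = 1953722216, "
    "order = 1953392928, ivars = 0x646e6520303d6563, softc = 0x313d73746e696f70, "
    "props = {lh_first = 0x73616c63746e6920}, "
    "sysctl_ctx = {tqh_first = 0x6920393078303d73, tqh_last = 0x616c63627573746e}, "
    "sysctl_tree = 0x20303078303d7373}"
)

FIELD_RE = re.compile(r"(\w+) = (0x[0-9a-f]+|\d+)")

def parse_fields(dump):
    """Yield (name, value, size): hex is taken as 8-byte pointer, decimal as 4-byte int."""
    for name, tok in FIELD_RE.findall(dump):
        is_ptr = tok.startswith("0x")
        yield name, int(tok, 16 if is_ptr else 10), 8 if is_ptr else 4

def is_canonical(addr):
    """amd64 virtual addresses must have bits 63..47 all equal."""
    return (addr >> 47) in (0, 0x1FFFF)

def recover_text(dump, gap="?"):
    """Reassemble the struct's bytes in field order, padding to natural alignment."""
    out = bytearray()
    for _name, value, size in parse_fields(dump):
        out += gap.encode() * (-len(out) % size)  # padding bytes kgdb did not print
        out += value.to_bytes(size, "little")
    return out.decode("ascii", errors="replace")

def suspicious_pointers(dump):
    """Names of pointer fields that are non-canonical and entirely printable ASCII."""
    return [name for name, value, size in parse_fields(dump)
            if size == 8 and not is_canonical(value)
            and all(0x20 <= b <= 0x7E for b in value.to_bytes(8, "little"))]

if __name__ == "__main__":
    print(recover_text(KGDB_DUMP))
    print(suspicious_pointers(KGDB_DUMP))
```

The `devclass` field decodes to `subclass`, and its value 0x7373616c63627573 is the same one in `rax` in the trap frame; it is a non-canonical address, so dereferencing it raises a general protection fault (trap 9) rather than a page fault.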