evdev-induced panic (devfs / destroy_dev race?)
Date: Thu, 23 Oct 2025 12:41:48 UTC
Hi,
Not sure if anyone else has noticed this, but I seem to have scared up an evdev panic:
Fatal trap 9: general protection fault while in kernel mode
cpuid = 1; apic id = 01
instruction pointer = 0x20:0xffffffff80b98b5b
stack pointer = 0x28:0xfffffe01a62b4b60
frame pointer = 0x28:0xfffffe01a62b4c00
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 7339 (moused)
rdi: fffff80001b55128 rsi: 0000000000000001 rdx: 0000000000000000
rcx: fffffe0186e5b570 r8: fffff80353686cd0 r9: fffffe01a62b5000
rax: fffff800027d7780 rbx: fffff80001b55128 rbp: fffffe01a62b4c00
r10: 0000000000002af8 r11: 000000000000298c r12: fffff80353686780
r13: deadc0dedeadc0c0 r14: 0000000000000001 r15: 0000000000000000
trap number = 9
panic: general protection fault
cpuid = 1
time = 1761098215
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01a62b48e0
vpanic() at vpanic+0x136/frame 0xfffffe01a62b4a10
panic() at panic+0x43/frame 0xfffffe01a62b4a70
trap_fatal() at trap_fatal+0x68/frame 0xfffffe01a62b4a90
calltrap() at calltrap+0x8/frame 0xfffffe01a62b4a90
--- trap 0x9, rip = 0xffffffff80b98b5b, rsp = 0xfffffe01a62b4b60, rbp = 0xfffffe01a62b4c00 ---
_sx_xlock_hard() at _sx_xlock_hard+0x18b/frame 0xfffffe01a62b4c00
_sx_xlock() at _sx_xlock+0xac/frame 0xfffffe01a62b4c40
evdev_dtor() at evdev_dtor+0x5c/frame 0xfffffe01a62b4c70
devfs_destroy_cdevpriv() at devfs_destroy_cdevpriv+0xab/frame 0xfffffe01a62b4c90
devfs_close_f() at devfs_close_f+0x63/frame 0xfffffe01a62b4cc0
_fdrop() at _fdrop+0x1a/frame 0xfffffe01a62b4ce0
closef() at closef+0x1e3/frame 0xfffffe01a62b4d70
closefp_impl() at closefp_impl+0x71/frame 0xfffffe01a62b4db0
closefp_hl() at closefp_hl+0x70/frame 0xfffffe01a62b4e00
amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01a62b4f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01a62b4f30
--- syscall (6, FreeBSD ELF64, close), rip = 0x2b5f166d5eaa, rsp = 0x2b5f133b49c8, rbp = 0x2b5f133b4ab0 ---
KDB: enter: panic
This was seemingly the result of removing my mouse's USB dongle. Presumably detach revoked the client and
woke it up, which then triggered the above close() from moused to race with destroy_dev() for invoking the
cdevpriv dtor.
I spent a few minutes thinking about it and didn't really come to a good idea of what the fix might be,
though I suspect there's nothing evdev can really do about it at the moment and we might need to somehow
coordinate this in destroy_dev().
Kyle Evans
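One way to triage a dump like the one above without a kernel debugger, as an added example that is not part of the report or of the FreeBSD tree: the register block and backtrace from the post are embedded as constructed input, and the script pulls out the faulting process and syscall, the frames between the trap marker and the syscall marker, and any register that still carries UMA's freed-memory trash word. On FreeBSD, uma_dbg.c fills freed items with the 32-bit word 0xdeadc0de on kernels built with the trash debugging options; the tolerance for a small struct offset added to a trashed pointer (JUNK_SLACK) and all function names here are my own assumptions. Run against this dump it reports r13 as poisoned, which is consistent with evdev_dtor touching memory that had already been freed by the time close() ran the cdevpriv destructor.

```python
import re

# Constructed sample: register dump and backtrace copied from the report above.
TRAP_DUMP = """\
current process = 7339 (moused)
rdi: fffff80001b55128 rsi: 0000000000000001 rdx: 0000000000000000
rcx: fffffe0186e5b570 r8: fffff80353686cd0 r9: fffffe01a62b5000
rax: fffff800027d7780 rbx: fffff80001b55128 rbp: fffffe01a62b4c00
r10: 0000000000002af8 r11: 000000000000298c r12: fffff80353686780
r13: deadc0dedeadc0c0 r14: 0000000000000001 r15: 0000000000000000
trap number = 9
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01a62b48e0
vpanic() at vpanic+0x136/frame 0xfffffe01a62b4a10
panic() at panic+0x43/frame 0xfffffe01a62b4a70
trap_fatal() at trap_fatal+0x68/frame 0xfffffe01a62b4a90
calltrap() at calltrap+0x8/frame 0xfffffe01a62b4a90
--- trap 0x9, rip = 0xffffffff80b98b5b, rsp = 0xfffffe01a62b4b60, rbp = 0xfffffe01a62b4c00 ---
_sx_xlock_hard() at _sx_xlock_hard+0x18b/frame 0xfffffe01a62b4c00
_sx_xlock() at _sx_xlock+0xac/frame 0xfffffe01a62b4c40
evdev_dtor() at evdev_dtor+0x5c/frame 0xfffffe01a62b4c70
devfs_destroy_cdevpriv() at devfs_destroy_cdevpriv+0xab/frame 0xfffffe01a62b4c90
devfs_close_f() at devfs_close_f+0x63/frame 0xfffffe01a62b4cc0
_fdrop() at _fdrop+0x1a/frame 0xfffffe01a62b4ce0
closef() at closef+0x1e3/frame 0xfffffe01a62b4d70
closefp_impl() at closefp_impl+0x71/frame 0xfffffe01a62b4db0
closefp_hl() at closefp_hl+0x70/frame 0xfffffe01a62b4e00
amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe01a62b4f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe01a62b4f30
--- syscall (6, FreeBSD ELF64, close), rip = 0x2b5f166d5eaa, rsp = 0x2b5f133b49c8, rbp = 0x2b5f133b4ab0 ---
KDB: enter: panic
"""

# FreeBSD's UMA debug code (uma_dbg.c) fills freed slab items with this
# 32-bit word on kernels built with the trash debugging options.
UMA_JUNK = 0xdeadc0de
# Assumption: allow a small struct-member offset applied to a trashed pointer.
JUNK_SLACK = 0x100

PROC_RE = re.compile(r'current process = (\d+) \((\w+)\)')
REG_RE = re.compile(r'\b(r[a-z0-9]+):\s*([0-9a-f]{16})\b')
FRAME_RE = re.compile(r'^(\w+)\(\) at (\w+)\+0x[0-9a-f]+/frame 0x[0-9a-f]+')
SYSCALL_RE = re.compile(r'^--- syscall \((\d+), [^,]+, (\w+)\)', re.M)


def parse_registers(text):
    """Return {name: int} for every 'rXX: <16 hex digits>' pair in the dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(text)}


def looks_like_uma_junk(value):
    """True if a 64-bit value is the UMA trash word, possibly plus a small offset."""
    high, low = value >> 32, value & 0xffffffff
    return high == UMA_JUNK and abs(low - UMA_JUNK) <= JUNK_SLACK


def poisoned_registers(regs):
    """Names of registers whose contents were read from already-freed UMA memory."""
    return sorted(name for name, value in regs.items() if looks_like_uma_junk(value))


def faulting_chain(text):
    """Frames between the '--- trap' marker and the next '---' marker, callee first."""
    frames, in_trap = [], False
    for line in text.splitlines():
        if line.startswith('--- trap'):
            in_trap = True
            continue
        if in_trap and line.startswith('---'):
            break
        if in_trap:
            m = FRAME_RE.match(line)
            if m:
                frames.append(m.group(1))
    return frames


def summarize(text):
    """Pull the facts a triager wants first out of a FreeBSD fatal-trap dump."""
    proc = PROC_RE.search(text)
    sc = SYSCALL_RE.search(text)
    chain = faulting_chain(text)
    regs = parse_registers(text)
    return {
        'pid': int(proc.group(1)) if proc else None,
        'process': proc.group(2) if proc else None,
        'syscall': sc.group(2) if sc else None,
        'faulting_function': chain[0] if chain else None,
        # First frame outside the generic sx lock code: the driver's own routine.
        'first_nonlock_frame': next((f for f in chain if not f.startswith('_sx_')), None),
        'poisoned_registers': poisoned_registers(regs),
    }


if __name__ == '__main__':
    for key, value in summarize(TRAP_DUMP).items():
        print(f'{key}: {value}')
```

The poison check is a heuristic: a register holding 0xdeadc0de-patterned data says the value came from freed memory, not which object was freed or by whom; that still has to come from the frames (here the driver-level frame is evdev_dtor, reached from close()).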