kern/183835: Kernel panic with VIMAGE on insertion of axe USB network interface

Sun Feb 16 10:20:01 UTC 2014

The following reply was made to PR kern/183835; it has been noted by GNATS.

From: =?ISO-2022-JP?B?SGlyb28gT25vICgbJEI+LkxuGyhCIBskQjQyQDgbKEIp?= <hiroo.ono at gmail.com>
To: bug-followup at FreeBSD.org, elakin at infohell.net
Cc:  
Subject: kern/183835: Kernel panic with VIMAGE on insertion of axe USB network interface
Date: Sun, 16 Feb 2014 19:10:16 +0900

 --bcaec51d2eb8e55f9804f2833e21
 Content-Type: text/plain; charset=ISO-8859-1

 Hello,

 Attached patch to sys/dev/usb/usb_ethernet.c should solve the problem
 of VIMAGE and USB ether.
 The problem occur when ue_attach_post_task() (in
 sys/dev/usb/net/usb_ethernet.c) is called.

 ue_attach_post_task() calls if_alloc() (in sys/net/if.c) and
 ether_attach() (in sys/net/if_ethersubr.c), which
 finally refer V_if_index. The backtrace is as follows.

 Fatal trap 12: page fault while in kernel mode
 cpuid = 1; apic id = 01
 fault virtual address	= 0x18
 fault code		= supervisor read, page not present
 instruction pointer	= 0x20:0xc0b8eae1
 stack pointer	        = 0x28:0xe8fafc18
 frame pointer	        = 0x28:0xe8fafc3c
 code segment		= base 0x0, limit 0xfffff, type 0x1b
 			= DPL 0, pres 1, def32 1, gran 1
 processor eflags	= interrupt enabled, resume, IOPL = 0
 current process		= 15 (axe0)
 Uptime: 2m53s
 Physical memory: 991 MB
 Dumping 64 MB: 49 33 17 1

 Reading symbols from /boot/kernel/if_axe.ko.symbols...done.
 Loaded symbols for /boot/kernel/if_axe.ko.symbols
 Reading symbols from /boot/kernel/uether.ko.symbols...done.
 Loaded symbols for /boot/kernel/uether.ko.symbols
 #0  doadump (textdump=1) at pcpu.h:233
 	in pcpu.h
 (kgdb) bt
 #0  doadump (textdump=1) at pcpu.h:233
 #1  0xc0aca740 in kern_reboot (howto=260)
     at /usr/src/sys/kern/kern_shutdown.c:447
 #2  0xc0acab1f in panic (fmt=<value optimized out>)
     at /usr/src/sys/kern/kern_shutdown.c:754
 #3  0xc0524225 in db_panic (addr=-1061623071, have_addr=0, count=-1,
     modif=0xe8faf894 "") at /usr/src/sys/ddb/db_command.c:482
 #4  0xc0523e57 in db_command (cmd_table=<value optimized out>)
     at /usr/src/sys/ddb/db_command.c:449
 #5  0xc0523b70 in db_command_loop () at /usr/src/sys/ddb/db_command.c:502
 #6  0xc05263b0 in db_trap (type=<value optimized out>, code=744908288)
     at /usr/src/sys/ddb/db_main.c:231
 #7  0xc0b05738 in kdb_trap (type=<value optimized out>,
     code=<value optimized out>, tf=<value optimized out>)
     at /usr/src/sys/kern/subr_kdb.c:656
 #8  0xc0fc11ba in trap_fatal (frame=0xe8fafbd8, eva=24)
     at /usr/src/sys/i386/i386/trap.c:1038
 #9  0xc0fc152d in trap_pfault (frame=0x0, usermode=<value optimized out>,
     eva=0) at /usr/src/sys/i386/i386/trap.c:859
 #10 0xc0fc0b09 in trap (frame=0xe8fafbd8) at /usr/src/sys/i386/i386/trap.c:556
 #11 0xc0faa62c in calltrap () at /usr/src/sys/i386/i386/exception.s:170
 #12 0xc0b8eae1 in if_alloc (type=<value optimized out>)
     at /usr/src/sys/net/if.c:280
 #13 0xc64b614e in ue_attach_post_task (_task=0xc5d1faac)
     at /usr/src/sys/modules/usb/uether/../../../dev/usb/net/usb_ethernet.c:210
 #14 0xc095d1c1 in usb_process (arg=0xc5d1fa20)
     at /usr/src/sys/dev/usb/usb_process.c:177
 #15 0xc0a984b3 in fork_exit (callout=0xc095d090 <usb_process>)
     at /usr/src/sys/kern/kern_fork.c:995
 #16 0xc0faa6d4 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:279

 The problem is that curvnet is NULL when ue_attach_post_task()
 is invoked, and with VIMAGE, V_if_index is defined to
 	VNET(if_index)	=> VNET_VNET(curvnet, if_index)
 			=> (*VNET_VNET_PTR((curvnet), if_index))
 			=> (*_VNET_PTR((curvnet)->vnet_data_base, if_index))
 	and so on.

 For device attachment, the following code device_probe_and_attach()
 (in kern/subr_bus.c)

 	CURVNET_SET_QUIET(vnet0);
 	error = device_attach(dev);
 	CURVNET_RESTORE();

 should assign curvnet to vnet0, but it is not the case for ue device.
 As an example of USB ethernet device, with if_axe, device_attach(dev)
 is axe_attach() (in sys/dev/usb/net/if_axe.c).
 axe_attach() calls uether_ifattach() (in sys/dev/usb/net/usb_ethernet.c)
 (other USB ethernet devices' *_attach() also calls this function),
 which *queues* (not calls) ue_attach_post_task.
 As ue_attach_post_task is called from usb_process (not from uther_ifattach),
 it is not assured that curvnet is properly assigned.

 --bcaec51d2eb8e55f9804f2833e21
 Content-Type: text/plain; charset=US-ASCII; name="usb_ethernet.c.diff"
 Content-Disposition: attachment; filename="usb_ethernet.c.diff"
 Content-Transfer-Encoding: base64
 X-Attachment-Id: f_hrq5ia9d0

 LS0tIHVzYl9ldGhlcm5ldC5jLm9yaWcJMjAxNC0wMi0xNiAyMDowODozMi4wMDAwMDAwMDAgKzA5
 MDAKKysrIHVzYl9ldGhlcm5ldC5jCTIwMTQtMDItMTYgMjA6MTM6MjcuMDAwMDAwMDAwICswOTAw
 CkBAIC00Nyw2ICs0Nyw3IEBACiAjaW5jbHVkZSA8bmV0L2lmX3R5cGVzLmg+CiAjaW5jbHVkZSA8
 bmV0L2lmX21lZGlhLmg+CiAjaW5jbHVkZSA8bmV0L2lmX3ZsYW5fdmFyLmg+CisjaW5jbHVkZSA8
 bmV0L3ZuZXQuaD4KIAogI2luY2x1ZGUgPGRldi9taWkvbWlpLmg+CiAjaW5jbHVkZSA8ZGV2L21p
 aS9taWl2YXIuaD4KQEAgLTIwNiw2ICsyMDcsNyBAQAogCXVzYl9jYWxsb3V0X2luaXRfbXR4KCZ1
 ZS0+dWVfd2F0Y2hkb2csIHVlLT51ZV9tdHgsIDApOwogCXN5c2N0bF9jdHhfaW5pdCgmdWUtPnVl
 X3N5c2N0bF9jdHgpOwogCisJQ1VSVk5FVF9TRVRfUVVJRVQodm5ldDApOwogCWVycm9yID0gMDsK
 IAlpZnAgPSBpZl9hbGxvYyhJRlRfRVRIRVIpOwogCWlmIChpZnAgPT0gTlVMTCkgewpAQCAtMjUz
 LDYgKzI1NSw4IEBACiAJaWYgKGlmcC0+aWZfY2FwYWJpbGl0aWVzICYgSUZDQVBfVkxBTl9NVFUp
 CiAJCWlmcC0+aWZfaGRybGVuID0gc2l6ZW9mKHN0cnVjdCBldGhlcl92bGFuX2hlYWRlcik7CiAK
 KwlDVVJWTkVUX1JFU1RPUkUoKTsKKwogCXNucHJpbnRmKG51bSwgc2l6ZW9mKG51bSksICIldSIs
 IHVlLT51ZV91bml0KTsKIAl1ZS0+dWVfc3lzY3RsX29pZCA9IFNZU0NUTF9BRERfTk9ERSgmdWUt
 PnVlX3N5c2N0bF9jdHgsCiAJICAgICZTWVNDVExfTk9ERV9DSElMRFJFTihfbmV0LCB1ZSksCg==
 --bcaec51d2eb8e55f9804f2833e21--