Bug 286045 - [iicbus] panic page fault on start by devd in L635: sc->intr_handler(sc->intr_ctx, sc->intr_buf, actual);
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 15.0-CURRENT
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords: crash
Depends on:
Blocks:
 
Reported: 2025-04-11 21:29 UTC by Dave Cottlehuber
Modified: 2025-04-29 13:22 UTC

See Also:


Attachments
full panicmail (5.53 KB, text/plain), 2025-04-11 21:30 UTC, Dave Cottlehuber
v1 (568 bytes, patch), 2025-04-11 21:40 UTC, Dave Cottlehuber
v2 (770 bytes, patch), 2025-04-11 23:37 UTC, Dave Cottlehuber
patch from ML (860 bytes, patch), 2025-04-27 15:41 UTC, Dave Cottlehuber

Description Dave Cottlehuber freebsd_committer freebsd_triage 2025-04-11 21:29:36 UTC
Started after March stabilisation week, 100% reproducible.

Dump header from device: /dev/gpt/swap0
  Architecture: amd64
  Architecture Version: 2
  Dump Length: 819712000
  Blocksize: 512
  Compression: none
  Dumptime: 2025-04-10 07:00:54 +0000
  Hostname: akai.skunkwerks.at
  Magic: FreeBSD Kernel Dump
  Version String: FreeBSD 15.0-CURRENT #0 main-n276338-98ea3178e54d: Wed Apr  9 15:34:34 UTC 2025
    root@picard:/usr/obj/usr/src/amd64.amd64/sys/GENERIC
  Panic String: page fault
  Dump Parity: 4113817190
  Bounds: 0
  Dump Status: good

## dmesg

Starting devd.
iwmbtfw: iwmbt_fw_read: open: /usr/local/share/iwmbt-firmware/ibt-12-16.sfi: No such file or directory
iwmbtfw: main: Firmware download failed!
Autoloading module: ng_ubt
Autoloading module: iichid
iichid0: <DLL075B:00 06CB:76AF I2C HID device> at addr 0x2c irq 51 on iicbus1
hidbus0: <HID bus> on iichid0


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 02
fault virtual address   = 0x0
fault code              = supervisor read instruction, page not present
instruction pointer     = 0x20:0x0
stack pointer           = 0x28:0xfffffe00d89c7e38
frame pointer           = 0x28:0xfffffe00d89c7e60
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 12 (irq51: iichid0)
rdi: 0000000000000000 rsi: fffff800432a8080 rdx: 000000000000003e
rcx: 0000000000000700  r8: 0000000000000000  r9: 0000000000000100
rax: 0000000000000001 rbx: fffff800015a2400 rbp: fffffe00d89c7e60
r10: 0000000000000000 r11: 000000000000003e r12: fffff80001462200
r13: fffff80039803580 r14: fffff800019b5d00 r15: fffff8000d436000
trap number             = 12
panic: page fault
cpuid = 1
time = 1744268454
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00d89c7b60
vpanic() at vpanic+0x136/frame 0xfffffe00d89c7c90
panic() at panic+0x43/frame 0xfffffe00d89c7cf0
trap_pfault() at trap_pfault+0x48e/frame 0xfffffe00d89c7d60
calltrap() at calltrap+0x8/frame 0xfffffe00d89c7d60
--- trap 0xc, rip = 0, rsp = 0xfffffe00d89c7e38, rbp = 0xfffffe00d89c7e60 ---
??() at 0/frame 0xfffffe00d89c7e60
ithread_loop() at ithread_loop+0x266/frame 0xfffffe00d89c7ef0
fork_exit() at fork_exit+0x82/frame 0xfffffe00d89c7f30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00d89c7f30
--- trap 0xc, rip = 0x4b7fe22a61a, rsp = 0x4b813c6cf48, rbp = 0x4b813c6cf60 ---
KDB: enter: panic

## backtrace

Reading symbols from /boot/kernel/iichid.ko...
Reading symbols from /usr/lib/debug//boot/kernel/iichid.ko.debug...
__curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
(kgdb) #0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=textdump@entry=0)
    at /usr/src/sys/kern/kern_shutdown.c:404
#2  0xffffffff804a44fa in db_dump (dummy=<optimized out>,
    dummy2=<optimized out>, dummy3=<optimized out>, dummy4=<optimized out>)
    at /usr/src/sys/ddb/db_command.c:596
#3  0xffffffff804a42ed in db_command (last_cmdp=<optimized out>,
    cmd_table=<optimized out>, dopager=true)
    at /usr/src/sys/ddb/db_command.c:508
#4  0xffffffff804a3fad in db_command_loop ()
    at /usr/src/sys/ddb/db_command.c:555
#5  0xffffffff804a7986 in db_trap (type=<optimized out>, code=<optimized out>)
    at /usr/src/sys/ddb/db_main.c:267
#6  0xffffffff80ba89ef in kdb_trap (type=type@entry=3, code=code@entry=0,
    tf=tf@entry=0xfffffe00d89c7aa0) at /usr/src/sys/kern/subr_kdb.c:790
#7  0xffffffff8109656c in trap (frame=<optimized out>)
    at /usr/src/sys/amd64/amd64/trap.c:617
#8  <signal handler called>
#9  kdb_enter (why=<optimized out>, msg=<optimized out>)
    at /usr/src/sys/kern/subr_kdb.c:556
#10 0xffffffff80b5880b in vpanic (fmt=0xffffffff8120b2c1 "%s",
    ap=ap@entry=0xfffffe00d89c7cd0) at /usr/src/sys/kern/kern_shutdown.c:967
#11 0xffffffff80b58673 in panic (
    fmt=0xffffffff81b9c3a0 <cnputs_mtx> "\306o\027\201\377\377\377\377")
    at /usr/src/sys/kern/kern_shutdown.c:892
#12 0xffffffff8109706e in trap_fatal (frame=<optimized out>,
    eva=<optimized out>) at /usr/src/sys/amd64/amd64/trap.c:974
#13 0xffffffff8109706e in trap_pfault (frame=0xfffffe00d89c7d70,
    usermode=false, signo=<optimized out>, ucode=<optimized out>)
#14 <signal handler called>
#15 0x0000000000000000 in ?? ()
#16 0xffffffff83ae2812 in iichid_intr (context=0xfffff800015a2400)
    at /usr/src/sys/dev/iicbus/iichid.c:635
#17 0xffffffff80b0e896 in intr_event_execute_handlers (ie=0xfffff80001462200,
    p=<optimized out>) at /usr/src/sys/kern/kern_intr.c:1191
#18 ithread_execute_handlers (ie=0xfffff80001462200, p=<optimized out>)
    at /usr/src/sys/kern/kern_intr.c:1204
#19 ithread_loop (arg=arg@entry=0xfffff800015857c0)
    at /usr/src/sys/kern/kern_intr.c:1297
#20 0xffffffff80b0ac12 in fork_exit (
    callout=0xffffffff80b0e630 <ithread_loop>, arg=0xfffff800015857c0,
    frame=0xfffffe00d89c7f40) at /usr/src/sys/kern/kern_fork.c:1152
#21 <signal handler called>
#22 0x000004b7fe22a61a in ?? ()
Backtrace stopped: Cannot access memory at address 0x4b813c6cf48
(kgdb)


	THREAD_SLEEPING_OK();
	error = iichid_cmd_read(sc, sc->intr_buf, sc->intr_bufsize, &actual);
	THREAD_NO_SLEEPING();
	if (error == 0) {
		if (sc->power_on) {
			if (actual != 0)
L#635				sc->intr_handler(sc->intr_ctx, sc->intr_buf,
				    actual);
			else
				DPRINTF(sc, "no data received\n");
		}
	} else
		DPRINTF(sc, "read error occurred: %d\n", error);

	iicbus_release_bus(parent, sc->dev);
}
Comment 1 Dave Cottlehuber freebsd_committer freebsd_triage 2025-04-11 21:30:26 UTC
Created attachment 259478
full panicmail
Comment 2 Dave Cottlehuber freebsd_committer freebsd_triage 2025-04-11 21:40:56 UTC
Created attachment 259479
v1

will try this attached patch first.
Comment 3 Dave Cottlehuber freebsd_committer freebsd_triage 2025-04-11 23:37:17 UTC
Created attachment 259480
v2

thanks Darius for the suggestion
Comment 4 Vladimir Kondratyev freebsd_committer freebsd_triage 2025-04-26 16:10:06 UTC
I think it is a regression from daa098cc37b9

Test this patch:

diff --git a/sys/dev/iicbus/iichid.c b/sys/dev/iicbus/iichid.c
index eeabf817616..d82beb52d58 100644
--- a/sys/dev/iicbus/iichid.c
+++ b/sys/dev/iicbus/iichid.c
@@ -630,7 +630,7 @@ iichid_intr(void *context)
 	error = iichid_cmd_read(sc, sc->intr_buf, sc->intr_bufsize, &actual);
 	THREAD_NO_SLEEPING();
 	if (error == 0) {
-		if (sc->power_on) {
+		if (sc->power_on && sc->open) {
 			if (actual != 0)
 				sc->intr_handler(sc->intr_ctx, sc->intr_buf,
 				    actual);
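Review bot: the panic in the report is a call through a NULL function pointer (rip = 0, fault address 0x0, frame #15 entered from iichid.c:635), so the real precondition for this call is "sc->intr_handler has been installed", and the new `if (sc->power_on && sc->open)` only guarantees that if `open` can never become true before the handler is set; nothing in the hunk enforces or documents that ordering. Consider either checking `sc->intr_handler != NULL` here as well, or adding a one-line comment at the condition stating that `open` is set only after hidbus has installed the handler. The `!sc->open` case also drops the packet silently; a DPRINTF there, like the existing "no data received" branch, would make the next report of lost early reports easier to diagnose.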
Comment 5 Dave Cottlehuber freebsd_committer freebsd_triage 2025-04-27 15:41:25 UTC
Created attachment 259919
patch from ML

improved / actual fix from wulf@
Comment 6 commit-hook freebsd_committer freebsd_triage 2025-04-28 21:40:25 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2abdb305bd0c105226f6a71a8d3dc89698c9ef6b

commit 2abdb305bd0c105226f6a71a8d3dc89698c9ef6b
Author:     Vladimir Kondratyev <wulf@FreeBSD.org>
AuthorDate: 2025-04-28 21:39:28 +0000
Commit:     Vladimir Kondratyev <wulf@FreeBSD.org>
CommitDate: 2025-04-28 21:39:28 +0000

    iichid(4): Do not send packets read in interrupt handler to hidbus

    if no hidbus and hidbus clients were attached and opened by users.

    iichid(4) enables interrupts before hidbus is attached and sending
    packets to it at this time leads to panic at boot time.

    Fixes: daa098cc37b9 ("Wait for RESET command response while attaching")

    Tested by:      dch
    PR:             286045
    MFC with:       daa098cc37b9

 sys/dev/iicbus/iichid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
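As an added illustration (not FreeBSD code and not the committed fix itself): a small C model of the boot-time ordering the commit message describes. The softc fields and the attach/open steps are hypothetical stand-ins named after the hunk; an interrupt that fires between driver attach and hidbus open reaches the unset handler pointer under the pre-fix condition and is dropped under the `power_on && open` guard.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for the iichid(4) softc; field names follow the hunk. */
struct softc {
    bool power_on;                                  /* set during driver attach */
    bool open;                                      /* set when a hidbus client opens the device */
    void (*intr_handler)(void *, const uint8_t *, size_t);  /* installed by the hidbus client */
    void *intr_ctx;
};

enum disp { DISP_DELIVERED = 0, DISP_DROPPED = 1, DISP_NULL_CALL = -1 };

/* Tail of the interrupt path after a read of `actual` bytes. guarded == false is the pre-fix
 * condition (power_on only), guarded == true the patched one. A NULL handler is reported
 * rather than called: calling it is exactly the rip = 0 panic from the report. */
static enum disp intr_dispatch(struct softc *sc, const uint8_t *buf, size_t actual, bool guarded)
{
    bool ok = guarded ? (sc->power_on && sc->open) : sc->power_on;
    if (!ok || actual == 0)
        return DISP_DROPPED;
    if (sc->intr_handler == NULL)
        return DISP_NULL_CALL;
    sc->intr_handler(sc->intr_ctx, buf, actual);
    return DISP_DELIVERED;
}

/* Client side: count delivered reports; attach installs the handler, open sets the flag. */
static size_t packets_seen;
static void client_handler(void *ctx, const uint8_t *buf, size_t len)
{ (void)ctx; (void)buf; if (len != 0) packets_seen++; }
static void driver_attach(struct softc *sc) { sc->power_on = true; /* irq is live from here */ }
static void client_attach(struct softc *sc) { sc->intr_handler = client_handler; sc->intr_ctx = sc; }
static void client_open(struct softc *sc)   { sc->open = true; }

/* Boot sequence from the commit message: one interrupt before the client attaches, two after open. */
static int simulate(bool guarded, enum disp out[3])
{
    static const uint8_t pkt[4] = { 0x3e, 0x00, 0x01, 0x02 };   /* constructed sample report */
    struct softc sc = { 0 };
    packets_seen = 0;
    driver_attach(&sc);
    out[0] = intr_dispatch(&sc, pkt, sizeof pkt, guarded);      /* early interrupt */
    client_attach(&sc);
    client_open(&sc);
    out[1] = intr_dispatch(&sc, pkt, sizeof pkt, guarded);      /* after open */
    out[2] = intr_dispatch(&sc, pkt, 0, guarded);               /* empty read */
    return (int)packets_seen;                                    /* reports delivered */
}
```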