Bug 218252 - VIMAGE + ppp over uplcom or vboxnet = panic
Status: Closed DUPLICATE of bug 242406
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-virtualization (Nobody)
Keywords: vimage
Reported: 2017-03-31 09:31 UTC by bsd
Modified: 2020-06-08 16:43 UTC
Description bsd 2017-03-31 09:31:12 UTC
Unread portion of the kernel message buffer:
     Kernel page fault with the following non-sleepable locks held:
     exclusive sleep mutex uplcom (uplcom) r = 0 (0xfffff8002a5504c0) locked @ /usr/src/sys/dev/usb/usb_transfer.c:2264
     stack backtrace:
     #0 0xffffffff80584590 at witness_debugger+0x70
     #1 0xffffffff805858b7 at witness_warn+0x457
     #2 0xffffffff8082b7e7 at trap_pfault+0x57
     #3 0xffffffff8082b000 at trap+0x280
     #4 0xffffffff80812ab1 at calltrap+0x8
     #5 0xffffffff8243b630 at ng_iface_rcvdata+0x110
     #6 0xffffffff8242a756 at ng_apply_item+0x146
     #7 0xffffffff8242a3cf at ng_snd_item+0x37f
     #8 0xffffffff8244114d at ng_ppp_rcvdata+0x23d
     #9 0xffffffff8242a756 at ng_apply_item+0x146
     #10 0xffffffff8242a3cf at ng_snd_item+0x37f
     #11 0xffffffff8242a756 at ng_apply_item+0x146
     #12 0xffffffff8242a3cf at ng_snd_item+0x37f
     #13 0xffffffff8244d776 at nga_rcvdata+0x326
     #14 0xffffffff8242a756 at ng_apply_item+0x146
     #15 0xffffffff8242a3cf at ng_snd_item+0x37f
     #16 0xffffffff82448925 at ngt_rint_bypass+0x1a5
     #17 0xffffffff8176a18d at ucom_put_data+0x11d
     
     
     Fatal trap 12: page fault while in kernel mode
     cpuid = 1; apic id = 02
     fault virtual address   = 0x28
     fault code              = supervisor read data, page not present
     instruction pointer     = 0x20:0xffffffff8061f56c
     stack pointer           = 0x28:0xfffffe02f7e77370
     frame pointer           = 0x28:0xfffffe02f7e773c0
     code segment            = base rx0, limit 0xfffff, type 0x1b
                             = DPL 0, pres 1, long 1, def32 0, gran 1
     processor eflags        = interrupt enabled, resume, IOPL = 0
     current process         = 217 (usbus0)
     


(kgdb) fr 14
#14 0xffffffff8061f56c in netisr_dispatch_src (proto=1, source=0, m=0xfffff8035e803800) at /usr/src/sys/net/netisr.c:1098
1098            if (V_netisr_enable[proto] == 0) {
Current language:  auto; currently minimal
(kgdb) list
1093            npp = &netisr_proto[proto];
1094            KASSERT(npp->np_handler != NULL, ("%s: invalid proto %u", __func__,
1095                proto));
1096
1097    #ifdef VIMAGE
1098            if (V_netisr_enable[proto] == 0) {
1099                    m_freem(m);
1100                    return (ENOPROTOOPT);
1101            }
1102    #endif




     (kgdb) #0  doadump (textdump=0) at pcpu.h:232
     #1  0xffffffff8031e39c in db_fncall (dummy1=<value optimized out>, 
         dummy2=<value optimized out>, dummy3=<value optimized out>, 
         dummy4=<value optimized out>) at /usr/src/sys/ddb/db_command.c:581
     #2  0xffffffff8031df1f in db_command (cmd_table=<value optimized out>)
         at /usr/src/sys/ddb/db_command.c:453
     #3  0xffffffff80322858 in db_script_exec (scriptname=<value optimized out>, 
         warnifnotfound=<value optimized out>) at /usr/src/sys/ddb/db_script.c:302
     #4  0xffffffff8031df1f in db_command (cmd_table=<value optimized out>)
         at /usr/src/sys/ddb/db_command.c:453
     #5  0xffffffff80322858 in db_script_exec (scriptname=<value optimized out>, 
         warnifnotfound=<value optimized out>) at /usr/src/sys/ddb/db_script.c:302
     #6  0xffffffff8031df1f in db_command (cmd_table=<value optimized out>)
         at /usr/src/sys/ddb/db_command.c:453
     #7  0xffffffff8031dc94 in db_command_loop ()
         at /usr/src/sys/ddb/db_command.c:506
     #8  0xffffffff80320bbf in db_trap (type=<value optimized out>, 
         code=<value optimized out>) at /usr/src/sys/ddb/db_main.c:248
     #9  0xffffffff8056b893 in kdb_trap (type=<value optimized out>, 
         code=<value optimized out>, tf=<value optimized out>)
         at /usr/src/sys/kern/subr_kdb.c:654
     #10 0xffffffff8082b742 in trap_fatal (frame=0xfffffe02f7e772b0, eva=40)
         at /usr/src/sys/amd64/amd64/trap.c:796
     #11 0xffffffff8082b968 in trap_pfault (frame=0xfffffe02f7e772b0, usermode=0)
         at /usr/src/sys/amd64/amd64/trap.c:658
     #12 0xffffffff8082b000 in trap (frame=0xfffffe02f7e772b0)
         at /usr/src/sys/amd64/amd64/trap.c:421
     #13 0xffffffff80812ab1 in calltrap ()
         at /usr/src/sys/amd64/amd64/exception.S:236
     #14 0xffffffff8061f56c in netisr_dispatch_src (proto=1, source=0, 
         m=0xfffff8035e803800) at /usr/src/sys/net/netisr.c:1098
     #15 0xffffffff8243b630 in ng_iface_rcvdata (hook=<value optimized out>, 
         item=<value optimized out>) at /usr/src/sys/netgraph/ng_iface.c:710
     #16 0xffffffff8242a756 in ng_apply_item (node=0xfffff8003175d400, 
         item=0xfffff8027bc42080, rw=0) at /usr/src/sys/netgraph/ng_base.c:2403
     #17 0xffffffff8242a3cf in ng_snd_item (item=<value optimized out>, 
         flags=<value optimized out>) at /usr/src/sys/netgraph/ng_base.c:2320
     #18 0xffffffff8244114d in ng_ppp_rcvdata (hook=<value optimized out>, 
         item=0xfffff8027bc42080) at /usr/src/sys/netgraph/ng_ppp.c:1536
     #19 0xffffffff8242a756 in ng_apply_item (node=0xfffff802bb3fb600, 
         item=0xfffff8027bc42080, rw=0) at /usr/src/sys/netgraph/ng_base.c:2403
     #20 0xffffffff8242a3cf in ng_snd_item (item=<value optimized out>, 
         flags=<value optimized out>) at /usr/src/sys/netgraph/ng_base.c:2320
     #21 0xffffffff8242a756 in ng_apply_item (node=0xfffff80315019900, 
         item=0xfffff8027bc42080, rw=0) at /usr/src/sys/netgraph/ng_base.c:2403
     #22 0xffffffff8242a3cf in ng_snd_item (item=<value optimized out>, 
         flags=<value optimized out>) at /usr/src/sys/netgraph/ng_base.c:2320
     #23 0xffffffff8244d776 in nga_rcvdata (hook=<value optimized out>, 
         item=<value optimized out>) at /usr/src/sys/netgraph/ng_async.c:548
     #24 0xffffffff8242a756 in ng_apply_item (node=0xfffff80191980b00, 
         item=0xfffff8027bc42080, rw=1) at /usr/src/sys/netgraph/ng_base.c:2403
     #25 0xffffffff8242a3cf in ng_snd_item (item=<value optimized out>, 
         flags=<value optimized out>) at /usr/src/sys/netgraph/ng_base.c:2320
     #26 0xffffffff82448925 in ngt_rint_bypass (tp=<value optimized out>, 
         buf=0xfffff8002a024000, len=<value optimized out>)
         at /usr/src/sys/netgraph/ng_tty.c:446
     #27 0xffffffff8176a18d in ucom_put_data (sc=<value optimized out>, 
         pc=<value optimized out>, offset=0, len=<value optimized out>)
         at /usr/src/sys/dev/usb/serial/usb_serial.c:1476
     #28 0xffffffff8176595c in uplcom_read_callback (xfer=0xfffff8002a4ce278, 
         error=USB_ERR_NORMAL_COMPLETION)
         at /usr/src/sys/dev/usb/serial/uplcom.c:911
     #29 0xffffffff812fe67d in usbd_transfer_unsetup (pxfer=<value optimized out>, 
         n_setup=<value optimized out>) at /usr/src/sys/dev/usb/usb_transfer.c:1363
     #30 0xffffffff812ff80d in usbd_transfer_stop (xfer=0xfffff8002a4ce060)
         at /usr/src/sys/dev/usb/usb_transfer.c:1979
     #31 0xffffffff812fe81e in usbd_transfer_drain (xfer=0xfffff8002a4ce000)
         at /usr/src/sys/dev/usb/usb_transfer.c:2042
     #32 0xffffffff812f98b5 in usb_proc_drain (up=0xfffff8002a4ce088)
         at /usr/src/sys/dev/usb/usb_process.c:443
     #33 0xffffffff804f8d91 in fork_exit (callout=0xfffffe0007643520, 
         arg=0xfffffe0007643500, frame=0xffffffff812f97e0)
         at /usr/src/sys/kern/kern_fork.c:1038
     #34 0xffffffff80812fee in fork_trampoline ()
         at /usr/src/sys/amd64/amd64/exception.S:611
     #35 0x0000000000000000 in ?? ()
     Current language:  auto; currently minimal
     (kgdb)
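
Added example, not part of the original report or of FreeBSD's source: the faulting line reads a per-vnet (`V_`) variable, and the helper below shows which `struct vnet` member a fault address of 0x28 (`eva=40` in the trace) falls in when the vnet pointer itself is NULL. The struct layout is modeled on `sys/net/vnet.h` as an assumption, and `member_at_null_base` and `vnet_var_addr` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the head of struct vnet on amd64 (LP64). Assumption: field order
 * follows sys/net/vnet.h; LIST_ENTRY(vnet) is two pointers. */
struct vnet_model {
    void *le_next, **le_prev;                 /* LIST_ENTRY(vnet) vnet_le */
    unsigned vnet_magic_n, vnet_ifcnt, vnet_sockcnt, vnet_state;
    void *vnet_data_mem;
    uintptr_t vnet_data_base;                 /* read by every V_ access */
};

struct member { const char *name; size_t off, size; };
#define M(f) { #f, offsetof(struct vnet_model, f), sizeof(((struct vnet_model *)0)->f) }
static const struct member vnet_members[] = {
    M(le_next), M(le_prev), M(vnet_magic_n), M(vnet_ifcnt),
    M(vnet_sockcnt), M(vnet_state), M(vnet_data_mem), M(vnet_data_base),
};

/* Triage helper: assuming the struct pointer was NULL, name the member that
 * contains the faulting address. Returns NULL if the address lies past the
 * modeled struct (i.e. the NULL-base hypothesis does not fit). */
const char *member_at_null_base(uintptr_t fault_va)
{
    for (size_t i = 0; i < sizeof(vnet_members) / sizeof(vnet_members[0]); i++)
        if (fault_va >= vnet_members[i].off &&
            fault_va < vnet_members[i].off + vnet_members[i].size)
            return vnet_members[i].name;
    return NULL;
}

/* Hypothetical guarded lookup: compute a per-vnet variable's address only
 * when a vnet context is set, rather than dereferencing a NULL pointer.
 * Returns 0 on success, -1 when no context is available. */
int vnet_var_addr(const struct vnet_model *curvnet, uintptr_t var_off, uintptr_t *out)
{
    if (curvnet == NULL)
        return -1;               /* caller must set a context or drop the packet */
    *out = curvnet->vnet_data_base + var_off;
    return 0;
}

int main(void)
{
    const char *m = member_at_null_base(0x28);   /* fault address from the report */
    printf("0x28 with NULL base -> %s\n", m ? m : "(outside struct)");
    return 0;
}
```
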
Comment 1 bsd 2017-03-31 10:16:56 UTC
To reproduce:

1) Use mpd5 to create a serial sync link over a uplcom USB device
2) Ping or set up TCP to the other side
3) panic

OR
1) Load vboxnet
2) Run virtualbox or "vboxmanage list vms" or try to start ANY vm (not even using vboxnet)
3) panic
Comment 2 Bjoern A. Zeeb freebsd_committer 2017-04-04 15:38:40 UTC
vboxnet is not too unsurprising to me;  I am not expecting the kernel module to be vnet-aware (unless someone fixed it), so simply loading it and possibly getting the interface up, or triggering an ioctl, might be enough to panic the kernel.
External (from ports) kernel modules are a well known issue.

As to when it comes to the mpd case, can you say a bit more:

(1) at the time of running the recipe to reproduce, is it enough to do that just on the base system or are there jails/vnets running at that time?

(2) also are all USB bits compiled into the kernel for you or loaded as modules?  If the latter, could you try to see if compiling them into the kernel makes a difference?
Comment 3 bsd 2017-04-05 02:01:16 UTC
Thank you for the reply!

(1) Bare base system without any running jails is enough

(2) The entire USB subsystem is loaded as modules (sometimes it helps to "reboot" USB without a system reboot, but USB SX locks often prevent doing this successfully).
I will try to compile them into the kernel on a test machine.
Comment 4 Bjoern A. Zeeb freebsd_committer 2018-11-02 14:39:36 UTC
Hi,

is this still relevant on a recent HEAD or stable/12?
Comment 5 Mark Johnston freebsd_committer 2020-06-08 16:43:35 UTC
This is the same as bug 242406, for which I posted a patch.  If you are still interested in testing, please give that patch a try.  I am sorry that this bug has not been addressed sooner.

*** This bug has been marked as a duplicate of bug 242406 ***