This is not reliably triggerable, but occasionally happens when unplugging mouse. The kernel is a regular GENERIC kernel with INVARIANTS, etc. enabled. This particular crashdump was captured with -CURRENT as of r360001. Fatal trap 12: page fault while in kernel mode cpuid = 1; apic id = 01 fault virtual address = 0xffffffffffffffff fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff8064a1b9 stack pointer = 0x28:0xfffffe003ce98840 frame pointer = 0x28:0xfffffe003ce98850 code segment = base rx0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 17 (usbus0) trap number = 12 Dumping 3413 out of 32439 MB:..1%..11%..21%..31%..41%..51%..61%..71%..81%..91% No symbol "zombproc" in current context. Backtrace: #0 doadump (textdump=0) at src/sys/amd64/include/pcpu_aux.h:55 55 __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (offsetof(struct pcpu, (kgdb) #0 doadump (textdump=0) at src/sys/amd64/include/pcpu_aux.h:55 #1 0xffffffff84e5ea51 in vt_kms_postswitch (arg=0xfffff800039bad40) at /p51/home/delphij/kms-drm/drivers/gpu/drm/linux_fb.c:89 #2 0xffffffff80a2d7c2 in vt_window_switch (vw=0xffffffff818e5b58) at /usr/src/sys/dev/vt/vt_core.c:603 #3 0xffffffff80a2ad3f in vtterm_cngrab (tm=<value optimized out>) at /usr/src/sys/dev/vt/vt_core.c:1612 #4 0xffffffff80b5cac6 in cngrab () at /usr/src/sys/kern/kern_cons.c:397 #5 0xffffffff80bc0d4c in vpanic (fmt=0xffffffff8111d06c "%s", ap=0xfffffe003ce98580) at /usr/src/sys/kern/kern_shutdown.c:887 #6 0xffffffff80bc0b93 in panic (fmt=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:839 #7 0xffffffff81065277 in trap_fatal (frame=<value optimized out>, eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:919 #8 0xffffffff81065319 in trap_pfault (frame=0xfffffe003ce98780, usermode=<value optimized out>, signo=<value optimized out>, ucode=<value optimized out>) at src/sys/amd64/include/pcpu_aux.h:55 #9 0xffffffff81064915 in trap (frame=0xfffffe003ce98780) at /usr/src/sys/amd64/amd64/trap.c:400 #10 0xffffffff8103abe8 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:289 #11 0xffffffff8064a1b9 in evdev_revoke_client (client=0xffffffffffffffff) at /usr/src/sys/dev/evdev/cdev.c:718 #12 0xffffffff8064b948 in evdev_unregister (evdev=0xfffff8000f929c00) at /usr/src/sys/dev/evdev/evdev.c:372 #13 0xffffffff8064b8bc in evdev_free (evdev=0xfffff8000f929c00) at /usr/src/sys/dev/evdev/evdev.c:110 #14 0xffffffff84ee4d33 in ums_detach (self=<value optimized out>) at /usr/src/sys/dev/usb/input/ums.c:779 #15 0xffffffff80bf876e in device_detach (dev=0xfffff80006b28b00) at device_if.h:234 #16 0xffffffff80bf8445 in device_delete_child (dev=0xfffff80006a67b00, child=0xfffff80006b28b00) at /usr/src/sys/kern/subr_bus.c:1979 #17 0xffffffff809ef8cf in usb_detach_device (udev=0xfffff8000f8b9000, iface_index=<value optimized out>) at /usr/src/sys/dev/usb/usb_device.c:1240 #18 0xffffffff809ee8f4 in usb_unconfigure (udev=0xfffff8000f8b9000, flag=2 '\002') at /usr/src/sys/dev/usb/usb_device.c:627 #19 0xffffffff809f1efe in usb_free_device (udev=0xfffff8000f8b9000) at /usr/src/sys/dev/usb/usb_device.c:2303 #20 0xffffffff809f9bed in uhub_explore (udev=<value optimized out>) at /usr/src/sys/dev/usb/usb_hub.c:631 #21 0xffffffff809e3807 in usb_bus_explore (pm=<value optimized out>) at /usr/src/sys/dev/usb/controller/usb_controller.c:414 #22 0xffffffff809ff213 in usb_process (arg=0xfffffe003d19c538) at /usr/src/sys/dev/usb/usb_process.c:179 #23 0xffffffff80b7e3c0 in fork_exit (callout=0xffffffff809ff110 <usb_process>, arg=0xfffffe003d19c538, frame=0xfffffe003ce98b00) at /usr/src/sys/kern/kern_fork.c:1051 #24 0xffffffff8103bc2e in fork_trampoline () at /usr/src/sys/amd64/amd64/exception.S:1080 #25 0x0000000000000000 in ?? ()
Actually the bug was pretty obvious. https://reviews.freebsd.org/D24500
A commit references this bug: Author: delphij Date: Sun Apr 19 17:28:43 UTC 2020 New revision: 360104 URL: https://svnweb.freebsd.org/changeset/base/360104 Log: Use LIST_FOREACH_SAFE instead of LIST_FOREACH as we are removing elements in the middle. This fixes a panic when detaching USB mouse. PR: 245732 Reviewed by: wulf MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D24500 Changes: head/sys/dev/evdev/evdev.c
This should be merged to both stable branches. Note that the panic do NOT necessarily affect these branches as we don't build INVARIANTS kernel by default (see explanation in the review), but it's still worth fixing.
A commit references this bug: Author: delphij Date: Wed Apr 22 05:08:42 UTC 2020 New revision: 360184 URL: https://svnweb.freebsd.org/changeset/base/360184 Log: MFC r360104: Use LIST_FOREACH_SAFE instead of LIST_FOREACH as we are removing elements in the middle. This fixes a panic when detaching USB mouse. PR: 245732 Reviewed by: wulf Changes: _U stable/12/ stable/12/sys/dev/evdev/evdev.c
A commit references this bug: Author: delphij Date: Wed Apr 22 05:14:53 UTC 2020 New revision: 360185 URL: https://svnweb.freebsd.org/changeset/base/360185 Log: MFC r360104: Use LIST_FOREACH_SAFE instead of LIST_FOREACH as we are removing elements in the middle. This fixes a panic when detaching USB mouse. PR: 245732 Reviewed by: wulf Changes: _U stable/11/ stable/11/sys/dev/evdev/evdev.c