ng_ubt fatal trap 12 on RELENG_9 and CURRENT

From: Matt Mullins <mokomull_at_gmail.com>
Date: Mon, 31 Oct 2011 01:22:40 -0700
I ran into a somewhat interesting snag while trying out FreeBSD 9 on
my laptop.  I built a kernel from the RELENG_9 branch, and get a
"fatal trap 12" during the initialization sequence.  For testing, I
rebuilt the same kernel from the CURRENT branch, with the same problem
-- this is the one that I'm debugging now.

The kernel was built with the following options in addition to the
generic config:
options         VIMAGE
device          epair
nooptions       GEOM_PART_EBR_COMPAT

The errors as retrieved from the core dump:
ubt0: <vendor 0x413c product 0x8140, class 224/1, rev 2.00/43.15, addr
2> on usbus0

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x28
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff8164475d
stack pointer           = 0x28:0xffffff80f7180970
frame pointer           = 0x28:0xffffff80f71809a0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 15 (usbus0)
trap number             = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff8086b45e at kdb_backtrace+0x5e
#1 0xffffffff80835da7 at panic+0x187
#2 0xffffffff80b2ccc0 at trap_fatal+0x290
#3 0xffffffff80b2d009 at trap_pfault+0x1f9
#4 0xffffffff80b2d4cf at trap+0x3df
#5 0xffffffff80b17a1f at calltrap+0x8
#6 0xffffffff8163620e at ubt_attach+0x5e
#7 0xffffffff80864799 at device_attach+0x69
#8 0xffffffff806d8389 at usb_probe_and_attach+0x1f9
#9 0xffffffff806e078c at uhub_explore+0x46c
#10 0xffffffff806cab5e at usb_bus_explore+0x9e
#11 0xffffffff806e4783 at usb_process+0xd3
#12 0xffffffff8080927f at fork_exit+0x11f
#13 0xffffffff80b17f4e at fork_trampoline+0xe

Relevant information pulled from kgdb:
(kgdb) bt
#0  doadump (textdump=Variable "textdump" is not available.
) at pcpu.h:224
#1  0xffffffff808358e5 in kern_reboot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:442
#2  0xffffffff80835d91 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:607
#3  0xffffffff80b2ccc0 in trap_fatal (frame=0xc, eva=Variable "eva" is
not available.
) at /usr/src/sys/amd64/amd64/trap.c:818
#4  0xffffffff80b2d009 in trap_pfault (frame=0xffffff80f71808c0,
usermode=0) at /usr/src/sys/amd64/amd64/trap.c:734
#5  0xffffffff80b2d4cf in trap (frame=0xffffff80f71808c0) at
/usr/src/sys/amd64/amd64/trap.c:473
#6  0xffffffff80b17a1f in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:228
#7  0xffffffff8164475d in ng_make_node_common
(type=0xffffffff81638fc0, nodepp=0xfffffe0005b93910) at
/usr/src/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c:655
#8  0xffffffff8163620e in ubt_attach (dev=0xfffffe0005e65100) at
/usr/src/sys/modules/netgraph/bluetooth/ubt/../../../../netgraph/bluetooth/drivers/ubt/ng_ubt.c:455
#9  0xffffffff80864799 in device_attach (dev=0xfffffe0005e65100) at
device_if.h:180
#10 0xffffffff806d8389 in usb_probe_and_attach
(udev=0xfffffe000534e000, iface_index=Variable "iface_index" is not
available.
) at /usr/src/sys/dev/usb/usb_device.c:1195
#11 0xffffffff806e078c in uhub_explore (udev=0xfffffe00052d3000) at
/usr/src/sys/dev/usb/usb_hub.c:269
#12 0xffffffff806cab5e in usb_bus_explore (pm=Variable "pm" is not available.
) at /usr/src/sys/dev/usb/controller/usb_controller.c:259
#13 0xffffffff806e4783 in usb_process (arg=Variable "arg" is not available.
) at /usr/src/sys/dev/usb/usb_process.c:165
#14 0xffffffff8080927f in fork_exit (callout=0xffffffff806e46b0
<usb_process>, arg=0xffffff8000726e88, frame=0xffffff80f7180c50) at
/usr/src/sys/kern/kern_fork.c:995
#15 0xffffffff80b17f4e in fork_trampoline () at
/usr/src/sys/amd64/amd64/exception.S:602

(kgdb) list *0xffffffff8164475d
0xffffffff8164475d is in ng_make_node_common
(/usr/src/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c:655).
650             /* Initialize hook list for new node */
651             LIST_INIT(&node->nd_hooks);
652
653             /* Link us into the name hash. */
654             mtx_lock(&ng_namehash_mtx);
655             LIST_INSERT_HEAD(&V_ng_name_hash[0], node, nd_nodes);
656             mtx_unlock(&ng_namehash_mtx);
657
658             /* get an ID and put us in the hash chain */
659             mtx_lock(&ng_idhash_mtx);

This is my first time looking at FreeBSD kernel code, so to verify
that I'm reading these #defines correctly and not looking at nonsense
objects:
(kgdb) print ((struct pcpu*) __pcpu)->pc_curthread->td_proc->p_comm
$16 = "usb\000el", '\0' <repeats 13 times>

Time to get dirty and figure out what address V_ng_name_hash points
to.  First, find the value of curvnet in net/vnet.h:
(kgdb) print ((struct pcpu*) __pcpu)->pc_curthread->td_vnet
$17 = (struct vnet *) 0x0

That looks like a null pointer... not good.

It's late, so I'm going to come back to this later.  Any ideas on
where I should go from here?
Received on Mon Oct 31 2011 - 07:52:53 UTC
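To show where the fault address 0x28 comes from and what a vnet-less kernel thread needs before it can touch a V_ variable, here is an added userland model (not code from this post or from the FreeBSD tree). It assumes the FreeBSD 9 struct vnet layout from sys/net/vnet.h; VNET_MAGIC_MODEL, NG_NAME_HASH_OFF, vnet_lookup and attach_model are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Model of FreeBSD 9's struct vnet (assumed layout, after sys/net/vnet.h).
 * Every V_xxx access first reads vnet_data_base through curthread->td_vnet. */
struct vnet {
	struct vnet *le_next, **le_prev;	/* LIST_ENTRY(vnet) vnet_le: 16 bytes */
	unsigned int vnet_magic_n;
	unsigned int vnet_ifcnt;
	unsigned int vnet_sockcnt;		/* then 4 bytes of padding on amd64 */
	void *vnet_data_mem;
	uintptr_t vnet_data_base;		/* offset 0x28: the trap's fault address */
};

#define VNET_MAGIC_MODEL 0x3e0d8f29u	/* sentinel value, constructed here */
#define NG_NAME_HASH_OFF 0x100		/* constructed offset of ng_name_hash */

static struct vnet *curvnet;		/* stands in for curthread->td_vnet */
static struct vnet vnet0;		/* stands in for the base vnet */
static uint8_t vnet0_data[0x200];	/* its per-vnet variable area */

/* Address VNET_VNET(vn, sym) dereferences before reaching sym itself. */
static uintptr_t vnet_base_addr(const struct vnet *vn)
{
	return (uintptr_t)vn + offsetof(struct vnet, vnet_data_base);
}

/* Checked stand-in for the V_ macro: a NULL or uninitialised vnet yields
 * NULL so the caller can fail the attach instead of taking a page fault. */
static void *vnet_lookup(const struct vnet *vn, size_t off)
{
	if (vn == NULL || vn->vnet_magic_n != VNET_MAGIC_MODEL)
		return NULL;
	return (void *)(vn->vnet_data_base + off);
}

/* A vnet-less kernel thread (like usbus0) touching a V_ variable. With
 * set_context == 0 this is the post's NULL case; set_context == 1 mimics a
 * CURVNET_SET(vnet0) / CURVNET_RESTORE() pair around the access. */
static int attach_model(int set_context)
{
	struct vnet *saved = curvnet;
	vnet0.vnet_magic_n = VNET_MAGIC_MODEL;
	vnet0.vnet_data_base = (uintptr_t)vnet0_data;
	if (set_context)
		curvnet = &vnet0;
	void *hash = vnet_lookup(curvnet, NG_NAME_HASH_OFF);
	curvnet = saved;			/* CURVNET_RESTORE() */
	return hash != NULL ? 0 : -1;
}
```

With td_vnet NULL the first read lands at offset 0x28 of address zero, which is exactly the "fault virtual address" in the trap above.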