Opened 3 years ago
Last modified 2 months ago
#17348 new bug
OHCI: Use-after-free crash during boot (race condition?)
| Reported by: | waddlesplash | Owned by: | mmlr |
|---|---|---|---|
| Priority: | normal | Milestone: | Unscheduled |
| Component: | Drivers/USB/OHCI | Version: | R1/beta3 |
| Keywords: | | Cc: | |
| Blocked By: | | Blocking: | |
| Platform: | All | | |
Description
Saw this while booting up one time in QEMU. It occurred just after packagefs finished initializing (i.e. the previous thing in the log is the "StringPool usage" information). Unfortunately I have not run into it since; it seems to be pretty rare.
```
PANIC: vm_page_fault: unhandled page fault in kernel space at 0xdeadbeefdeadbeef, ip 0xffffffff815e994d
Welcome to Kernel Debugging Land...
Thread 16 "main2" running on CPU 1
stack trace for thread 16 "main2"
    kernel stack: 0xffffffff811b4000 to 0xffffffff811b9000
frame                       caller             <image>:function + offset
 0 ffffffff811b6eb8 (+ 24) ffffffff8015212c   <kernel_x86_64> arch_debug_call_with_fault_handler() + 0x16
 1 ffffffff811b6ed0 (+ 80) ffffffff800aeb78   <kernel_x86_64> debug_call_with_fault_handler() + 0x88
 2 ffffffff811b6f20 (+ 96) ffffffff800b0501   <kernel_x86_64> _ZL20kernel_debugger_loopPKcS0_P13__va_list_tagi() + 0xf1
 3 ffffffff811b6f80 (+ 80) ffffffff800b07fe   <kernel_x86_64> _ZL24kernel_debugger_internalPKcS0_P13__va_list_tagi() + 0x6e
 4 ffffffff811b6fd0 (+ 240) ffffffff800b0b67   <kernel_x86_64> panic() + 0xb7
 5 ffffffff811b70c0 (+ 240) ffffffff8013bee0   <kernel_x86_64> vm_page_fault() + 0x260
 6 ffffffff811b71b0 (+ 64) ffffffff8015d650   <kernel_x86_64> x86_page_fault_exception() + 0x160
 7 ffffffff811b71f0 (+ 552) ffffffff80153a1c   <kernel_x86_64> int_bottom() + 0x80
kernel iframe at 0xffffffff811b7418 (end = 0xffffffff811b74e0)
 rax 0xdeadbeefdeadbeef    rbx 0xffffffff8226ac98    rcx 0x10
 rdx 0xffffffff824d8f50    rsi 0x0                   rdi 0xffffffff823fa830
 rbp 0xffffffff811b7540    r8  0xffffffff811b929c    r9  0x1
 r10 0x1                   r11 0xffffffff85b8ec40    r12 0xffffffff8225a708
 r13 0x0                   r14 0x0                   r15 0xffffffff824d8af0
 rip 0xffffffff815e994d    rsp 0xffffffff811b74e0    rflags 0x10282
 vector: 0xe, error code: 0x1
 8 ffffffff811b7418 (+ 296) ffffffff815e994d   <ohci> _ZN4OHCI15_SubmitTransferEP8Transfer.localalias.29() + 0xed
 9 ffffffff811b7540 (+ 80) ffffffff8193ef92   <usb> _ZN8BulkPipe9QueueBulkEPvmPFvS0_iS0_mES0_() + 0x82
10 ffffffff811b7590 (+ 64) ffffffff8193a0b7   <usb> _Z10queue_bulkjPvmPFvS_iS_mES_.localalias.3() + 0x57
11 ffffffff811b75d0 (+ 48) ffffffff8194b1fc   <usb_disk> _Z22usb_disk_transfer_dataP13disk_device_sbPvm.localalias.12() + 0x3c
12 ffffffff811b7600 (+ 32) ffffffff8194b33e   <usb_disk> _Z25usb_disk_receive_csw_bulkP13disk_device_sP35usb_massbulk_command_status_wrapper.localalias.10() + 0x1e
13 ffffffff811b7620 (+ 144) ffffffff8194b6d7   <usb_disk> _Z23usb_disk_operation_bulkP12device_lun_sPhmPvPmbP7err_act.localalias.8() + 0x107
14 ffffffff811b76b0 (+ 112) ffffffff8194bc1e   <usb_disk> _ZL19usb_disk_block_readP12device_lun_sjtPvPm() + 0xfe
15 ffffffff811b7720 (+ 96) ffffffff8194bcb3   <usb_disk> _ZL31usb_disk_prepare_partial_bufferP12device_lun_slmRPvS2_RjRt.constprop.30() + 0x83
16 ffffffff811b7780 (+ 128) ffffffff8194be33   <usb_disk> _ZL13usb_disk_readPvlS_Pm() + 0x113
17 ffffffff811b7800 (+ 112) ffffffff800ff5d5   <kernel_x86_64> _ZL14synchronous_ioP9IORequestR4DoIO() + 0x65
18 ffffffff811b7870 (+ 48) ffffffff80111c9b   <kernel_x86_64> vfs_synchronous_io() + 0x2b
19 ffffffff811b78a0 (+ 80) ffffffff800d0cee   <kernel_x86_64> _ZL8devfs_ioP9fs_volumeP8fs_vnodePvP9IORequest() + 0x10e
20 ffffffff811b78f0 (+ 80) ffffffff80111956   <kernel_x86_64> vfs_vnode_io() + 0x36
21 ffffffff811b7940 (+ 240) ffffffff80111be2   <kernel_x86_64> _ZL26do_iterative_fd_io_iteratePvP9IORequestPb() + 0x232
22 ffffffff811b7a30 (+ 96) ffffffff80111fe2   <kernel_x86_64> do_iterative_fd_io() + 0xe2
23 ffffffff811b7a90 (+ 80) ffffffff80111956   <kernel_x86_64> vfs_vnode_io() + 0x36
24 ffffffff811b7ae0 (+ 368) ffffffff8011214e   <kernel_x86_64> vfs_read_pages() + 0x9e
25 ffffffff811b7c50 (+ 80) ffffffff8005383e   <kernel_x86_64> file_cache_read() + 0x8e
26 ffffffff811b7ca0 (+ 80) ffffffff800f36da   <kernel_x86_64> _kern_read() + 0xba
27 ffffffff811b7cf0 (+ 32) ffffffff8017092f   <kernel_x86_64> pread() + 0x1f
28 ffffffff811b7d10 (+ 16) ffffffff81662b68   <packagefs> _ZN5BFdIO6ReadAtElPvm.localalias.6() + 0x18
29 ffffffff811b7d20 (+ 80) ffffffff80173773   <kernel_x86_64> _ZN11BPositionIO13ReadAtExactlyElPvmPm() + 0x53
30 ffffffff811b7d70 (+ 64) ffffffff8165e92d   <packagefs> _ZN11BPackageKit5BHPKG8BPrivate27PackageFileHeapAccessorBase12ReadFileDataEmPvm.localalias.0() + 0x2d
31 ffffffff811b7db0 (+ 64) ffffffff8165e9b0   <packagefs> _ZN11BPackageKit5BHPKG8BPrivate27PackageFileHeapAccessorBase26ReadAndDecompressChunkDataEmmmPvS3_() + 0x30
32 ffffffff811b7df0 (+ 96) ffffffff8165e39e   <packagefs> _ZN11BPackageKit5BHPKG8BPrivate27PackageFileHeapAccessorBase16ReadDataToOutputElmP7BDataIO.localalias.4() + 0xde
33 ffffffff811b7e50 (+ 112) ffffffff8163ecd7   <packagefs> _ZN16CachedDataReader14_ReadIntoPagesEPP7vm_pagemm.localalias.2() + 0x77
34 ffffffff811b7ec0 (+ 464) ffffffff8163fbc4   <packagefs> _ZN16CachedDataReader14_ReadCacheLineElmlmP7BDataIO.localalias.6() + 0x654
35 ffffffff811b8090 (+ 64) ffffffff8163ffb3   <packagefs> _ZN16CachedDataReader16ReadDataToOutputElmP7BDataIO.localalias.9() + 0x83
36 ffffffff811b80d0 (+ 112) ffffffff81649820   <packagefs> _ZN11PackageFile4ReadEP9IORequest.localalias.7() + 0xc0
37 ffffffff811b8140 (+ 32) ffffffff81641cd6   <packagefs> _ZL12packagefs_ioP9fs_volumeP8fs_vnodePvP9IORequest() + 0x26
38 ffffffff811b8160 (+ 80) ffffffff80111956   <kernel_x86_64> vfs_vnode_io() + 0x36
39 ffffffff811b81b0 (+ 368) ffffffff8011214e   <kernel_x86_64> vfs_read_pages() + 0x9e
40 ffffffff811b8320 (+ 944) ffffffff80051b7c   <kernel_x86_64> _ZL15read_into_cacheP14file_cache_refPvlimmbP19vm_page_reservationm() + 0x1ac
41 ffffffff811b86d0 (+ 208) ffffffff80052c43   <kernel_x86_64> _ZL8cache_ioPvS_lmPmb() + 0x7a3
42 ffffffff811b87a0 (+ 64) ffffffff800537f6   <kernel_x86_64> file_cache_read() + 0x46
43 ffffffff811b87e0 (+ 80) ffffffff800f36da   <kernel_x86_64> _kern_read() + 0xba
44 ffffffff811b8830 (+ 160) ffffffff8005b94d   <kernel_x86_64> load_kernel_add_on() + 0x17d
45 ffffffff811b88d0 (+ 112) ffffffff80063bf4   <kernel_x86_64> _ZL16get_module_imagePKcPP12module_image() + 0x94
46 ffffffff811b8940 (+ 272) ffffffff800678c6   <kernel_x86_64> read_next_module_name() + 0x426
47 ffffffff811b8a50 (+ 112) ffffffff800e9f2e   <kernel_x86_64> _ZN8BPrivate10DiskDevice18KDiskDeviceManager18_RescanDiskSystemsERNS1_13DiskSystemMapEb() + 0xee
48 ffffffff811b8ac0 (+ 112) ffffffff800ea3b5   <kernel_x86_64> _ZN8BPrivate10DiskDevice18KDiskDeviceManager17RescanDiskSystemsEv() + 0x55
49 ffffffff811b8b30 (+1072) ffffffff80112e49   <kernel_x86_64> vfs_mount_boot_file_system() + 0x389
50 ffffffff811b8f60 (+ 80) ffffffff80063499   <kernel_x86_64> _ZL5main2Pv() + 0x99
51 ffffffff811b8fb0 (+ 32) ffffffff8008b6c7   <kernel_x86_64> _ZL19common_thread_entryPv() + 0x37
52 ffffffff811b8fd0 (+2128900144) ffffffff811b8fe0   194:main2_16_kstack@0xffffffff811b4000 + 0x4fe0
```
May be fixed with hrev58221.