Kernel panic when USB modem is detached: free: size too small

Natacha Porté
Hello,

Context:

I have a Thinkpad X220 with an integrated WWAN modem "Lenovo F5521gw",
which presents itself as USB devices umodem0-2, ucom0-2, and ugen0 on
uhub3. I don't really know whether uhub3 is part of the modem or part of
the motherboard where the modem is plugged.

In my day-to-day use of the modem, it sometimes randomly vanishes from
the USB bus, leaving only uhub3. I never bothered to find out what really
happened; it came back by itself when I re-started pppd.


Problem Summary:

Since a recent update in CURRENT, whenever the modem disappears from
the USB bus, I get a kernel panic.

While the random vanishings are infrequent, I can reliably trigger the
same panic when requesting hibernation (either with apmd running and
calling ZZZ, or without apmd using the keyboard shortcut), presumably
because hibernation somehow turns off the modem.

So in effect, hibernation is now broken for me.


Problem Details:

The oldest affected version is:
OpenBSD 6.4-current (GENERIC.MP) #446: Sat Nov 17 17:41:16 MST 2018
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

The newest non-affected version is:
OpenBSD 6.3-current (GENERIC.MP) #91: Sat Jun  9 20:57:09 MDT 2018
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
(I'm not very good with regular updates on this machine, mostly because
I don't often have network access other than the WWAN with a small data
plan)

The full panic message is:
panic: free: size too small 16 <= 128 / 2 (0xffff80000056bc00) type USB

The number above is the same in all instances, even across kernel
re-linking and even snapshot updates.

Here is a transcription of the reproducible parts of the remainder of
the panic screen:

Stopped at      db_enter+0x12:  popq     %r11
    TID    PID    UID     PRFLAGS      PFLAGS  CPU  COMMAND
<some random process which seems unrelated>
i*??????  ?????     0     0x14000       0x200    2K usbtask
db_enter() at db_enter+0x12
panic() at panic+0x120
free(<random hex>,ffff80000051c800,ffff800000565500) at free+0x3cf
usb_free_device(0) at usb_free_device+0xf6
usbd_detach(<random hex>,<random hex>) at usbd_detach+0x81

The rest of the stack trace varies from instance to instance, but
usb_detach is called at least from uhub_port_connect (coming from
uhub_explore and usb_explore) or from config_detach (coming from
uhub_detach, then another usbd_detach, and uhub_detach).

In one instance (with config_detach), I checked the dmesg from ddb, and
it ends with:
uhub2 detached
uhub0 detached
ucom0 detached
umodem0 detached
ucom1 detached
umodem1 detached
ucom2 detached
umodem2 detached
ugen0 detached

I can provide photos or transcripts of specific instances if that can
help.


Here is a full dmesg of the latest boot after reproducing the issue
(note that this is a newer OpenBSD than when I first noticed the
problem):

OpenBSD 6.4-current (GENERIC.MP) #454: Mon Nov 19 21:00:13 MST 2018
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4156157952 (3963MB)
avail mem = 4020903936 (3834MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xdae9c000 (65 entries)
bios0: vendor LENOVO version "8DET58WW (1.28 )" date 02/14/2012
bios0: LENOVO 4287CTO
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SLIC SSDT SSDT SSDT HPET APIC MCFG ECDT ASF! TCPA SSDT SSDT UEFI UEFI UEFI
acpi0: wakeup devices LID_(S3) SLPB(S3) IGBE(S4) EXP4(S4) EXP7(S4) EHC1(S3) EHC2(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz, 2492.30 MHz, 06-2a-07
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz, 2491.91 MHz, 06-2a-07
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz, 2491.91 MHz, 06-2a-07
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz, 2491.91 MHz, 06-2a-07
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xf8000000, bus 0-63
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG_)
acpiprt2 at acpi0: bus 2 (EXP1)
acpiprt3 at acpi0: bus 3 (EXP2)
acpiprt4 at acpi0: bus 5 (EXP4)
acpiprt5 at acpi0: bus 13 (EXP5)
acpiprt6 at acpi0: bus -1 (EXP7)
acpicpu0 at acpi0: C3(350@104 io@0x415), C1(1000@1 halt), PSS
acpicpu1 at acpi0: C3(350@104 io@0x415), C1(1000@1 halt), PSS
acpicpu2 at acpi0: C3(350@104 io@0x415), C1(1000@1 halt), PSS
acpicpu3 at acpi0: C3(350@104 io@0x415), C1(1000@1 halt), PSS
acpipwrres0 at acpi0: PUBS, resource for EHC1, EHC2
acpitz0 at acpi0: critical temperature is 99 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpipci0 at acpi0 PCI0: 0x00000000 0x00000011 0x00000001
acpicmos0 at acpi0
tpm0 at acpi0: TPM_ addr 0xfed40000/0x5000: device 0x0000104a rev 0x4e
acpibat0 at acpi0: BAT0 model "42T4861" serial 12194 type LION oem "SANYO"
acpiac0 at acpi0: AC unit online
acpithinkpad0 at acpi0
"PNP0C14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
acpidock0 at acpi0: GDCK not docked (0)
acpivideo0 at acpi0: VID_
acpivout at acpivideo0 not configured
acpivideo1 at acpi0: VID_
cpu0: Enhanced SpeedStep 2492 MHz: speeds: 2501, 2500, 2200, 2000, 1800, 1600, 1400, 1200, 1000, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 2G Host" rev 0x09
inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics 3000" rev 0x09
drm0 at inteldrm0
inteldrm0: msi
inteldrm0: 1366x768, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel 6 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
em0 at pci0 dev 25 function 0 "Intel 82579LM" rev 0x04: msi, address f0:de:f1:f3:16:ab
ehci0 at pci0 dev 26 function 0 "Intel 6 Series USB" rev 0x04: apic 2 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 "Intel 6 Series HD Audio" rev 0x04: msi
azalia0: codecs: Conexant CX20590, Intel/0x2805, using Conexant CX20590
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 6 Series PCIE" rev 0xb4: msi
pci1 at ppb0 bus 2
ppb1 at pci0 dev 28 function 1 "Intel 6 Series PCIE" rev 0xb4: msi
pci2 at ppb1 bus 3
iwn0 at pci2 dev 0 function 0 "Intel WiFi Link 1000" rev 0x00: msi, MIMO 1T2R, BGS, address 74:e5:0b:f3:73:8a
ppb2 at pci0 dev 28 function 3 "Intel 6 Series PCIE" rev 0xb4: msi
pci3 at ppb2 bus 5
ppb3 at pci0 dev 28 function 4 "Intel 6 Series PCIE" rev 0xb4: msi
pci4 at ppb3 bus 13
sdhc0 at pci4 dev 0 function 0 "Ricoh 5U823 SD/MMC" rev 0x04: apic 2 int 16
sdhc0: SDHC 3.0, 50 MHz base clock
sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, dma
ehci1 at pci0 dev 29 function 0 "Intel 6 Series USB" rev 0x04: apic 2 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
pcib0 at pci0 dev 31 function 0 "Intel QM67 LPC" rev 0x04
ahci0 at pci0 dev 31 function 2 "Intel 6 Series AHCI" rev 0x04: msi, AHCI 1.3
ahci0: port 0: 6.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: <ATA, ST1000LM035-1RK1, SDM1> SCSI3 0/direct fixed naa.5000c5009cd96696
sd0: 953869MB, 512 bytes/sector, 1953525168 sectors
ichiic0 at pci0 dev 31 function 3 "Intel 6 Series SMBus" rev 0x04: apic 2 int 18
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-10600 SO-DIMM
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
aps0 at isa0 port 0x1600/31
uhub2 at uhub0 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
uhub3 at uhub1 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
umodem0 at uhub3 port 4 configuration 1 interface 1 "Lenovo F5521gw" rev 2.00/0.00 addr 3
umodem0: data interface 2, has CM over data, has break
umodem0: status change notification available
ucom0 at umodem0
umodem1 at uhub3 port 4 configuration 1 interface 3 "Lenovo F5521gw" rev 2.00/0.00 addr 3
umodem1: data interface 4, has CM over data, has break
umodem1: status change notification available
ucom1 at umodem1
umodem2 at uhub3 port 4 configuration 1 interface 9 "Lenovo F5521gw" rev 2.00/0.00 addr 3
umodem2: data interface 10, has CM over data, has break
umodem2: status change notification available
ucom2 at umodem2
ugen0 at uhub3 port 4 configuration 1 "Lenovo F5521gw" rev 2.00/0.00 addr 3
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
softraid0: sd1 was not shutdown properly
sd1 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> SCSI2 0/direct fixed
sd1: 953866MB, 512 bytes/sector, 1953519473 sectors
root on sd1a (63848a4fade4a944.a) swap on sd1b dump on sd1b
WARNING: / was not properly unmounted
umass0 at uhub3 port 2 configuration 1 interface 0 "General UDisk" rev 2.00/1.00 addr 4
umass0: using SCSI over Bulk-Only
scsibus4 at umass0: 2 targets, initiator 0
sd2 at scsibus4 targ 1 lun 0: <General, UDisk, 5.00> SCSI2 0/direct removable
sd2: 15360MB, 512 bytes/sector, 31457280 sectors
sd2 detached
scsibus4 detached
umass0 detached
drm:
OpenBSD 6.4-current (GENERIC.MP) #454: Mon Nov 19 21:00:13 MST 2018
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4156157952 (3963MB)
avail mem = 4020916224 (3834MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xdae9c000 (65 entries)
bios0: vendor LENOVO version "8DET58WW (1.28 )" date 02/14/2012
bios0: LENOVO 4287CTO
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SLIC SSDT SSDT SSDT HPET APIC MCFG ECDT ASF! TCPA SSDT SSDT UEFI UEFI UEFI
acpi0: wakeup devices LID_(S3) SLPB(S3) IGBE(S4) EXP4(S4) EXP7(S4) EHC1(S3) EHC2(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz, 2492.32 MHz, 06-2a-07
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz, 2491.91 MHz, 06-2a-07
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz, 2491.91 MHz, 06-2a-07
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz, 2491.91 MHz, 06-2a-07
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xf8000000, bus 0-63
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG_)
acpiprt2 at acpi0: bus 2 (EXP1)
acpiprt3 at acpi0: bus 3 (EXP2)
acpiprt4 at acpi0: bus 5 (EXP4)
acpiprt5 at acpi0: bus 13 (EXP5)
acpiprt6 at acpi0: bus -1 (EXP7)
acpicpu0 at acpi0: C3(350@104 io@0x415), C1(1000@1 halt), PSS
acpicpu1 at acpi0: C3(350@104 io@0x415), C1(1000@1 halt), PSS
acpicpu2 at acpi0: C3(350@104 io@0x415), C1(1000@1 halt), PSS
acpicpu3 at acpi0: C3(350@104 io@0x415), C1(1000@1 halt), PSS
acpipwrres0 at acpi0: PUBS, resource for EHC1, EHC2
acpitz0 at acpi0: critical temperature is 99 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpipci0 at acpi0 PCI0: 0x00000000 0x00000011 0x00000001
acpicmos0 at acpi0
tpm0 at acpi0: TPM_ addr 0xfed40000/0x5000: device 0x0000104a rev 0x4e
acpibat0 at acpi0: BAT0 model "42T4861" serial 12194 type LION oem "SANYO"
acpiac0 at acpi0: AC unit online
acpithinkpad0 at acpi0
"PNP0C14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
acpidock0 at acpi0: GDCK not docked (0)
acpivideo0 at acpi0: VID_
acpivout at acpivideo0 not configured
acpivideo1 at acpi0: VID_
cpu0: Enhanced SpeedStep 2492 MHz: speeds: 2501, 2500, 2200, 2000, 1800, 1600, 1400, 1200, 1000, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 2G Host" rev 0x09
inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics 3000" rev 0x09
drm0 at inteldrm0
inteldrm0: msi
inteldrm0: 1366x768, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel 6 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
em0 at pci0 dev 25 function 0 "Intel 82579LM" rev 0x04: msi, address f0:de:f1:f3:16:ab
ehci0 at pci0 dev 26 function 0 "Intel 6 Series USB" rev 0x04: apic 2 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 "Intel 6 Series HD Audio" rev 0x04: msi
azalia0: codecs: Conexant CX20590, Intel/0x2805, using Conexant CX20590
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 6 Series PCIE" rev 0xb4: msi
pci1 at ppb0 bus 2
ppb1 at pci0 dev 28 function 1 "Intel 6 Series PCIE" rev 0xb4: msi
pci2 at ppb1 bus 3
iwn0 at pci2 dev 0 function 0 "Intel WiFi Link 1000" rev 0x00: msi, MIMO 1T2R, BGS, address 74:e5:0b:f3:73:8a
ppb2 at pci0 dev 28 function 3 "Intel 6 Series PCIE" rev 0xb4: msi
pci3 at ppb2 bus 5
ppb3 at pci0 dev 28 function 4 "Intel 6 Series PCIE" rev 0xb4: msi
pci4 at ppb3 bus 13
sdhc0 at pci4 dev 0 function 0 "Ricoh 5U822 SD/MMC" rev 0x07: apic 2 int 16
sdhc0: SDHC 3.0, 50 MHz base clock
sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, dma
ehci1 at pci0 dev 29 function 0 "Intel 6 Series USB" rev 0x04: apic 2 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
pcib0 at pci0 dev 31 function 0 "Intel QM67 LPC" rev 0x04
ahci0 at pci0 dev 31 function 2 "Intel 6 Series AHCI" rev 0x04: msi, AHCI 1.3
ahci0: port 0: 6.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: <ATA, ST1000LM035-1RK1, SDM1> SCSI3 0/direct fixed naa.5000c5009cd96696
sd0: 953869MB, 512 bytes/sector, 1953525168 sectors
ichiic0 at pci0 dev 31 function 3 "Intel 6 Series SMBus" rev 0x04: apic 2 int 18
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-10600 SO-DIMM
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
aps0 at isa0 port 0x1600/31
uhub2 at uhub0 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
uhub3 at uhub1 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
umodem0 at uhub3 port 4 configuration 1 interface 1 "Lenovo F5521gw" rev 2.00/0.00 addr 3
umodem0: data interface 2, has CM over data, has break
umodem0: status change notification available
ucom0 at umodem0
umodem1 at uhub3 port 4 configuration 1 interface 3 "Lenovo F5521gw" rev 2.00/0.00 addr 3
umodem1: data interface 4, has CM over data, has break
umodem1: status change notification available
ucom1 at umodem1
umodem2 at uhub3 port 4 configuration 1 interface 9 "Lenovo F5521gw" rev 2.00/0.00 addr 3
umodem2: data interface 10, has CM over data, has break
umodem2: status change notification available
ucom2 at umodem2
ugen0 at uhub3 port 4 configuration 1 "Lenovo F5521gw" rev 2.00/0.00 addr 3
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
softraid0: sd1 was not shutdown properly
sd1 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> SCSI2 0/direct fixed
sd1: 953866MB, 512 bytes/sector, 1953519473 sectors
root on sd1a (63848a4fade4a944.a) swap on sd1b dump on sd1b
WARNING: / was not properly unmounted

Re: Kernel panic when USB modem is detached: free: size too small

Anton Lindqvist-2
On Tue, Nov 20, 2018 at 09:39:52AM +0000, Natasha Kerensikova wrote:

> Hello,
>
> Context:
>
> I have a Thinkpad X220 with an integrated WWAN modem "Lenovo F5521gw",
> which presents itself as USB devices umodem0-2, ucom0-2, and ugen0 on
> uhub3. I don't really know whether uhub3 is part of the modem or part of
> the motherboard where the modem is plugged.
>
> In my day-to-day use of the modem, it sometimes randomly vanishes from
> the USB bus, leaving only uhub3. I never bothered to find out what really
> happened; it came back by itself when I re-started pppd.
>
>
> Problem Summary:
>
> Since a recent update in CURRENT, whenever the modem disappears from
> the USB bus, I get a kernel panic.
>
> While the random vanishings are infrequent, I can reliably trigger the
> same panic when requesting hibernation (either with apmd running and
> calling ZZZ, or without apmd using the keyboard shortcut), presumably
> because hibernation somehow turns off the modem.
>
> So in effect, hibernation is now broken for me.
>
>
> Problem Details:
>
> The oldest affected version is:
> OpenBSD 6.4-current (GENERIC.MP) #446: Sat Nov 17 17:41:16 MST 2018
>     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> The newest non-affected version is:
> OpenBSD 6.3-current (GENERIC.MP) #91: Sat Jun  9 20:57:09 MDT 2018
>     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> (I'm not very good with regular updates on this machine, mostly because
> I don't often have network access other than the WWAN with a small data
> plan)
>
> The full panic message is:
> panic: free: size too small 16 <= 128 / 2 (0xffff80000056bc00) type USB
>
> The number above is the same in all instances, even across kernel
> re-linking and even snapshot updates.
>
> Here is a transcription of the reproducible parts of the remainder of
> the panic screen:
>
> Stopped at      db_enter+0x12:  popq     %r11
>     TID    PID    UID     PRFLAGS      PFLAGS  CPU  COMMAND
> <some random process which seems unrelated>
> i*??????  ?????     0     0x14000       0x200    2K usbtask
> db_enter() at db_enter+0x12
> panic() at panic+0x120
> free(<random hex>,ffff80000051c800,ffff800000565500) at free+0x3cf
> usb_free_device(0) at usb_free_device+0xf6
> usbd_detach(<random hex>,<random hex>) at usbd_detach+0x81
>
> The rest of the stack trace varies from instance to instance, but
> usb_detach is called at least from uhub_port_connect (coming from
> uhub_explore and usb_explore) or from config_detach (coming from
> uhub_detach, then another usbd_detach, and uhub_detach).
>
> In one instance (with config_detach), I checked the dmesg from ddb, and
> it ends with:
> uhub2 detached
> uhub0 detached
> ucom0 detached
> umodem0 detached
> ucom1 detached
> umodem1 detached
> ucom2 detached
> umodem2 detached
> ugen0 detached
>
> I can provide photos or transcripts of specific instances if that can
> help.

Ran into the same problem. Looks like one nsubdev assignment is
happening outside the branch where the actual allocation is performed.
With the diff below, suspend works again. Note, the diff is generated
prior to the revert for clarity.

diff --git sys/dev/usb/usb_subr.c sys/dev/usb/usb_subr.c
index 1e09fe3dd22..efa1fe9e51f 100644
--- sys/dev/usb/usb_subr.c
+++ sys/dev/usb/usb_subr.c
@@ -992,8 +992,8 @@ generic:
  err = USBD_NOMEM;
  goto fail;
  }
+ dev->nsubdev = 2;
  }
- dev->nsubdev = 2;
  dev->subdevs[dev->ndevs++] = dv;
  dev->subdevs[dev->ndevs] = 0;
  err = USBD_NORMAL_COMPLETION;
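
Review bot: The two stores that follow the moved assignment, `dev->subdevs[dev->ndevs++] = dv;` and `dev->subdevs[dev->ndevs] = 0;`, are still not checked against the recorded array length. Now that `nsubdev` is only written where the array is allocated, a `KASSERT(dev->ndevs + 1 < dev->nsubdev)` ahead of them would catch a length that has gone stale before it reaches free(). The literal 2 also has to match the element count of the allocation above this hunk, which is not visible here, so deriving both from one expression would keep them in step.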

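The failure described in the message above, as an added example that is not part of the original thread and is not OpenBSD code: a user-space C model of a size-checked free() and of the `subdevs`/`nsubdev` bookkeeping. The power-of-two buckets, the 16-byte minimum bucket, the `model_*`, `attach_generic` and `simulate` names, the `subdevs == NULL` branch condition and the 11-interface device are assumptions, chosen so that the stale length reproduces the `16 <= 128 / 2` figures of the panic message on a 64-bit build.

```c
/* Added example: user-space model, not OpenBSD kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MINBUCKET 16            /* assumed smallest allocator bucket */

struct hdr { size_t bucket; };  /* model-only header remembering the bucket */

/* Assumed policy: requests are rounded up to a power-of-two bucket. */
static size_t bucket_size(size_t n)
{
	size_t b = MINBUCKET;

	while (b < n)
		b <<= 1;
	return b;
}

static void *model_malloc(size_t n)
{
	struct hdr *h = calloc(1, sizeof(*h) + bucket_size(n));

	if (h == NULL)
		return NULL;
	h->bucket = bucket_size(n);
	return h + 1;
}

/*
 * Sized free. Returns 0 if the caller's size is plausible for the bucket,
 * -1 where the kernel would panic ("size too small 16 <= 128 / 2").
 * A size of 0 means "unknown" and skips the check, as in the old call
 * free(dev->subdevs, M_USB, 0) shown in the thread.
 */
static int model_free(void *p, size_t freedsize)
{
	struct hdr *h;
	int bad = 0;

	if (p == NULL)
		return 0;
	h = (struct hdr *)p - 1;
	if (freedsize != 0 && (freedsize > h->bucket ||
	    (h->bucket > MINBUCKET && freedsize <= h->bucket / 2)))
		bad = 1;
	free(h);
	return bad ? -1 : 0;
}

struct model_dev {
	void **subdevs;         /* sub-device array */
	int nsubdev;            /* recorded number of slots in subdevs */
};

/* Generic attach: allocates 2 slots only when no array exists yet. */
static int attach_generic(struct model_dev *d, int fixed)
{
	if (d->subdevs == NULL) {       /* assumed branch condition */
		d->subdevs = model_malloc(2 * sizeof(*d->subdevs));
		if (d->subdevs == NULL)
			return -1;
		if (fixed)
			d->nsubdev = 2; /* recorded where the allocation happens */
	}
	if (!fixed)
		d->nsubdev = 2;         /* misplaced: clobbers the real length */
	return 0;
}

/* Attach nifaces interface drivers plus a generic one, then detach. */
int simulate(int nifaces, int fixed)
{
	struct model_dev d = { NULL, 0 };

	d.subdevs = model_malloc((nifaces + 2) * sizeof(*d.subdevs));
	if (d.subdevs == NULL)
		return -2;
	d.nsubdev = nifaces + 2;
	if (attach_generic(&d, fixed) != 0)
		return -2;
	return model_free(d.subdevs, d.nsubdev * sizeof(*d.subdevs));
}

int main(void)
{
	/* 11 interfaces is a constructed value: 13 * 8 = 104 bytes -> 128 bucket */
	printf("misplaced assignment: %d\n", simulate(11, 0));
	printf("assignment in branch: %d\n", simulate(11, 1));
	return 0;
}
```

With no interface drivers (`simulate(0, 0)`) the array really is two slots long, so the misplaced assignment goes unnoticed; the check only fires for devices whose array is larger than the value written over it.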
Re: Kernel panic when USB modem is detached: free: size too small

Martin Pieuchot
On 20/11/18(Tue) 18:29, Anton Lindqvist wrote:

> On Tue, Nov 20, 2018 at 09:39:52AM +0000, Natasha Kerensikova wrote:
> > Hello,
> >
> > Context:
> >
> > I have a Thinkpad X220 with an integrated WWAN modem "Lenovo F5521gw",
> > which presents itself as USB devices umodem0-2, ucom0-2, and ugen0 on
> > uhub3. I don't really know whether uhub3 is part of the modem or part of
> > the motherboard where the modem is plugged.
> >
> > In my day-to-day use of the modem, it sometimes randomly vanishes from
> > the USB bus, leaving only uhub3. I never bothered to find out what really
> > happened; it came back by itself when I re-started pppd.
> >
> >
> > Problem Summary:
> >
> > Since a recent update in CURRENT, whenever the modem disappears from
> > the USB bus, I get a kernel panic.
> >
> > While the random vanishings are infrequent, I can reliably trigger the
> > same panic when requesting hibernation (either with apmd running and
> > calling ZZZ, or without apmd using the keyboard shortcut), presumably
> > because hibernation somehow turns off the modem.
> >
> > So in effect, hibernation is now broken for me.
> >
> >
> > Problem Details:
> >
> > The oldest affected version is:
> > OpenBSD 6.4-current (GENERIC.MP) #446: Sat Nov 17 17:41:16 MST 2018
> >     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > The newest non-affected version is:
> > OpenBSD 6.3-current (GENERIC.MP) #91: Sat Jun  9 20:57:09 MDT 2018
> >     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > (I'm not very good with regular updates on this machine, mostly because
> > I don't often have network access other than the WWAN with a small data
> > plan)
> >
> > The full panic message is:
> > panic: free: size too small 16 <= 128 / 2 (0xffff80000056bc00) type USB
> >
> > The number above is the same in all instances, even across kernel
> > re-linking and even snapshot updates.
> >
> > Here is a transcription of the reproducible parts of the remainder of
> > the panic screen:
> >
> > Stopped at      db_enter+0x12:  popq     %r11
> >     TID    PID    UID     PRFLAGS      PFLAGS  CPU  COMMAND
> > <some random process which seems unrelated>
> > i*??????  ?????     0     0x14000       0x200    2K usbtask
> > db_enter() at db_enter+0x12
> > panic() at panic+0x120
> > free(<random hex>,ffff80000051c800,ffff800000565500) at free+0x3cf
> > usb_free_device(0) at usb_free_device+0xf6
> > usbd_detach(<random hex>,<random hex>) at usbd_detach+0x81
> >
> > The rest of the stack trace varies from instance to instance, but
> > usb_detach is called at least from uhub_port_connect (coming from
> > uhub_explore and usb_explore) or from config_detach (coming from
> > uhub_detach, then another usbd_detach, and uhub_detach).
> >
> > In one instance (with config_detach), I checked the dmesg from ddb, and
> > it ends with:
> > uhub2 detached
> > uhub0 detached
> > ucom0 detached
> > umodem0 detached
> > ucom1 detached
> > umodem1 detached
> > ucom2 detached
> > umodem2 detached
> > ugen0 detached
> >
> > I can provide photos or transcripts of specific instances if that can
> > help.
>
> Ran into the same problem. Looks like one nsubdev assignment is
> happening outside the branch where the actual allocation is performed.
> With the diff below, suspend works again. Note, the diff is generated
> prior to the revert for clarity.

Thanks for the analysis, Anton; here's the full diff.

Index: usb_subr.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/usb_subr.c,v
retrieving revision 1.145
diff -u -p -r1.145 usb_subr.c
--- usb_subr.c 20 Nov 2018 11:51:23 -0000 1.145
+++ usb_subr.c 21 Nov 2018 15:57:41 -0000
@@ -891,6 +891,7 @@ usbd_probe_and_attach(struct device *par
  err = USBD_NOMEM;
  goto fail;
  }
+ dev->nsubdev = 2;
  dev->subdevs[dev->ndevs++] = dv;
  dev->subdevs[dev->ndevs] = 0;
  err = USBD_NORMAL_COMPLETION;
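
Review bot: `dev->nsubdev = 2;` repeats as a bare literal the element count of the allocation just above this hunk, and the same literal is added again in the `generic:` hunk further down. Computing the count once and using it for both the allocation and the assignment, or naming it with a constant, would stop the recorded length and the real one from drifting apart the next time either line is edited.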
@@ -933,6 +934,7 @@ usbd_probe_and_attach(struct device *par
  /* add 1 for possible ugen and 1 for NULL terminator */
  dev->subdevs = mallocarray(nifaces + 2, sizeof(dv), M_USB,
     M_NOWAIT | M_ZERO);
+ dev->nsubdev = nifaces + 2;
  if (dev->subdevs == NULL) {
  free(ifaces, M_USB, nifaces * sizeof(*ifaces));
  err = USBD_NOMEM;
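
Review bot: `dev->nsubdev = nifaces + 2;` is placed before the `if (dev->subdevs == NULL)` check, so when mallocarray() fails the device is left with a NULL `subdevs` and a non-zero `nsubdev`. The other hunks in this diff record the length only after the allocation has succeeded; moving this line below the NULL check, or clearing `nsubdev` in the failure branch, keeps the length non-zero only while the array exists.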
@@ -964,8 +966,9 @@ usbd_probe_and_attach(struct device *par
  goto fail;
  }
 
- free(dev->subdevs, M_USB, (nifaces + 2) * sizeof(dv));
+ free(dev->subdevs, M_USB, dev->nsubdev * sizeof(*dev->subdevs));
  dev->subdevs = NULL;
+ dev->nsubdev = 0;
  }
  /* No interfaces were attached in any of the configurations. */
 
@@ -989,6 +992,7 @@ generic:
  err = USBD_NOMEM;
  goto fail;
  }
+ dev->nsubdev = 2;
  }
  dev->subdevs[dev->ndevs++] = dv;
  dev->subdevs[dev->ndevs] = 0;
@@ -1407,8 +1411,7 @@ usb_free_device(struct usbd_device *dev)
  }
  if (dev->cdesc != NULL)
  free(dev->cdesc, M_USB, UGETW(dev->cdesc->wTotalLength));
- if (dev->subdevs != NULL)
- free(dev->subdevs, M_USB, 0);
+ free(dev->subdevs, M_USB, dev->nsubdev * sizeof(*dev->subdevs));
  dev->bus->devices[dev->address] = NULL;
 
  if (dev->vendor != NULL)
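
Review bot: With the `if (dev->subdevs != NULL)` guard removed and the size changed from 0 to `dev->nsubdev * sizeof(*dev->subdevs)`, this free() is only correct while every path that allocates or releases `subdevs` keeps `nsubdev` in step with it. A one-line comment stating that invariant here, or a `KASSERT(dev->subdevs != NULL || dev->nsubdev == 0)` just before the call, would make the dependency explicit for the next person who touches the attach code.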
Index: usbdivar.h
===================================================================
RCS file: /cvs/src/sys/dev/usb/usbdivar.h,v
retrieving revision 1.78
diff -u -p -r1.78 usbdivar.h
--- usbdivar.h 20 Nov 2018 11:51:23 -0000 1.78
+++ usbdivar.h 21 Nov 2018 15:58:13 -0000
@@ -158,6 +158,7 @@ struct usbd_device {
  const struct usbd_quirks     *quirks;  /* device quirks, always set */
  struct usbd_hub       *hub;           /* only if this is a hub */
  struct device         **subdevs;       /* sub-devices, 0 terminated */
+ int nsubdev;       /* size of the `subdevs' array */
  int ndevs;       /* # of subdevs */
 
  char                   *serial;        /* serial number, can be NULL */
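
Review bot: `nsubdev` is declared `int`, yet the other file multiplies it by `sizeof(*dev->subdevs)` and passes the product as the size argument of free(); an unsigned type such as `u_int` or `size_t` would avoid the signed-to-unsigned conversion in that expression. Sitting directly above `ndevs`, the name is also easy to misread, so something that says it is a capacity rather than a count would help readers of the struct.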