Opened 12 years ago
Closed 8 years ago
#10535 closed defect (obsolete)
ehci_handle_endpoint_reclaimation panic in Solaris guest VM on VirtualBox 4.1.15
| Reported by: | jayce | Owned by: | |
|---|---|---|---|
| Component: | other | Version: | VirtualBox 4.1.14 |
| Keywords: | solaris usb ehci panic | Cc: | jason.banham@… |
| Guest type: | Solaris | Host type: | Mac OS X |
Description
Problem Description
I was trying to attach a Kingston USB memory stick into the guest VM (Solaris 11) when the guest VM panic'd.
Host O/S is MacOS 10.6.8 and running VirtualBox 4.1.15 after recent host O/S panic's upon guest O/S (Linux) reboots. VirtualBox was upgraded to 4.1.15 as per:
Ticket #9897 Synopsis: Frequent panics on Mac OS X when shutting down/starting VMs.
Extension pack is: Oracle VM VirtualBox Extension Pack 4.1.4r77440
... I didn't see a 4.1.15 extension pack.
Core Dump Analysis
The panic string is this:
> $C
ffffff0003ea7af0 ddi_get32+0x12()
ffffff0003ea7b30 ehci_handle_endpoint_reclaimation+0x91(ffffff0149379000)
ffffff0003ea7b70 ehci_intr+0x184(ffffff0149379000, 0)
ffffff0003ea7bc0 av_dispatch_autovect+0x74(13)
ffffff0003ea7c00 dispatch_hardint+0x33(13, 0)
ffffff0003e05a50 switch_sp_and_call+0x13()
ffffff0003e05aa0 do_interrupt+0xb6(ffffff0003e05ab0, 1)
ffffff0003e05ab0 _interrupt+0xba()
ffffff0003e05ba0 mach_cpu_idle+6()
ffffff0003e05bd0 cpu_idle+0xb2()
ffffff0003e05c00 idle+0x116()
ffffff0003e05c10 thread_start+8()
From msgbuf we see:
2012 May 9 09:07:13 ffffff0161aa3ac0
WARNING: /pci@0,0/pci8086,265c@b (ehci0): Connecting device on port 1 failed
2012 May 9 09:08:07 ffffff0161ab3e00
panic[cpu0]/thread=ffffff0003ea7c20:
2012 May 9 09:08:07 ffffff0161aa3640
BAD TRAP: type=e (#pf Page fault) rp=ffffff0003ea79c0 addr=ffffff023772af00
2012 May 9 09:08:07 ffffff015b93fa00
2012 May 9 09:08:07 ffffff0167d940c0 sched:
2012 May 9 09:08:07 ffffff0168024a00 #pf Page fault
2012 May 9 09:08:07 ffffff0161aa3100 Bad kernel fault at addr=0xffffff023772af00
2012 May 9 09:08:08 ffffff0168080200
pid=0, pc=0xfffffffffb85ff32, sp=0xffffff0003ea7ab8, eflags=0x10246
2012 May 9 09:08:08 ffffff0161aa3e80
cr0: 8005003b<pg,wp,ne,et,ts,mp,pe> cr4: 6b8<xmme,fxsr,pge,pae,pse,de>
2012 May 9 09:08:08 ffffff0161aa3b80 cr2: ffffff023772af00
2012 May 9 09:08:08 ffffff0168080d40 cr3: 38a6000
2012 May 9 09:08:08 ffffff0168080ec0 cr8: c
2012 May 9 09:08:08 ffffff016807e840
2012 May 9 09:08:08 ffffff0168024340
rdi: ffffff014bbe5bc0 rsi: ffffff023772af00 rdx: c
2012 May 9 09:08:08 ffffff016807e300
rcx: ffffff014acfe300 r8: 2ceaf r9: 2ceaf
2012 May 9 09:08:08 ffffff0161aa3400
rax: ffffff023772af00 rbx: ffffff014bb98800 rbp: ffffff0003ea7af0
2012 May 9 09:08:08 ffffff015c7959c0
r10: fffffffffbcb9ab0 r11: fffffffffb82d0bc r12: ffffff0149379000
2012 May 9 09:08:08 ffffff0161aa3d00
r13: ffffff023772af00 r14: ffffff014bb98854 r15: ffffff01466b4c30
2012 May 9 09:08:08 ffffff0161aa31c0
fsb: 0 gsb: fffffffffbc3ebc0 ds: 4b
2012 May 9 09:08:08 ffffff0168080800
es: 4b fs: 0 gs: 1c3
2012 May 9 09:08:09 ffffff0161aa3340
trp: e err: 0 rip: fffffffffb85ff32
2012 May 9 09:08:09 ffffff0168024580
cs: 30 rfl: 10246 rsp: ffffff0003ea7ab8
2012 May 9 09:08:09 ffffff0161ab3d40 ss: 38
2012 May 9 09:08:09 ffffff0161ab3c80
2012 May 9 09:08:09 ffffff0161ab3bc0 ffffff0003ea78e0 unix:die+131 ()
2012 May 9 09:08:09 ffffff0161ab3b00 ffffff0003ea79b0 unix:trap+152b ()
2012 May 9 09:08:09 ffffff0161ab3a40 ffffff0003ea79c0 unix:cmntrap+e6 ()
2012 May 9 09:08:09 ffffff0161ab3980 ffffff0003ea7af0 unix:ddi_getl+12 ()
2012 May 9 09:08:09 ffffff0161ab38c0
ffffff0003ea7b30 ehci:ehci_handle_endpoint_reclaimation+91 ()
2012 May 9 09:08:09 ffffff0161ab3800 ffffff0003ea7b70 ehci:ehci_intr+184 ()
2012 May 9 09:08:09 ffffff0161ab3740 ffffff0003ea7bc0 unix:av_dispatch_autovect+74 ()
2012 May 9 09:08:09 ffffff0161ab3680 ffffff0003ea7c00 unix:dispatch_hardint+33 ()
2012 May 9 09:08:09 ffffff0161ab35c0 ffffff0003e05a50 unix:switch_sp_and_call+13 ()
2012 May 9 09:08:09 ffffff0161ab3500 ffffff0003e05aa0 unix:do_interrupt+b6 ()
2012 May 9 09:08:10 ffffff0161ab3440 ffffff0003e05ab0 unix:cmnint+ba ()
2012 May 9 09:08:10 ffffff0161ab3380 ffffff0003e05ba0 unix:mach_cpu_idle+6 ()
2012 May 9 09:08:10 ffffff0161ab32c0 ffffff0003e05bd0 unix:cpu_idle+b2 ()
2012 May 9 09:08:10 ffffff0161ab3200 ffffff0003e05c00 unix:idle+116 ()
2012 May 9 09:08:10 ffffff0161ab3140 ffffff0003e05c10 unix:thread_start+8 ()
2012 May 9 09:08:10 ffffff0161ab3080
2012 May 9 09:09:03 ffffff0161e85f00
panic[cpu0]/thread=ffffff0003ea7c20:
2012 May 9 09:09:03 ffffff0161e85e40
BAD TRAP: type=e (#pf Page fault) rp=fffffffffbc879d0 addr=0 occurred in module "<unknown>" due to
a NULL pointer dereference
2012 May 9 09:09:03 ffffff0161e85d80
2012 May 9 09:09:03 ffffff0161e85cc0 syncing file systems...
2012 May 9 09:09:03 ffffff0161e85c00 done
2012 May 9 09:09:04 ffffff0161e85b40
dumping to /dev/zvol/dsk/rpool/dump, offset 65536, content: kernel
2012 May 9 09:09:05 ffffff0161e85a80 NOTICE: ahci0: ahci_tran_reset_dport port 0 reset port
=> Interesting to see we couldn't attach the device on port 1
> *panic_thread::findstack -v
stack pointer for thread ffffff0003ea7c20: ffffff0003ea7730
ffffff0003ea7870 0xffffff0003ea79c0()
ffffff0003ea79c0 0x10000000e()
ffffff0003ea7af0 ddi_get32+0x12()
ffffff0003ea7b30 ehci_handle_endpoint_reclaimation+0x91(ffffff0149379000)
ffffff0003ea7b70 ehci_intr+0x184(ffffff0149379000, 0)
ffffff0003ea7bc0 av_dispatch_autovect+0x74(13)
ffffff0003ea7c00 dispatch_hardint+0x33(13, 0)
ffffff0003e05a50 switch_sp_and_call+0x13()
ffffff0003e05aa0 do_interrupt+0xb6(ffffff0003e05ab0, 1)
ffffff0003e05ab0 _interrupt+0xba()
ffffff0003e05ba0 mach_cpu_idle+6()
ffffff0003e05bd0 cpu_idle+0xb2()
ffffff0003e05c00 idle+0x116()
ffffff0003e05c10 thread_start+8()
=> Some confusion over whether we're running ddi_getl() or ddi_get32()
> ddi_get32::dis
ddi_get32: movl 0x68(%rdi),%edx
ddi_get32+3: cmpl $0xa,%edx
ddi_get32+6: jne +0x5 <ddi_get32+0xd>
ddi_get32+8: movq %rsi,%rdx
ddi_get32+0xb: inl (%dx)
ddi_get32+0xc: ret
ddi_get32+0xd: cmpl $0xc,%edx
ddi_get32+0x10: jne +0x3 <ddi_get32+0x15>
ddi_get32+0x12: movl (%rsi),%eax
ddi_get32+0x14: ret
ddi_get32+0x15: jmp *0x88(%rdi)
=> So we gell over at instruction offset 0x12 which was:
movl (%rsi),%eax
> ::regs
%rax = 0xffffff023772af00 %r9 = 0x000000000002ceaf
%rbx = 0xffffff014bb98800 %r10 = 0xfffffffffbcb9ab0 lwpsleepq+0x3570
%rcx = 0xffffff014acfe300 %r11 = 0xfffffffffb82d0bc dispatch_hardint
%rdx = 0x000000000000000c %r12 = 0xffffff0149379000
%rsi = 0xffffff023772af00 %r13 = 0xffffff023772af00
%rdi = 0xffffff014bbe5bc0 %r14 = 0xffffff014bb98854
%r8 = 0x000000000002ceaf %r15 = 0xffffff01466b4c30
%rip = 0xfffffffffb85ff32 ddi_get32+0x12
%rbp = 0xffffff0003ea7af0
%rsp = 0xffffff0003ea7ab8
%rflags = 0x00010246
id=0 vip=0 vif=0 ac=0 vm=0 rf=1 nt=0 iopl=0x0
status=<of,df,IF,tf,sf,ZF,af,PF,cf>
%cs = 0x0030 %ds = 0x004b %es = 0x004b
%trapno = 0xe %fs = 0x0000 %gs = 0x01c3
%err = 0x0
The value of %rsi is 0xffffff023772af00, we're trying to dereference that and store
it into %eax
> 0xffffff023772af00/J
mdb: failed to read data from target: no mapping for address
0xffffff023772af00:
And it sure looks bogus to me, plus it's the bogus address seen in the panic stack.
So this would have been passed upto us via ehci_handle_endpoint_reclaimation()
Looking at the illumos source code (which may be slightly different to the Solaris 11
source, which isn't publicly available):
217 /*
218 * ehci_handle_endpoint_reclamation:
219 *
220 * Reclamation of Host Controller (HC) Endpoint Descriptors (QH).
221 */
222 void
223 ehci_handle_endpoint_reclaimation(ehci_state_t *ehcip)
224 {
225 usb_frame_number_t current_frame_number;
226 usb_frame_number_t endpoint_frame_number;
227 ehci_qh_t *reclaim_qh;
228
> ffffff0149379000::print ehci_state_t
{
ehci_dip = 0xffffff01466b4c30
ehci_instance = 0
ehci_hcdi_ops = 0xffffff0148486388
ehci_cb_hdl = 0xffffff01466b4e90
ehci_flags = 0x1e
ehci_vendor_id = 0x8086
ehci_device_id = 0x265c
ehci_rev_id = 0
ehci_caps_handle = 0xffffff014bbe5d00
ehci_capsp = 0xffffff010272a000
ehci_regsp = 0xffffff010272a020
ehci_config_handle = 0xffffff014bbe5e40
ehci_frame_interval = 0
ehci_dma_attr = {
.
.
.
(truncated)
It's quite a long structure and I'm not 100% familiar with it, so not sure it's worth
reviewing it all.
Can I look at the device ID?
> 0xffffff01466b4c30::print struct dev_info
{
devi_parent = 0xffffff01466b8688
devi_child = 0
devi_sibling = 0xffffff01466b4960
devi_binding_name = 0xffffff0146690b1c "pciclass,0c0320"
devi_addr = 0xffffff014bbf3c00 "b"
.
.
.
devi_hw_prop_ptr = 0xffffff014b6b6418
devi_node_name = 0xffffff0148832e48 "pci8086,265c"
devi_compat_names = 0xffffff0146690b00 "pci8086,265c.0"
Hmmm, seems so.
How about the vendor id and device id?
0x8086 Intel Corporation
Device Id Chip Description Vendor Id Vendor Name
0x265C USB 2.0 EHCI Controller 0x8086 Intel Corporation
Well the structure itself looks reasonably sound from an initial review.
So where did we hand over to ddi_get32() ??
ehci_handle_endpoint_reclaimation+0x89: movq %r12,%rsi
ehci_handle_endpoint_reclaimation+0x8c: call -0x296d <ehci_deallocate_qh>
ehci_handle_endpoint_reclaimation+0x91: movq 0x650(%r13),%r12
Interesting, the dis-assembly shows us calling ehci_deallocate_qh() and not ddi_get32()
Taking apart the stack:
> ffffff0003ea7730-0x60,100/nap
0xffffff0003ea76d0:
0xffffff0003ea76d0: 0xd1
0xffffff0003ea76d8: 0xd1
0xffffff0003ea76e0: 0xe
0xffffff0003ea76e8: 0xffffff0003ea77b0
0xffffff0003ea76f0: kvseg
0xffffff0003ea76f8: 0xffffff0003ea7778
0xffffff0003ea7700: 0xffffff0003ea7760
0xffffff0003ea7708: avl_find+0x56
0xffffff0003ea7710: vpanic+0x22
0xffffff0003ea7718: 0xfffffffffb957418
0xffffff0003ea7720: 0xffffff0003ea7830
0xffffff0003ea7728: 0xfffffffffb957698
0xffffff0003ea7730: 0xffffff0003ea7870
0xffffff0003ea7738: 0xffffff0003ea79c0
0xffffff0003ea7740: 0xffffff023772af00
0xffffff0003ea7748: 0xffffff0003ea7780
.
.
.
0xffffff0003ea7a48: 0xffffff014bbe5d00
0xffffff0003ea7a50: 0xffffff0003ea7ac0
0xffffff0003ea7a58: 0x4b
0xffffff0003ea7a60: 0x4b
0xffffff0003ea7a68: 0
0xffffff0003ea7a70: 0x1c3
0xffffff0003ea7a78: 0xe
0xffffff0003ea7a80: 0
0xffffff0003ea7a88: ddi_get32+0x12
0xffffff0003ea7a90: 0x30
0xffffff0003ea7a98: 0x10246
0xffffff0003ea7aa0: 0xffffff0003ea7ab8
0xffffff0003ea7aa8: 0x38
0xffffff0003ea7ab0: 0xffffff0003ea7af0
0xffffff0003ea7ab8: ehci_deallocate_qh+0x57
0xffffff0003ea7ac0: 0xffffffffc002cea0
0xffffff0003ea7ac8: 0xffffff0149379000
0xffffff0003ea7ad0: 0xffffff014bb98800
0xffffff0003ea7ad8: 0x23a007
0xffffff0003ea7ae0: 0xffffff014bb98800
0xffffff0003ea7ae8: 0xffffff0149379000
0xffffff0003ea7af0: 0xffffff0003ea7b30
0xffffff0003ea7af8: ehci_handle_endpoint_reclaimation+0x91
0xffffff0003ea7b00: 0xffffff01466b4c30
0xffffff0003ea7b08: 0xffffff014b6d3298
... seems we do call ehci_deallocate_qh() before getting to ddi_get32()
> ehci_deallocate_qh::dis
ehci_deallocate_qh: pushq %rbp
ehci_deallocate_qh+1: movq %rsp,%rbp
ehci_deallocate_qh+4: subq $0x10,%rsp
ehci_deallocate_qh+8: movq %rdi,-0x8(%rbp)
ehci_deallocate_qh+0xc: movq %rsi,-0x10(%rbp)
ehci_deallocate_qh+0x10: pushq %rbx
ehci_deallocate_qh+0x11: pushq %r12
ehci_deallocate_qh+0x13: pushq %r13
ehci_deallocate_qh+0x15: subq $0x8,%rsp
ehci_deallocate_qh+0x19: movq %rdi,%r12
ehci_deallocate_qh+0x1c: movq %rsi,%rbx
ehci_deallocate_qh+0x1f: movq 0x128(%r12),%rdi
ehci_deallocate_qh+0x27: leaq 0x10(%rbx),%rsi
ehci_deallocate_qh+0x2b: call +0x3ae00dc <ddi_get32>
ehci_deallocate_qh+0x30: andq $0xffffffffffffffe0,%rax
ehci_deallocate_qh+0x34: movq %r12,%rdi
ehci_deallocate_qh+0x37: movq %rax,%rsi
ehci_deallocate_qh+0x3a: call +0x1671 <ehci_qtd_iommu_to_cpu>
ehci_deallocate_qh+0x3f: movq %rax,%r13
ehci_deallocate_qh+0x42: testq %r13,%r13
ehci_deallocate_qh+0x45: je +0x35 <ehci_deallocate_qh+0x7c>
ehci_deallocate_qh+0x47: movq 0x160(%r12),%rdi
ehci_deallocate_qh+0x4f: movq %r13,%rsi
ehci_deallocate_qh+0x52: call +0x3ae00b5 <ddi_get32>
ehci_deallocate_qh+0x57: movl %eax,%esi
ehci_deallocate_qh+0x59: movq %r12,%rdi
... and the stack shows the call to ddi_get32() at ehci_deallocate_qh+0x57
It seems we're looking for an offset from %rbx to get our %rsi for the first
call to ddi_get32() then it's the value of %r13 being moved into %esi where
we then fall over.
In the source I see we're doing this:
1330 first_dummy_qtd = ehci_qtd_iommu_to_cpu(ehcip,
1331 (Get_QH(old_qh->qh_next_qtd) & EHCI_QH_NEXT_QTD_PTR));
Where Get_QH() decodes as:
870 #define Get_QH(addr) ddi_get32(ehcip->ehci_qh_pool_mem_handle, \
871 (uint32_t *)&addr)
... so this is where the ddi_get32() comes into play.
Alas there are a number of calls to Get_QH() in this ehci_deallocate_qh() function.
Summary
I suspect the failure to connect to the device port is causing some form of bogus/NULL address to appear in a structure here and we're tripping over it.
Change History (5)
comment:1 by , 12 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:2 by , 12 years ago
Hello there,
As I pointed out at the beginning of the bug report, I'm running 4.1.15 *because* I was hitting panic's on my Mac when rebooting my guest virtual machine. Since I put that on I haven't had a panic under MacOS 10.6.8.
I would have installed guest extensions 4.1.15 but they do not appear to be available on your download web page. If this is available I'll happily try installing that and seeing if the panic's in the guest OS (Solaris 11) are reproducible.
I know 4.1.15 vbox binaries and the 4.1.14 extension pack are not a good/supported option and I clearly mentioned this at the beginning being open and honest. You can see I performed a fair amount of work looking at the Solaris 11 dump, so I have to say I'm somewhat disappointed this has been closed without anyone actually discussing the matter with me.
If there is a problem in this code area come the next version then potentially you'll have a bunch of Solaris 11 boxes panicing, which I'd like to help prevent. Of course it's highly likely that the version number mismatch is the problem, so if I could install that and the problem goes away then hey we know that was the root cause. It's a pretty quick test and has very little impact on you guys if this is the fix.
On the other hand if I demonstrate the problem again then maybe there is something that needs investigating?
Just trying to work with you guys, see if someone can meet me half way here.
Thanks,
Jason
comment:3 by , 12 years ago
| Resolution: | invalid |
|---|---|
| Status: | closed → reopened |
Could you try the 4.1.15 Mac OS X test build together with this Extension Pack?
comment:4 by , 12 years ago
Hi Frank,
I tried the 4.1.15 extension pack and had mixed results. The virtual machine did appear to hang with a USB stick however X wouldn't start. Technically the gdm service was running and Xorg was running but I had no login box I could see, the display had an odd red/yellow flashing output in the miniature display in the main Virtualbox window.
I had to revert back to 4.1.14 to see if that problem went away and I could get X back - I could. So I'll try upgrading to 4.1.15 (binaries and extension pack) again to see if the problem is reproducible.
Thanks,
Jason.
comment:5 by , 8 years ago
| Resolution: | → obsolete |
|---|---|
| Status: | reopened → closed |
Please reopen if still relevant with a recent VirtualBox release.
Note:
See TracTickets
for help on using tickets.
Sorry, we do not accept bug reports against mismatched VirtualBox <-> Extension Pack versions. Unless you're running one of the Mountain Lion DPs, there is no point in running a 4.1.15 test build. In fact you should not use a test build unless specifically directed to do so; if you do, expect trouble (and no help).
Please go back to the official release (4.1.14) and the accompanying extension pack. If the error persists, then open a ticket against that combination.