From owner-freebsd-bugs@FreeBSD.ORG Tue Sep 21 05:50:13 2004 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 24C3D16A4CE for ; Tue, 21 Sep 2004 05:50:13 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 09E2343D53 for ; Tue, 21 Sep 2004 05:50:13 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i8L5oCkU086713 for ; Tue, 21 Sep 2004 05:50:12 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i8L5oCO3086694; Tue, 21 Sep 2004 05:50:12 GMT (envelope-from gnats) Resent-Date: Tue, 21 Sep 2004 05:50:12 GMT Resent-Message-Id: <200409210550.i8L5oCO3086694@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Sang Woo Shim Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 73DC216A4CE for ; Tue, 21 Sep 2004 05:43:31 +0000 (GMT) Received: from neo.redjade.org (neo.redjade.org [219.254.21.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id B76DD43D2D for ; Tue, 21 Sep 2004 05:43:30 +0000 (GMT) (envelope-from ssw@neo.redjade.org) Received: from neo.redjade.org (localhost [127.0.0.1]) by neo.redjade.org (8.13.1/8.13.1) with ESMTP id i8L5hKHU017623; Tue, 21 Sep 2004 14:43:20 +0900 (KST) (envelope-from ssw@neo.redjade.org) Received: (from ssw@localhost) by neo.redjade.org (8.13.1/8.13.1/Submit) id i8L5hJsj017622; Tue, 21 Sep 2004 14:43:19 +0900 (KST) (envelope-from ssw) Message-Id: <200409210543.i8L5hJsj017622@neo.redjade.org> Date: Tue, 21 Sep 2004 14:43:19 +0900 (KST) From: Sang Woo Shim To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 cc: imp@bsdimp.com Subject: kern/71956: Panic in kobj_delete when a USB hub is detached. X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Sang Woo Shim List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Sep 2004 05:50:13 -0000 >Number: 71956 >Category: kern >Synopsis: Panic in kobj_delete when a USB hub is detached. >Confidential: no >Severity: critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Sep 21 05:50:12 GMT 2004 >Closed-Date: >Last-Modified: >Originator: Sang Woo Shim >Release: FreeBSD 6.0-CURRENT i386 >Organization: Icrosstech >Environment: System: FreeBSD odin 6.0-CURRENT FreeBSD 6.0-CURRENT #1: Fri Sep 17 13:32:39 KST 2004 root@odin:/usr/obj/usr/src/sys/ODIN i386 This is Pentium-4 2.4C, with HTT turned off. >Description: If you detach usb-hub with some devices attached under, the system panic occurs reliably. I've reproduced the panic with my usb keyboard. It is constituted by an usb-hub, and internally usb keyboard is attached under the hub. In the boot process, all of my usb devices are detached and reattached. (don't know why.) And the panic occurs after detaching. So I cannot boot with my keyboard attached. The panic isn't induced before version 1.63 of uhub.c. The following is the tr output in the DDB. (hand-writen) instruction ptr. 0x8:0xc04c6b73 kobj_delete() device_delete_child() usb_disconnect_port() uhub_detach() device_detach() device_delete_child() usb_disconnect_port() uhub_explore() usb_discover() usb_event_thread() fork_exit() fork_trampoline() Grepped output of instruction pointer. odin:/usr/obj/usr/src/sys/ODIN $ nm kernel.debug | grep c04c6b c04c6b68 T kobj_delete odin:/usr/obj/usr/src/sys/ODIN $ kgdb output. (kgdb) l *0xc04c6b73 0xc04c6b73 is in kobj_delete (/usr/src/sys/kern/subr_kobj.c:323). 318 } 319 320 void 321 kobj_delete(kobj_t obj, struct malloc_type *mtype) 322 { 323 kobj_class_t cls = obj->ops->cls; 324 int refs; 325 326 /* 327 * Consider freeing the compiled method table for the class (kgdb) fr 24 #24 0xc04c23dc in device_delete_child (dev=0x0, child=0xc1ffba00) at /usr/src/sys/kern/subr_bus.c:1489 1489 kobj_delete((kobj_t) child, M_BUS); (kgdb) p *child $3 = {ops = 0x0, link = {tqe_next = 0x0, tqe_prev = 0xc1ffbd98}, devlink = { tqe_next = 0x0, tqe_prev = 0xc1ffbd8c}, parent = 0xc1ffbd80, children = { tqh_first = 0x0, tqh_last = 0xc1ffba18}, driver = 0x0, devclass = 0x0, unit = -1, nameunit = 0x0, desc = 0x0, busy = 0, state = DS_NOTPRESEN >How-To-Repeat: As stated, unplug usb-hub with some devices attached to it. >Fix: >Release-Note: >Audit-Trail: >Unformatted: