From owner-freebsd-usb@FreeBSD.ORG  Tue Oct  8 01:50:00 2013
Return-Path: <owner-freebsd-usb@FreeBSD.ORG>
Delivered-To: freebsd-usb@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id D386D719
 for <freebsd-usb@smarthost.ysv.freebsd.org>;
 Tue,  8 Oct 2013 01:50:00 +0000 (UTC)
 (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 97296269B
 for <freebsd-usb@smarthost.ysv.freebsd.org>;
 Tue,  8 Oct 2013 01:50:00 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id r981o07S024211
 for <freebsd-usb@freefall.freebsd.org>; Tue, 8 Oct 2013 01:50:00 GMT
 (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
 by freefall.freebsd.org (8.14.7/8.14.7/Submit) id r981o0qt024209;
 Tue, 8 Oct 2013 01:50:00 GMT (envelope-from gnats)
Resent-Date: Tue, 8 Oct 2013 01:50:00 GMT
Resent-Message-Id: <201310080150.r981o0qt024209@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-usb@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
 Alexander Vysokovskih <av@ural.org>
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id 1E597F11
 for <freebsd-gnats-submit@FreeBSD.org>; Tue,  8 Oct 2013 01:41:35 +0000 (UTC)
 (envelope-from nobody@FreeBSD.org)
Received: from oldred.freebsd.org (oldred.freebsd.org [8.8.178.121])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id E494E25E6
 for <freebsd-gnats-submit@FreeBSD.org>; Tue,  8 Oct 2013 01:41:34 +0000 (UTC)
Received: from oldred.freebsd.org ([127.0.1.6])
 by oldred.freebsd.org (8.14.5/8.14.7) with ESMTP id r981fYf5039190
 for <freebsd-gnats-submit@FreeBSD.org>; Tue, 8 Oct 2013 01:41:34 GMT
 (envelope-from nobody@oldred.freebsd.org)
Received: (from nobody@localhost)
 by oldred.freebsd.org (8.14.5/8.14.5/Submit) id r981fYX8039161;
 Tue, 8 Oct 2013 01:41:34 GMT (envelope-from nobody)
Message-Id: <201310080141.r981fYX8039161@oldred.freebsd.org>
Date: Tue, 8 Oct 2013 01:41:34 GMT
From: Alexander Vysokovskih <av@ural.org>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: usb/182820: usbusX if destroy page fault panic
X-BeenThere: freebsd-usb@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: FreeBSD support for USB <freebsd-usb.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-usb>,
 <mailto:freebsd-usb-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-usb>
List-Post: <mailto:freebsd-usb@freebsd.org>
List-Help: <mailto:freebsd-usb-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-usb>,
 <mailto:freebsd-usb-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Oct 2013 01:50:01 -0000


>Number:         182820
>Category:       usb
>Synopsis:       usbusX if destroy page fault panic
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-usb
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 08 01:50:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Vysokovskih
>Release:        10.0-ALPHA4 r255933
>Organization:
>Environment:
FreeBSD sandbox-10.ural.org 10.0-ALPHA4 FreeBSD 10.0-ALPHA4 #0 r255933: Sun Sep 29 02:50:54 UTC 2013    root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC   amd64
>Description:
KDB: debugger backends: ddb
KDB: current backend: ddb
Copyright (c) 1992-2013 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 10.0-ALPHA4 #0 r255933: Sun Sep 29 02:50:54 UTC 2013
    root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
FreeBSD clang version 3.3 (tags/RELEASE_33/final 183502) 20130610
WARNING: WITNESS option enabled, expect reduced performance.
CPU: Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz (2471.71-MHz K8-class CPU)
  Origin = "GenuineIntel"  Id = 0x306a9  Family = 0x6  Model = 0x3a  Stepping = 9
  Features=0x1783fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x201<SSE3,SSSE3>
  AMD Features=0x28100800<SYSCALL,NX,RDTSCP,LM>
  AMD Features2=0x1<LAHF>
real memory  = 2147418112 (2047 MB)
avail memory = 2049912832 (1954 MB)
Event timer "LAPIC" quality 400
ACPI APIC Table: <VBOX   VBOXAPIC>
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
FreeBSD/SMP: 1 package(s) x 2 core(s)
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
random device not loaded; using insecure entropy
ioapic0 <Version 1.1> irqs 0-23 on motherboard
random: <Software, Yarrow> initialized
kbd1 at kbdmux0
acpi0: <VBOX VBOXXSDT> on motherboard
acpi0: Power Button (fixed)
acpi0: Sleep Button (fixed)
cpu0: <ACPI CPU> on acpi0
cpu1: <ACPI CPU> on acpi0
attimer0: <AT timer> port 0x40-0x43,0x50-0x53 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
acpi_timer0: <32-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
isab0: <PCI-ISA bridge> at device 1.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX4 UDMA33 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xd000-0xd00f at device 1.1 on pci0
ata0: <ATA channel> at channel 0 on atapci0
ata1: <ATA channel> at channel 1 on atapci0
vgapci0: <VGA-compatible display> mem 0xe0000000-0xe07fffff irq 18 at device 2.0 on pci0
virtio_pci0: <VirtIO PCI Network adapter> port 0xd020-0xd03f irq 19 at device 3.0 on pci0
vtnet0: <VirtIO Networking Adapter> on virtio_pci0
virtio_pci0: host features: 0x410fdda3 <NotifyOnEmpty,VLanFilter,RxMode,ControlVq,Status,MrgRxBuf,TxUFO,TxTSOv6,TxTSOv4,RxUFO,RxTSOv6,RxTSOv4,MacAddress,RxChecksum,TxChecksum>
virtio_pci0: negotiated features: 0xf99a3 <VLanFilter,RxMode,ControlVq,Status,MrgRxBuf,TxTSOv6,TxTSOv4,RxTSOv6,RxTSOv4,MacAddress,RxChecksum,TxChecksum>
vtnet0: Ethernet address: 08:00:27:9e:bb:21
pci0: <base peripheral> at device 4.0 (no driver attached)
ohci0: <OHCI (generic) USB controller> mem 0xf0404000-0xf0404fff irq 22 at device 6.0 on pci0
usbus0 on ohci0
pci0: <bridge> at device 7.0 (no driver attached)
ehci0: <Intel 82801FB (ICH6) USB 2.0 controller> mem 0xf0405000-0xf0405fff irq 19 at device 11.0 on pci0
usbus1: EHCI version 1.0
usbus1 on ehci0
 uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart0: console (9600,n,8,1)
battery0: <ACPI Control Method Battery> on acpi0
acpi_acad0: <AC Adapter> on acpi0
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: model IntelliMouse Explorer, device ID 4
orm0: <ISA Option ROMs> at iomem 0xc0000-0xc7fff,0xe2000-0xe2fff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
atrtc0: <AT realtime clock> at port 0x70 irq 8 on isa0
Event timer "RTC" frequency 32768 Hz quality 0
ppc0: cannot reserve I/O port range
Timecounters tick every 10.000 msec
usbus0: 12Mbps Full Speed USB v1.0
usbus1: 480Mbps High Speed USB v2.0
ugen0.1: <Apple> at usbus0
uhub0: <Apple OHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus0
ugen1.1: <Intel> at usbus1
uhub1: <Intel EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus1
ada0 at ata0 bus 0 scbus0 target 0 lun 0
ada0: <VBOX HARDDISK 1.0> ATA-6 device
ada0: 33.300MB/s transfers (UDMA2, PIO 65536bytes)
ada0: 8710MB (17839056 512 byte sectors: 16H 63S/T 16383C)
ada0: Previously was known as ad0
cd0 at ata1 bus 0 scbus1 target 0 lun 0
cd0: <VBOX CD-ROM 1.0> Removable CD-ROM SCSI-0 device 
cd0: 33.300MB/s transfers (UDMA2, ATAPI 12bytes, PIO 65534bytes)
cd0: Attempt to query device size failed: NOT READY, Medium not present
Netvsc initializing... SMP: AP CPU #1 Launched!
WARNING: WITNESS option enabled, expect reduced performance.
uhub0: 8 ports with 8 removable, self powered
Root mount waiting for: usbus1 usbus0
Root mount waiting for: usbus1 usbus0
ugen0.2: <PixArt> at usbus0
Root mount waiting for: usbus1
Root mount waiting for: usbus1
uhub1: 8 ports with 8 removable, self powered
Trying to mount root from ufs:/dev/ada0p2 [rw]...
WARNING: / was not properly dismounted
WARNING: /: mount pending error: blocks 0 files 4
vtnet0: link state changed to UP
ums0: <PixArt Microsoft USB Optical Mouse, class 0/0, rev 1.10/1.00, addr 2> on usbus0
ums0: 3 buttons and [XYZ] coordinates ID=0

---

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x10
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80a8c5ec
stack pointer           = 0x28:0xfffffe007b7727e0
frame pointer           = 0x28:0xfffffe007b772800
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 847 (ifconfig)

Reading symbols from /boot/kernel/ums.ko.symbols...done.
Loaded symbols for /boot/kernel/ums.ko.symbols
#0  doadump (textdump=0) at pcpu.h:218
218     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump (textdump=0) at pcpu.h:218
#1  0xffffffff8034136e in db_dump (dummy=<value optimized out>, dummy2=0,
    dummy3=0, dummy4=0x0) at /usr/src/sys/ddb/db_command.c:543
#2  0xffffffff80340e0d in db_command (cmd_table=<value optimized out>)
    at /usr/src/sys/ddb/db_command.c:449
#3  0xffffffff80340b84 in db_command_loop ()
    at /usr/src/sys/ddb/db_command.c:502
#4  0xffffffff80343530 in db_trap (type=<value optimized out>, code=0)
    at /usr/src/sys/ddb/db_main.c:231
#5  0xffffffff808ef433 in kdb_trap (type=12, code=0, tf=<value optimized out>)
    at /usr/src/sys/kern/subr_kdb.c:654
#6  0xffffffff80cae62a in trap_fatal (frame=0xfffffe007b772730,
    eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:868
#7  0xffffffff80cae8e4 in trap_pfault (frame=0x0, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:699
#8  0xffffffff80cae0e0 in trap (frame=0xfffffe007b772730)
    at /usr/src/sys/amd64/amd64/trap.c:463
#9  0xffffffff80c95ec2 in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:232
#10 0xffffffff80a8c5ec in nd6_purge (ifp=0xfffff8000256f800)
    at /usr/src/sys/netinet6/nd6.c:823
#11 0xffffffff80a778b9 in in6_ifdetach (ifp=0xfffff8000256f800)
    at /usr/src/sys/netinet6/in6_ifattach.c:813
---Type <return> to continue, or q <return> to quit---
#12 0xffffffff8097b3d3 in if_detach (ifp=0xfffff8000256f800)
    at /usr/src/sys/net/if.c:871
#13 0xffffffff8075ebb2 in usbpf_clone_destroy (ifc=0xfffff800027d4d80,
    ifp=0xfffff8000256f800) at /usr/src/sys/dev/usb/usb_pf.c:225
#14 0xffffffff80980ae2 in if_clone_destroyif (ifc=0xfffff800027d4d80,
    ifp=0xfffff8000256f800) at /usr/src/sys/net/if_clone.c:333
#15 0xffffffff8098097e in if_clone_destroy (name=<value optimized out>)
    at /usr/src/sys/net/if_clone.c:291
#16 0xffffffff8097d806 in ifioctl (so=0xfffff80002c6f570,
    cmd=<value optimized out>, data=0xfffff8000279f660 "usbus0",
    td=0xfffff80002c02490) at /usr/src/sys/net/if.c:2513
#17 0xffffffff8090e94a in kern_ioctl (td=0xfffff80002c02490,
    fd=<value optimized out>, com=8) at file.h:319
#18 0xffffffff8090e62f in sys_ioctl (td=0xfffff80002c02490,
    uap=0xfffffe007b772b80) at /usr/src/sys/kern/sys_generic.c:698
#19 0xffffffff80caee35 in amd64_syscall (td=0xfffff80002c02490, traced=0)
    at subr_syscall.c:134
#20 0xffffffff80c961ab in Xfast_syscall ()
    at /usr/src/sys/amd64/amd64/exception.S:391
#21 0x000000080119b9ca in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language:  auto; currently minimal
(kgdb)
(kgdb) fr 15
#15 0xffffffff8098097e in if_clone_destroy (name=<value optimized out>)
    at /usr/src/sys/net/if_clone.c:291
291             err = if_clone_destroyif(ifc, ifp);
(kgdb) fr 14
#14 0xffffffff80980ae2 in if_clone_destroyif (ifc=0xfffff800027d4d80,
    ifp=0xfffff8000256f800) at /usr/src/sys/net/if_clone.c:333
333                     err = (*ifc->ifc_destroy)(ifc, ifp);
(kgdb) fr 13
#13 0xffffffff8075ebb2 in usbpf_clone_destroy (ifc=0xfffff800027d4d80,
    ifp=0xfffff8000256f800) at /usr/src/sys/dev/usb/usb_pf.c:225
225             if_detach(ifp);
(kgdb) fr 12
#12 0xffffffff8097b3d3 in if_detach (ifp=0xfffff8000256f800)
    at /usr/src/sys/net/if.c:871
871             in6_ifdetach(ifp);
(kgdb) fr 11
#11 0xffffffff80a778b9 in in6_ifdetach (ifp=0xfffff8000256f800)
    at /usr/src/sys/netinet6/in6_ifattach.c:813
813             nd6_purge(ifp);
(kgdb) fr 10
#10 0xffffffff80a8c5ec in nd6_purge (ifp=0xfffff8000256f800)
    at /usr/src/sys/netinet6/nd6.c:823
823             if (ND_IFINFO(ifp)->flags & ND6_IFF_ACCEPT_RTADV) {
(kgdb) print ifp
$1 = (struct ifnet *) 0xfffff8000256f800
(kgdb) print *ifp
$2 = {if_softc = 0xfffffe00008bb320, if_l2com = 0x0, if_vnet = 0x0, if_link = {
    tqe_next = 0x0, tqe_prev = 0xfffff80002570018},
  if_xname = "usbus0\000\000\000\000\000\000\000\000\000",
  if_dname = 0xffffffff80ee5a5c "usbus", if_dunit = 0, if_refcount = 2,
  if_addrhead = {tqh_first = 0xfffff8000241d600,
    tqh_last = 0xfffff8000241d6c0}, if_pcount = 0, if_carp = 0x0,
  if_bpf = 0xfffff800027a3500, if_index = 3, if_index_reserved = 0,
  if_vlantrunk = 0x0, if_flags = 0, if_capabilities = 0, if_capenable = 0,
  if_linkmib = 0x0, if_linkmiblen = 0, if_data = {ifi_type = 160 '&#9618;',
    ifi_physical = 0 '\0', ifi_addrlen = 0 '\0', ifi_hdrlen = 0 '\0',
    ifi_link_state = 0 '\0', ifi_vhid = 0 '\0', ifi_baudrate_pf = 0 '\0',
    ifi_datalen = 152 '\230', ifi_mtu = 0, ifi_metric = 0, ifi_baudrate = 0,
    ifi_ipackets = 0, ifi_ierrors = 0, ifi_opackets = 0, ifi_oerrors = 0,
    ifi_collisions = 0, ifi_ibytes = 0, ifi_obytes = 0, ifi_imcasts = 0,
    ifi_omcasts = 0, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 0,
    ifi_epoch = 52, ifi_lastchange = {tv_sec = 1381179412, tv_usec = 796566}},
  if_multiaddrs = {tqh_first = 0x0, tqh_last = 0xfffff8000256f938},
  if_amcount = 0, if_output = 0, if_input = 0, if_start = 0,
  if_ioctl = 0xffffffff8075f2b0 <usbpf_ioctl>, if_init = 0,
  if_resolvemulti = 0, if_qflush = 0xffffffff8097d550 <if_qflush>,
  if_transmit = 0xffffffff809800a0 <if_transmit>, if_reassign = 0,
  if_home_vnet = 0x0, if_addr = 0xfffff8000241d600, if_llsoftc = 0x0,
  if_drv_flags = 0, if_snd = {ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0,
---Type <return> to continue, or q <return> to quit---
    ifq_maxlen = 50, ifq_drops = 0, ifq_mtx = {lock_object = {
        lo_name = 0xfffff8000256f828 "usbus0", lo_flags = 16973824,
        lo_data = 0, lo_witness = 0xfffffe00006d3d80}, mtx_lock = 4},
    ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0,
    ifq_drv_maxlen = 0, altq_type = 0, altq_flags = 0, altq_disc = 0x0,
    altq_ifp = 0xfffff8000256f800, altq_enqueue = 0, altq_dequeue = 0,
    altq_request = 0, altq_clfier = 0x0, altq_classify = 0, altq_tbr = 0x0,
    altq_cdnr = 0x0}, if_broadcastaddr = 0x0, if_bridge = 0x0, if_label = 0x0,
  if_unused = {0x0, 0x0}, if_afdata = {0x0, 0x0, 0xfffff80002426f20,
    0x0 <repeats 39 times>}, if_afdata_initialized = 2, if_afdata_lock = {
    lock_object = {lo_name = 0xffffffff80f27a92 "if_afdata",
      lo_flags = 86179840, lo_data = 0, lo_witness = 0xfffffe00006d3d00},
    rw_lock = 1}, if_linktask = {ta_link = {stqe_next = 0x0}, ta_pending = 0,
    ta_priority = 0, ta_func = 0xffffffff8097a5e0 <do_link_state_change>,
    ta_context = 0xfffff8000256f800}, if_addr_lock = {lock_object = {
      lo_name = 0xffffffff80f1ab75 "if_addr_lock", lo_flags = 86179840,
      lo_data = 0, lo_witness = 0xfffffe00006ccb80}, rw_lock = 1},
  if_clones = {le_next = 0x0, le_prev = 0xfffff800027d4da8}, if_groups = {
    tqh_first = 0xfffff80002acd020, tqh_last = 0xfffff80002acd028},
  if_pf_kif = 0x0, if_lagg = 0x0, if_description = 0x0, if_fib = 0,
  if_alloctype = 160 '&#9618;', if_hw_tsomax = 65535, if_cspare = "\000\000",
  if_ispare = {0, 0, 0, 0}, if_pspare = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
    0x0}}

---

(kgdb) print ifp->if_afdata
$3 = {0x0, 0x0, 0xfffff80002426f20, 0x0 <repeats 39 times>}
(kgdb) print ifp->if_afdata[28]
$4 = (void *) 0x0

---

There is no checks about existense of ifp scructure member used in ND_IFINFO macro in nd6_purge().

#define AF_INET6        28              /* IPv6 */
#define ND_IFINFO(ifp) \
        (((struct in6_ifextra *)(ifp)->if_afdata[AF_INET6])->nd_ifinfo)

mld6_var.h also contain same macro used in mld_ifdetach():

#define MLD_IFINFO(ifp) \
        (((struct in6_ifextra *)(ifp)->if_afdata[AF_INET6])->mld_ifinfo)


>How-To-Repeat:
In my VirtualBox just new installed FreeBSD 10.0-ALPHA4 #r255933 panicked like:

# ifconfig usbus0 create
# ifconfig usbus0 destroy

or 

# usbdump
^C
>Fix:
I think what my pretty simple patch not very smart at all. Why we should call in6_ifdetach() for usb interfaces?

>Release-Note:
>Audit-Trail:
>Unformatted: