Date: Fri, 22 Nov 2002 14:24:51 +1030 (CST)
From: grog@lemis.com (Greg 'groggy' Lehey)
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/45579: Panic from USB stack after device detach
Message-ID: <20021122035451.1224D51915@wantadilla.lemis.com>
>Number: 45579
>Category: kern
>Synopsis: Panic from USB stack after device detach
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 21 20:00:05 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Greg Lehey
>Release: FreeBSD 4.7-STABLE i386
>Organization:
LEMIS SA Pty Ltd
>Environment:
System: FreeBSD ler.ri.cox.net 4.7-STABLE FreeBSD 4.7-STABLE #8: Thu Nov 21 19:19:36 EST 2002 root@ler.ri.cox.net:/usr/obj/usr/src/sys/usbkern i386
Standard install of 4.7, probably not release-specific.
>Description:
The USB stack removes devices without checking whether they
are still open. If a process subsequently accesses the
device, it will crash on dereferencing the devsw.
>How-To-Repeat:
This occurs while testing the pilot-xfer port. In the case in
point, I set a breakpoint in code which reads from a Palm
Pilot. During this process, the device timed out and was
removed. On resumption of the program, we get the following
backtrace:
(kgdb) bt
#0 dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
#1 0xc0148f7f in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:316
#2 0xc01493a4 in poweroff_wait (junk=0xc0276fcc, howto=-1071158545) at /usr/src/sys/kern/kern_shutdown.c:595
#3 0xc023f026 in trap_fatal (frame=0xc610acfc, eva=20) at /usr/src/sys/i386/i386/trap.c:974
#4 0xc023ecf9 in trap_pfault (frame=0xc610acfc, usermode=0, eva=20) at /usr/src/sys/i386/i386/trap.c:867
#5 0xc023e8e3 in trap (frame={tf_fs = -1064173552, tf_es = 16, tf_ds = 16, tf_edi = 4, tf_esi = -1063855872,
      tf_ebp = -971985580, tf_isp = -971985624, tf_ebx = -971985540, tf_edx = -971985540, tf_ecx = 18, tf_eax = 0,
      tf_trapno = 12, tf_err = 0, tf_eip = -1072162193, tf_cs = 8, tf_eflags = 66195, tf_esp = -1063855872,
      tf_ss = 64}) at /usr/src/sys/i386/i386/trap.c:466
#6 0xc0181a6f in spec_poll (ap=0xc610ad7c) at /usr/src/sys/miscfs/specfs/spec_vnops.c:323
#7 0xc0181775 in spec_vnoperate (ap=0xc610ad7c) at /usr/src/sys/miscfs/specfs/spec_vnops.c:119
#8 0xc01f5315 in ufs_vnoperatespec (ap=0xc610ad7c) at /usr/src/sys/ufs/ufs/ufs_vnops.c:2440
#9 0xc017e09b in vn_poll (fp=0xc09e8680, events=64, cred=0xc09cf800, p=0xc5736a00) at vnode_if.h:458
#10 0xc0158a53 in selscan (p=0xc5736a00, ibits=0xc610ae1c, obits=0xc610ae10, nfd=5) at /usr/src/sys/sys/file.h:192
#11 0xc01587ad in select (p=0xc5736a00, uap=0xc610af80) at /usr/src/sys/kern/sys_generic.c:746
#12 0xc023f2d5 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 10, tf_esi = 0, tf_ebp = -1077941216,
      tf_isp = -971984940, tf_ebx = 671701380, tf_edx = 5, tf_ecx = 0, tf_eax = 93, tf_trapno = 10, tf_err = 2,
      tf_eip = 672352128, tf_cs = 31, tf_eflags = 519, tf_esp = -1077941452, tf_ss = 47})
    at /usr/src/sys/i386/i386/trap.c:1175
(kgdb) f 6
#6 0xc0181a6f in spec_poll (ap=0xc610ad7c) at /usr/src/sys/miscfs/specfs/spec_vnops.c:323
323 return (*devsw(dev)->d_poll)(dev, ap->a_events, ap->a_p);
(kgdb) p/x *dev
$4 = {
  si_flags = 0x0,
  si_udev = 0x8a80,
  si_hash = {
    le_next = 0xc0964400,
    le_prev = 0xc02a23fc
  },
  si_hlist = {
    slh_first = 0xc6064600
  },
  si_name = {0x75, 0x63, 0x6f, 0x6d, 0x30, 0x0 <repeats 11 times>},
  si_drv1 = 0x0,
  si_drv2 = 0x0,
  si_devsw = 0x0,
  si_iosize_max = 0x10000,
  __si_u = {
    __si_tty = {
      __sit_tty = 0xc09f8900
    },
    __si_disk = {
      __sid_disk = 0xc09f8900,
      __sid_mountpoint = 0x0,
      __sid_bsize_phys = 0x0,
      __sid_bsize_best = 0x0
    }
  }
}
>Fix:
Maintain a per-device open flag and check it before detaching
the devices. Set sc_dying in any case, and check this flag
before any I/O operation.
>Release-Note:
>Audit-Trail:
>Unformatted:
Panic from USB stack after device detach
From: Greg Lehey <groggy>
Reply-To: Greg Lehey <grog@lemis.coM>
cc:
X-send-pr-version: 3.113
X-GNATS-Notify:
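
The approach proposed under ">Fix:" (a per-device open flag, sc_dying set at detach, and a check before any I/O), sketched as a userspace model. This is an added example, not code from the report or from the FreeBSD tree; every model_* name and the struct layout are hypothetical, and only sc_dying, d_poll and the events value 64 are taken from the report.

```c
/* Userspace model; all model_* names are hypothetical, not FreeBSD kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct model_devsw { int (*d_poll)(int events); };
struct model_softc {
    struct model_devsw *devsw; /* NULL after teardown, like si_devsw in the dump */
    int sc_open;               /* per-device open count */
    int sc_dying;              /* set as soon as detach starts */
};

static int ready_poll(int events) { return events; }
static struct model_devsw model_sw = { ready_poll };

void model_attach(struct model_softc *sc) {
    sc->devsw = &model_sw; sc->sc_open = 0; sc->sc_dying = 0;
}
int model_open(struct model_softc *sc) {
    if (sc->sc_dying) return ENXIO;   /* no new opens on a dying device */
    sc->sc_open++;
    return 0;
}
/* Detach always sets sc_dying; teardown waits until nobody holds the device open. */
int model_detach(struct model_softc *sc) {
    sc->sc_dying = 1;
    if (sc->sc_open > 0) return EBUSY;
    sc->devsw = NULL;
    return 0;
}
/* I/O entry point checks sc_dying before dereferencing devsw. */
int model_poll(struct model_softc *sc, int events, int *revents) {
    if (sc->sc_dying || sc->devsw == NULL) return ENXIO;
    *revents = sc->devsw->d_poll(events);
    return 0;
}
void model_close(struct model_softc *sc) {
    if (sc->sc_open > 0) sc->sc_open--;
    if (sc->sc_dying && sc->sc_open == 0) sc->devsw = NULL; /* deferred teardown */
}
/* Sequence from the report: open, detach while open, then poll. */
int replay_poll_after_detach(void) {
    struct model_softc sc; int revents = 0;
    model_attach(&sc);
    model_open(&sc);
    if (model_detach(&sc) != EBUSY) return -1;
    return model_poll(&sc, 64, &revents);
}
int main(void) {
    printf("poll after detach -> %d (ENXIO=%d)\n", replay_poll_after_detach(), ENXIO);
    return 0;
}
```

In this model the poll that follows the detach returns ENXIO to the caller instead of reaching a NULL devsw pointer.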
