From owner-freebsd-bugs Thu Nov 21 20: 0:10 2002
Message-Id: <20021122035451.1224D51915@wantadilla.lemis.com>
Date: Fri, 22 Nov 2002 14:24:51 +1030 (CST)
From: grog@lemis.com (Greg 'groggy' Lehey)
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/45579: Panic from USB stack after device detach
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         45579
>Category:       kern
>Synopsis:       Panic from USB stack after device detach
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 21 20:00:05 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Greg Lehey
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
LEMIS SA Pty Ltd
>Environment:
System: FreeBSD ler.ri.cox.net 4.7-STABLE FreeBSD 4.7-STABLE #8: Thu Nov 21 19:19:36 EST 2002 root@ler.ri.cox.net:/usr/obj/usr/src/sys/usbkern i386

Standard install of 4.7, probably not release-specific.
>Description:
The USB stack removes devices without checking whether they are still
open.  If a process subsequently accesses the device, it will crash on
dereferencing the devsw.
>How-To-Repeat:
This occurs while testing the pilot-xfer port.  In the case in point,
I set a breakpoint in code which reads from a Palm Pilot.  During this
process, the device timed out and was removed.  On resumption of the
program, we get the following backtrace:

(kgdb) bt
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
#1  0xc0148f7f in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:316
#2  0xc01493a4 in poweroff_wait (junk=0xc0276fcc, howto=-1071158545)
    at /usr/src/sys/kern/kern_shutdown.c:595
#3  0xc023f026 in trap_fatal (frame=0xc610acfc, eva=20)
    at /usr/src/sys/i386/i386/trap.c:974
#4  0xc023ecf9 in trap_pfault (frame=0xc610acfc, usermode=0, eva=20)
    at /usr/src/sys/i386/i386/trap.c:867
#5  0xc023e8e3 in trap (frame={tf_fs = -1064173552, tf_es = 16, tf_ds = 16,
      tf_edi = 4, tf_esi = -1063855872, tf_ebp = -971985580,
      tf_isp = -971985624, tf_ebx = -971985540, tf_edx = -971985540,
      tf_ecx = 18, tf_eax = 0, tf_trapno = 12, tf_err = 0,
      tf_eip = -1072162193, tf_cs = 8, tf_eflags = 66195,
      tf_esp = -1063855872, tf_ss = 64})
    at /usr/src/sys/i386/i386/trap.c:466
#6  0xc0181a6f in spec_poll (ap=0xc610ad7c)
    at /usr/src/sys/miscfs/specfs/spec_vnops.c:323
#7  0xc0181775 in spec_vnoperate (ap=0xc610ad7c)
    at /usr/src/sys/miscfs/specfs/spec_vnops.c:119
#8  0xc01f5315 in ufs_vnoperatespec (ap=0xc610ad7c)
    at /usr/src/sys/ufs/ufs/ufs_vnops.c:2440
#9  0xc017e09b in vn_poll (fp=0xc09e8680, events=64, cred=0xc09cf800,
    p=0xc5736a00) at vnode_if.h:458
#10 0xc0158a53 in selscan (p=0xc5736a00, ibits=0xc610ae1c, obits=0xc610ae10,
    nfd=5) at /usr/src/sys/sys/file.h:192
#11 0xc01587ad in select (p=0xc5736a00, uap=0xc610af80)
    at /usr/src/sys/kern/sys_generic.c:746
#12 0xc023f2d5 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
      tf_edi = 10, tf_esi = 0, tf_ebp = -1077941216, tf_isp = -971984940,
      tf_ebx = 671701380, tf_edx = 5, tf_ecx = 0, tf_eax = 93,
      tf_trapno = 10, tf_err = 2, tf_eip = 672352128, tf_cs = 31,
      tf_eflags = 519, tf_esp = -1077941452, tf_ss = 47})
    at /usr/src/sys/i386/i386/trap.c:1175
(kgdb) f 6
#6  0xc0181a6f in spec_poll (ap=0xc610ad7c)
    at /usr/src/sys/miscfs/specfs/spec_vnops.c:323
323             return (*devsw(dev)->d_poll)(dev, ap->a_events, ap->a_p);
(kgdb) p/x *dev
$4 = {
  si_flags = 0x0,
  si_udev = 0x8a80,
  si_hash = {
    le_next = 0xc0964400,
    le_prev = 0xc02a23fc
  },
  si_hlist = {
    slh_first = 0xc6064600
  },
  si_name = {0x75, 0x63, 0x6f, 0x6d, 0x30, 0x0 },
  si_drv1 = 0x0,
  si_drv2 = 0x0,
  si_devsw = 0x0,
  si_iosize_max = 0x10000,
  __si_u = {
    __si_tty = {
      __sit_tty = 0xc09f8900
    },
    __si_disk = {
      __sid_disk = 0xc09f8900,
      __sid_mountpoint = 0x0,
      __sid_bsize_phys = 0x0,
      __sid_bsize_best = 0x0
    }
  }
}
>Fix:
Maintain a per-device open flag and check it before detaching the
devices.  Set sc_dying in any case, and check this flag before any I/O
operation.
>Release-Note:
>Audit-Trail:
>Unformatted:
 Panic from USB stack after device detach
 From: Greg Lehey
 Reply-To: Greg Lehey
 cc:
 X-send-pr-version: 3.113
 X-GNATS-Notify:
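
Added illustration, not part of the problem report and not FreeBSD source: a userland C model of the approach named under >Fix:, where detach always sets sc_dying, teardown is deferred while the per-device open flag is set, and the poll path checks the flag instead of calling through a NULL si_devsw. The model_* and hw_poll names and the ENXIO return value are assumptions; sc_dying, si_devsw and d_poll are borrowed from the report.

```c
/* Userland model of the >Fix: proposal; hypothetical names, not kernel code. */
#include <errno.h>
#include <stddef.h>
struct model_devsw { int (*d_poll)(int events); };
struct model_dev {
    struct model_devsw *si_devsw; /* NULL after teardown, as in the dump */
    int sc_open;                  /* per-device open flag */
    int sc_dying;                 /* set as soon as detach begins */
};
static int hw_poll(int events) { return events; } /* stand-in driver poll */
static struct model_devsw model_sw = { hw_poll };

static void model_attach(struct model_dev *d) {
    d->si_devsw = &model_sw; d->sc_open = d->sc_dying = 0;
}

static int model_open(struct model_dev *d) {
    if (d->sc_dying || d->si_devsw == NULL) return ENXIO; /* assumed errno */
    d->sc_open = 1;
    return 0;
}

/* Every I/O entry point checks the flag before touching si_devsw. */
static int model_poll(struct model_dev *d, int events, int *revents) {
    if (d->sc_dying || d->si_devsw == NULL) return ENXIO;
    *revents = d->si_devsw->d_poll(events);
    return 0;
}

/* Detach always sets sc_dying; teardown waits while the device is open.
 * Returns 1 if teardown was deferred to close, 0 if done immediately. */
static int model_detach(struct model_dev *d) {
    d->sc_dying = 1;
    if (d->sc_open) return 1;
    d->si_devsw = NULL;
    return 0;
}

static void model_close(struct model_dev *d) {
    d->sc_open = 0;
    if (d->sc_dying) d->si_devsw = NULL; /* finish the deferred teardown */
}

int main(void) {
    struct model_dev d; int ev = 0;
    model_attach(&d); model_open(&d); model_detach(&d); /* unplug while open */
    int rc = model_poll(&d, 64, &ev);  /* refused, no call through NULL */
    model_close(&d);
    return rc == ENXIO ? 0 : 1;
}
```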