From owner-freebsd-stable@FreeBSD.ORG  Sat Jan 24 15:22:34 2009
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id BF9D8106566C
	for <freebsd-stable@FreeBSD.ORG>; Sat, 24 Jan 2009 15:22:34 +0000 (UTC)
	(envelope-from avg@icyb.net.ua)
Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140])
	by mx1.freebsd.org (Postfix) with ESMTP id EF8C98FC0C
	for <freebsd-stable@FreeBSD.ORG>; Sat, 24 Jan 2009 15:22:33 +0000 (UTC)
	(envelope-from avg@icyb.net.ua)
Received: from odyssey.starpoint.kiev.ua (alpha-e.starpoint.kiev.ua
	[212.40.38.101])
	by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id RAA25146
	for <freebsd-stable@FreeBSD.ORG>; Sat, 24 Jan 2009 17:22:31 +0200 (EET)
	(envelope-from avg@icyb.net.ua)
Message-ID: <497B3237.4000708@icyb.net.ua>
Date: Sat, 24 Jan 2009 17:22:31 +0200
From: Andriy Gapon <avg@icyb.net.ua>
User-Agent: Thunderbird 2.0.0.19 (X11/20090110)
MIME-Version: 1.0
To: freebsd-stable@FreeBSD.ORG
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: 
Subject: panic in destroy_devl: null si_devsw
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Jan 2009 15:22:35 -0000


System: FreeBSD 7.1-PRERELEASE amd64 somewhere from the beginning of
Decemeber

I am not sure how I managed to get to this panic - I believe my code is
correct - but I got a panic in destroy_devl on NULL si_devsw.

Backtrace:
--- trap 0xc, rip = 0xffffffff80271c3f, rsp = 0xffffffffdb3e8510, rbp =
0xffffffffdb3e8550 ---
destroy_devl() at 0xffffffff80271c3f = destroy_devl+0x316
destroy_dev() at 0xffffffff80271e2c = destroy_dev+0x19
heci_deallocate_resources() at 0xffffffffdb63e0e6 =
heci_deallocate_resources+0x20
heci_detach() at 0xffffffffdb63e183 = heci_detach+0x11
heci_pci_attach() at 0xffffffffdb63f921 = heci_pci_attach+0x123
device_attach() at 0xffffffff802caa21 = device_attach+0x327
device_probe_and_attach() at 0xffffffff802cb8ef =
device_probe_and_attach+0xe2
pci_driver_added() at 0xffffffff80212e82 = pci_driver_added+0xf9
devclass_add_driver() at 0xffffffff802c98fa = devclass_add_driver+0xd7
driver_module_handler() at 0xffffffff802ca641 = driver_module_handler+0x74
module_register_init() at 0xffffffff8029901d = module_register_init+0xf7
linker_load_module() at 0xffffffff80292582 = linker_load_module+0xa01
kern_kldload() at 0xffffffff80292aa2 = kern_kldload+0xd4
kldload() at 0xffffffff80292b66 = kldload+0x61
syscall() at 0xffffffff8043d58d = syscall+0x347
Xfast_syscall() at 0xffffffff80423a5b = Xfast_syscall+0xab
--- syscall (304, FreeBSD ELF64, kldload), rip = 0x80067ff3c, rsp =
0x7fffffffe5b8, rbp = 0 ---

Debug:
(kgdb) fr 7
#7  0xffffffff80271c3f in destroy_devl (dev=0xffffff0075d45800) at
/usr/src/sys/kern/kern_conf.c:906
906                     if (LIST_EMPTY(&csw->d_devs)) {
(kgdb) list
901             if (!(dev->si_flags & SI_ALIAS)) {
902                     /* Remove from cdevsw list */
903                     LIST_REMOVE(dev, si_list);
904
905                     /* If cdevsw has no more struct cdev *'s, clean
it */
906                     if (LIST_EMPTY(&csw->d_devs)) {
907                             fini_cdevsw(csw);
908                             wakeup(&csw->d_devs);
909                     }
910             }
(kgdb) p csw
$1 = (struct cdevsw *) 0x0

Perhaps I screwed up something myself, but here is a question - why do
we have a check for NULL csw here:
 873         csw = dev->si_devsw;
 874         dev->si_devsw = NULL;   /* already NULL for SI_ALIAS */
 875         while (csw != NULL && csw->d_purge != NULL &&
dev->si_threadcount) {

and don't have any check where the panic occurred?

About the code that called destroy_dev(): it created cdev probably too
early, failed to allocate some system resource, so it went to destroy
the newly created cdev. Non-null cdevsw was definitely provided to make_dev.

-- 
Andriy Gapon