Date: Fri, 22 Nov 2002 14:24:51 +1030 (CST) From: grog@lemis.com (Greg 'groggy' Lehey) To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/45579: Panic from USB stack after device detach Message-ID: <20021122035451.1224D51915@wantadilla.lemis.com>
next in thread | raw e-mail | index | archive | help
>Number: 45579 >Category: kern >Synopsis: Panic from USB stack after device detach >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Nov 21 20:00:05 PST 2002 >Closed-Date: >Last-Modified: >Originator: Greg Lehey >Release: FreeBSD 4.7-STABLE i386 >Organization: LEMIS SA Pty Ltd >Environment: System: FreeBSD ler.ri.cox.net 4.7-STABLE FreeBSD 4.7-STABLE #8: Thu Nov 21 19:19:36 EST 2002 root@ler.ri.cox.net:/usr/o bj/usr/src/sys/usbkern i386 Standard install of 4.7, probably not release-specific. >Description: The USB stack removes devices without checking whether they are still open. If a process subsequently accesses the device, it will crash on dereferencing the devsw. >How-To-Repeat: This occurs while testing the pilot-xfer port. In the case in point, I set a breakpoint in code which reads from a Palm Pilot. During this process, the device timed out and was removed. On resumption of the program, we get the following backtrace: (kgdb) bt #0 dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487 #1 0xc0148f7f in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:316 #2 0xc01493a4 in poweroff_wait (junk=0xc0276fcc, howto=-1071158545) at /usr/src/sys/kern/kern_shutdown.c:595 #3 0xc023f026 in trap_fatal (frame=0xc610acfc, eva=20) at /usr/src/sys/i386/i386/trap.c:974 #4 0xc023ecf9 in trap_pfault (frame=0xc610acfc, usermode=0, eva=20) at /usr/src/sys/i386/i386/trap.c:867 #5 0xc023e8e3 in trap (frame={tf_fs = -1064173552, tf_es = 16, tf_ds = 16, tf_edi = 4, tf_esi = -1063855872, tf_ebp = -971985580, tf_isp = -971985624, tf_ebx = -971985540, tf_edx = -971985540, tf_ecx = 18, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1072162193, tf_cs = 8, tf_eflags = 66195, tf_esp = -1063855872, tf_ss = 64}) at /usr/src/sys/i386/i386/trap.c:466 #6 0xc0181a6f in spec_poll (ap=0xc610ad7c) at /usr/src/sys/miscfs/specfs/spec_vnops.c:323 #7 0xc0181775 in spec_vnoperate (ap=0xc610ad7c) at /usr/src/sys/miscfs/specfs/spec_vnops.c:119 #8 0xc01f5315 in ufs_vnoperatespec (ap=0xc610ad7c) at /usr/src/sys/ufs/ufs/ufs_vnops.c:2440 #9 0xc017e09b in vn_poll (fp=0xc09e8680, events=64, cred=0xc09cf800, p=0xc5736a00) at vnode_if.h:458 #10 0xc0158a53 in selscan (p=0xc5736a00, ibits=0xc610ae1c, obits=0xc610ae10, nfd=5) at /usr/src/sys/sys/file.h:1 92 #11 0xc01587ad in select (p=0xc5736a00, uap=0xc610af80) at /usr/src/sys/kern/sys_generic.c:746 #12 0xc023f2d5 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 10, tf_esi = 0, tf_ebp = -107794 1216, tf_isp = -971984940, tf_ebx = 671701380, tf_edx = 5, tf_ecx = 0, tf_eax = 93, tf_trapno = 10, tf_err = 2, tf_eip = 672352128, tf_cs = 31, tf_eflags = 519, tf_esp = -1077941452, tf_ss = 47}) at /usr/src/sys/i386/i386/trap.c:1175 (kgdb) f 6 #6 0xc0181a6f in spec_poll (ap=0xc610ad7c) at /usr/src/sys/miscfs/specfs/spec_vnops.c:323 323 return (*devsw(dev)->d_poll)(dev, ap->a_events, ap->a_p); (kgdb) p/x *dev $4 = { si_flags = 0x0, si_udev = 0x8a80, si_hash = { le_next = 0xc0964400, le_prev = 0xc02a23fc }, si_hlist = { slh_first = 0xc6064600 }, si_name = {0x75, 0x63, 0x6f, 0x6d, 0x30, 0x0 <repeats 11 times>}, si_drv1 = 0x0, si_drv2 = 0x0, si_devsw = 0x0, si_iosize_max = 0x10000, __si_u = { __si_tty = { __sit_tty = 0xc09f8900 }, __si_disk = { __sid_disk = 0xc09f8900, __sid_mountpoint = 0x0, __sid_bsize_phys = 0x0, __sid_bsize_best = 0x0 } } } >Fix: Maintain a per-device open flag and check it before detaching the devices. Set sc_dying in any case, and check this flag before any I/O operation. >Release-Note: >Audit-Trail: >Unformatted: Panic from USB stack after device detach From: Greg Lehey <groggy> Reply-To: Greg Lehey <grog@lemis.coM> cc: X-send-pr-version: 3.113 X-GNATS-Notify: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021122035451.1224D51915>