From nobody@FreeBSD.org  Tue Apr 22 05:33:46 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5D1C51065670
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Apr 2008 05:33:46 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 4F21E8FC1A
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Apr 2008 05:33:46 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m3M5XOj0025921
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Apr 2008 05:33:24 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m3M5XOci025919;
	Tue, 22 Apr 2008 05:33:24 GMT
	(envelope-from nobody)
Message-Id: <200804220533.m3M5XOci025919@www.freebsd.org>
Date: Tue, 22 Apr 2008 05:33:24 GMT
From: Arthur Hartwig <arthur.hartwig@nokia.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: System hang on removal of USB serial device (tty) 
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         122977
>Category:       kern
>Synopsis:       [ucom] System hang on removal of USB serial device (tty)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kib
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 22 05:40:03 UTC 2008
>Closed-Date:    Fri Oct 31 14:01:57 UTC 2008
>Last-Modified:  Fri Oct 31 14:01:57 UTC 2008
>Originator:     Arthur Hartwig
>Release:        6.3
>Organization:
Nokia
>Environment:
>Description:
Custom USB serial port driver in system which interfaces to ucom (USB tty) driver.

User logs in as root on ttyU0. syslogd is configured to send system messages to root. USB device is removed. System hang results.

On console terminal <break>ddb is used to enter ddb. Analysis shows kernel is looping in devfs_allocv() with vget() repeatedly called and returning 2 (ENOENT). Examination of the struct vnode pointer passed to vget() shows the VI_DOOMED bit is set. ddb shows syslogd as current process and syslogd attempting to open /dev/ttyU0, presumably to output the message which says that ucom0 (the 'port' for /dev/ttyU0) has been removed.


>How-To-Repeat:
See above description. 

All my tests have been done on a UP system. I haven't tested this theory but it's possible that different behaviour might be observed on an MP system: on an MP system other threads may get to run and cause some other change of state such that after a sufficient time, in devfs_allocv() not only does vget() return an error code but devfs_allocv_drop_refs() also returns an error code resulting in a break out of the loop in devfs_allocv().
>Fix:
In sys/fs/devfs/devfs_vnops.c, function devfs_allocv() change

 loop:
	DEVFS_DE_HOLD(de);
	DEVFS_DMP_HOLD(dmp);
	mtx_lock(&devfs_de_interlock);
	vp = de->de_vnode;
	if (vp != NULL) {
		VI_LOCK(vp);
		mtx_unlock(&devfs_de_interlock);
		sx_xunlock(&dmp->dm_lock);
		error = vget(vp, LK_EXCLUSIVE | LK_INTERLOCK, td);
		sx_xlock(&dmp->dm_lock);
		if (devfs_allocv_drop_refs(0, dmp, de)) {
			if (error == 0)
				vput(vp);
			return (ENOENT);
		}
		else if (error)
			goto loop;
		sx_xunlock(&dmp->dm_lock);
		*vpp = vp;
		return (0);
	}

to

 loop:
	DEVFS_DE_HOLD(de);
	DEVFS_DMP_HOLD(dmp);
	mtx_lock(&devfs_de_interlock);
	vp = de->de_vnode;
	if (vp != NULL) {
		VI_LOCK(vp);
		mtx_unlock(&devfs_de_interlock);
		sx_xunlock(&dmp->dm_lock);
		error = vget(vp, LK_EXCLUSIVE | LK_INTERLOCK, td);
		sx_xlock(&dmp->dm_lock);
		if (devfs_allocv_drop_refs(0, dmp, de)) {
			if (error == 0)
				vput(vp);
			return (ENOENT);
		}
		else if (error == ENOENT) {
			/* Don't loop if vget() returned ENOENT */
			sx_xunlock(&dmp->dm_lock);
			return error;
		}
		else if (error)
			goto loop;
		sx_xunlock(&dmp->dm_lock);
		*vpp = vp;
		return (0);
	}
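
Added example, not part of the original report and not FreeBSD source: a user-space C model of the retry policy in the two versions of devfs_allocv() above, showing why a permanent ENOENT from a doomed vnode must end the loop. model_vget(), model_allocv(), MODEL_DOOMED, the EBUSY transient failure and SPIN_CAP are assumptions of the model; locking and devfs_allocv_drop_refs() are left out.

```c
#include <errno.h>
#include <stdio.h>

#define MODEL_DOOMED	0x1	/* stands in for VI_DOOMED (model only) */
#define SPIN_CAP	1000000L /* model-only guard so the old policy stops */

struct model_vnode {
	int flags;
	int busy;	/* constructed: transient failures left before success */
};

/* Stand-in for vget(): once the vnode is doomed, ENOENT never goes away. */
static int
model_vget(struct model_vnode *vp)
{
	if (vp->flags & MODEL_DOOMED)
		return (ENOENT);
	if (vp->busy > 0) {
		vp->busy--;
		return (EBUSY);	/* constructed transient error, worth a retry */
	}
	return (0);
}

/*
 * fixed == 0: retry on any error (the code before the change).
 * fixed == 1: give up on ENOENT, retry on other errors (after the change).
 * Returns the final error; -1 means the model's spin cap was reached.
 */
static int
model_allocv(struct model_vnode *vp, int fixed, long *tries)
{
	int error;

	for (*tries = 1; ; (*tries)++) {
		error = model_vget(vp);
		if (error == 0)
			return (0);
		if (fixed && error == ENOENT)
			return (ENOENT);
		if (*tries >= SPIN_CAP)
			return (-1);	/* the kernel has no cap: it hangs here */
	}
}

int
main(void)
{
	struct model_vnode a = { MODEL_DOOMED, 0 }, b = { MODEL_DOOMED, 0 };
	long n;
	int e = model_allocv(&a, 0, &n);

	printf("before: error=%d after %ld tries\n", e, n);
	e = model_allocv(&b, 1, &n);
	printf("after:  error=%d after %ld tries\n", e, n);
	return (0);
}
```

A vnode that is only temporarily unavailable is still retried under both policies; only the doomed case changes.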


>Release-Note:
>Audit-Trail:

From: Arthur Hartwig <Arthur.Hartwig@nokia.com>
To: bug-followup@FreeBSD.org, arthur.hartwig@nokia.com
Cc:  
Subject: Re: kern/122977: [ucom] System hang on removal of USB serial device
 (tty)
Date: Mon, 19 May 2008 18:30:22 +1000

 Is there any status update on this PR? Has my analysis been accepted?
 
 
Responsible-Changed-From-To: freebsd-bugs->kib-bugs 
Responsible-Changed-By: kib 
Responsible-Changed-When: Mon May 19 10:25:48 UTC 2008 
Responsible-Changed-Why:  
Take 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122977 
Responsible-Changed-From-To: kib-bugs->kib 
Responsible-Changed-By: kib 
Responsible-Changed-When: Mon May 19 11:17:35 UTC 2008 
Responsible-Changed-Why:  
Correctly spell my uid. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/122977: commit references a PR
Date: Fri, 23 May 2008 16:36:45 +0000 (UTC)

 kib         2008-05-23 16:36:40 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/fs/devfs         devfs_vnops.c 
   Log:
   When vget() fails (because the vnode has been reclaimed), there is no
   sense to loop trying to vget() the vnode again.
   
   PR:     122977
   Submitted by:   Arthur Hartwig <arthur.hartwig nokia com>
   Tested by:      pho
   Reviewed by:    jhb
   MFC after:      1 week
   
   Revision  Changes    Path
   1.159     +4 -3      src/sys/fs/devfs/devfs_vnops.c
 
State-Changed-From-To: open->patched 
State-Changed-By: gavin 
State-Changed-When: Wed Jun 11 12:55:26 UTC 2008 
State-Changed-Why:  
This is fixed in HEAD and RELENG_7, but not yet merged to RELENG_6 

State-Changed-From-To: patched->closed 
State-Changed-By: kib 
State-Changed-When: Fri Oct 31 14:00:13 UTC 2008 
State-Changed-Why:  
Closed; I see no sense in committing this to 6. 

>Unformatted:
