From nobody@FreeBSD.org  Fri Nov 11 01:43:54 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5B00C16A41F
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 11 Nov 2005 01:43:54 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 182FD43D48
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 11 Nov 2005 01:43:54 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id jAB1hr4r040582
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 11 Nov 2005 01:43:53 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id jAB1hrAT040581;
	Fri, 11 Nov 2005 01:43:53 GMT
	(envelope-from nobody)
Message-Id: <200511110143.jAB1hrAT040581@www.freebsd.org>
Date: Fri, 11 Nov 2005 01:43:53 GMT
From: ale <per.qu@email.it>
To: freebsd-gnats-submit@FreeBSD.org
Subject: atapicam - kernel trap 12
X-Send-Pr-Version: www-2.3

>Number:         88823
>Category:       kern
>Synopsis:       [modules] [atapicam] [patch] atapicam - kernel trap 12 on loading and unloading
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    trasz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 11 01:50:15 GMT 2005
>Closed-Date:    Thu Jan 08 17:28:00 UTC 2009
>Last-Modified:  Thu Jan 08 17:28:00 UTC 2009
>Originator:     ale
>Release:        6.0-RELEASE
>Organization:
>Environment:
FreeBSD regulus.leo 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov  3 09:36:13 UTC 2005     root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
Loading and unloading atapicam in a rapid sequence causes a kernel trap 12.
This doesn't happen when waiting some seconds between the two operations.
>How-To-Repeat:
kldload atapicam;kldunload atapicam
>Fix:
              
>Release-Note:
>Audit-Trail:

From: Thomas Quinot <thomas@FreeBSD.ORG>
To: ale <per.qu@email.it>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/88823: atapicam - kernel trap 12
Date: Fri, 11 Nov 2005 11:18:33 +0100

 * ale, 2005-11-11 :
 
 > >Description:
 >               Loading and unloading atapicam in a rapid sequence causes a kernel trap 12. This doesn't happen when waiting some seconds between the two operations.
 > >How-To-Repeat:
 >               kldload atapicam;kldunload atapicam
 
 Please provide a backtrace of the trap.
 
 Thomas.
 

From: ale <per.qu@email.it>
To: Thomas Quinot <thomas@FreeBSD.ORG>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/88823: atapicam - kernel trap 12
Date: Sat, 12 Nov 2005 15:07:27 +0100

 Is this what you want?
 If not, please tell me what I have to do to satisfy your request.
 --------------------------------------------------------------------------------------
 #0  doadump () at pcpu.h:165
 #1  0xc0638202 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
 #2  0xc0638498 in panic (fmt=0xc084e5a2 "%s")
     at /usr/src/sys/kern/kern_shutdown.c:555
 #3  0xc0807c30 in trap_fatal (frame=0xe5050c5c, eva=3264131372)
     at /usr/src/sys/i386/i386/trap.c:831
 #4  0xc080799b in trap_pfault (frame=0xe5050c5c, usermode=0, eva=3264131372)
     at /usr/src/sys/i386/i386/trap.c:742
 #5  0xc08075d9 in trap (frame=
       {tf_fs = -452657144, tf_es = -1067188184, tf_ds = -1064173528, tf_edi
 = 4, tf_esi = -1034584760, tf_ebp = -452653900, tf_isp = -452653944, tf_ebx
 = 0, tf_edx = -1037116032, tf_ecx = 0, tf_eax = 80, tf_trapno = 12, tf_err =
 0, tf_eip = -1030835924, tf_cs = 32, tf_eflags = 590466, tf_esp =
 -1068688558, tf_ss = -1034584760}) at /usr/src/sys/i386/i386/trap.c:432
 #6  0xc07f6dca in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #7  0xc28eb12c in ?? ()
 --------------------------------------------------------------------------------------
 
 P.S.
 I booted /boot/kernel/kernel.debug: am I supposed to find kernel.debug.n in
 /var/crash?
 
 P.P.S.
 I did a fresh install again and I can replicate the problem.
 
 Thanks
 Ale
  
 
 
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Thu Apr 19 06:26:45 UTC 2007 
State-Changed-Why:  
Is this still a problem with recent versions of FreeBSD such as 6.2? 


Responsible-Changed-From-To: freebsd-bugs->linimon 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Apr 19 06:26:45 UTC 2007 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=88823 

From: linimon@lonesome.com (Mark Linimon)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/88823: [modules] atapicam - kernel trap 12 on loading and unloading
Date: Sat, 21 Apr 2007 17:43:10 -0500

 Forwarding from private email received from per qu <per.qu@email.it>:
 
 I'm running FreeBSD 6.2-STABLE and I can confirm that the problem still
 exists.
 
 This is what I've got after updating the sources and doing a buildworld
 cycle last night.
 I don't know if there is a way to go deeper in the trace or to get more
 useful information, so if there is something that I can do, feel free to
 ask!
 
 # kgdb /usr/obj/usr/src/sys/REGULUS/kernel.debug /var/crash/vmcore.12
 kgdb: kvm_nlist(_stopped_cpus): 
 kgdb: kvm_nlist(_stoppcbs): 
 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so:
 Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain
 conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-marcel-freebsd".
 
 Unread portion of the kernel message buffer:
 acd0: FAILURE - INQUIRY ILLEGAL REQUEST asc=0x24 ascq=0x00 
 cd0 at ata0 bus 0 target 1 lun 0
 cd0: <PIONEER DVD-ROM DVD-117 1.07> Removable CD-ROM SCSI-0 device 
 cd0: 66.000MB/s transfers
 cd0: Attempt to query device size failed: NOT READY, Medium not present
 (cd0:ata0:0:1:0): lost device
 atapicam0: detached
 (cd1:dead_sim0:0:1:0): lost device
 (cd1:dead_sim0:0:1:0): removing device entry
 atapicam1: detached
 atapicam2: detached
 atapicam3: detached
 
 
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0xc61db390
 fault code              = supervisor read, page not present
 instruction pointer     = 0x20:0xc61db390
 stack pointer           = 0x28:0xe62d1c44
 frame pointer           = 0x28:0xe62d1c78
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 19 (swi6: task queue)
 trap number             = 12
 panic: page fault
 Uptime: 6m18s
 Dumping 1534 MB (2 chunks)
   chunk 0: 1MB (159 pages) ... ok
   chunk 1: 1535MB (392752 pages) 1519 1503 1487 1471 1455 1439 1423 1407
 1391 1375 1359 1343 1327 1311 1295 1279 1263 1247 1231 1215 1199 1183 1167
 1151 1135 1119 1103 1087 1071 1055 1039 1023 1007 991 975 959 943 927 911
 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607
 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303
 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15
 
 #0  doadump () at pcpu.h:165
 165     pcpu.h: No such file or directory.
         in pcpu.h
 (kgdb) bt
 #0  doadump () at pcpu.h:165
 #1  0xc053489a in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
 #2  0xc0534ba4 in panic (fmt=0xc0719028 "%s")
     at /usr/src/sys/kern/kern_shutdown.c:565
 #3  0xc06f2285 in trap_fatal (frame=0xe62d1c04, eva=0)
     at /usr/src/sys/i386/i386/trap.c:837
 #4  0xc06f1fa5 in trap_pfault (frame=0xe62d1c04, usermode=0, eva=3323835280)
     at /usr/src/sys/i386/i386/trap.c:745
 #5  0xc06f1b8f in trap (frame=
       {tf_fs = -1052508152, tf_es = -966655960, tf_ds = 40, tf_edi =
 -966645360, tf_esi = 0, tf_ebp = -433251208, tf_isp = -433251280, tf_ebx =
 -976369664, tf_edx = -977300352, tf_ecx = 4, tf_eax = 2, tf_trapno = 12,
 tf_err = 0, tf_eip = -971132016, tf_cs = 32, tf_eflags = 66182, tf_esp =
 -1069102524, tf_ss = -966645360}) at /usr/src/sys/i386/i386/trap.c:435
 #6  0xc06ddf2a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #7  0xc61db390 in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 (kgdb) thread apply all bt
 
 Thread 63 (Thread 100082):
 #0  sched_switch (td=0xc60cf780, newtd=0xc5b2c300, flags=2)
     at /usr/src/sys/kern/sched_4bsd.c:980
 #1  0xc053c451 in mi_switch (flags=2, newtd=0x0)
     at /usr/src/sys/kern/kern_synch.c:420
 #2  0xc0548fd2 in critical_exit () at kern_switch.c:642
 #3  0xc06e799a in spinlock_exit () at /usr/src/sys/i386/i386/machdep.c:2357
 #4  0xc055ab1a in turnstile_unpend (ts=0x0)
     at /usr/src/sys/kern/subr_turnstile.c:836
 #5  0xc052a5c6 in _mtx_unlock_sleep (m=0xc0788160, opts=0, file=0x0, line=0)
     at /usr/src/sys/kern/kern_mutex.c:704
 #6  0xc052409e in kern_kldunload (td=0xc651d700, fileid=0, flags=0)
     at /usr/src/sys/kern/kern_linker.c:864
 #7  0xc05240f7 in kldunloadf (td=0x0, uap=0x0)
     at /usr/src/sys/kern/kern_linker.c:888
 #8  0xc06f263b in syscall (frame=
       {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 7, tf_esi = -1077940702,
 tf_ebp = -1077940968, tf_isp = -127890076, tf_ebx = 1, tf_edx = -1077940702,
 tf_ecx = 1, tf_eax = 444, tf_trapno = 12, tf_err = 2, tf_eip = 671871479,
 tf_cs = 51, tf_eflags = 582, tf_esp = -1077942100, tf_ss = 59})
     at /usr/src/sys/i386/i386/trap.c:983
 #9  0xc06ddf7f in Xint0x80_syscall () at
 /usr/src/sys/i386/i386/exception.s:200
 #10 0x00000033 in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 165     in pcpu.h
 
State-Changed-From-To: feedback->analyzed 
State-Changed-By: linimon 
State-Changed-When: Sat Apr 21 23:14:49 UTC 2007 
State-Changed-Why:  
Submitter notes that this is still a problem. 


Responsible-Changed-From-To: linimon->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Apr 21 23:14:49 UTC 2007 
Responsible-Changed-Why:  


From: per qu <per.qu@email.it>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/88823: [modules] atapicam - kernel trap 12 on loading and unloading
Date: Wed, 25 Apr 2007 03:00:46 +0200

 Is this giving more info?
 
 acd0: FAILURE - INQUIRY ILLEGAL REQUEST asc=0x24 ascq=0x00 
 cd0 at ata0 bus 0 target 1 lun 0
 cd0: <PIONEER DVD-ROM DVD-117 1.07> Removable CD-ROM SCSI-0 device 
 cd0: 66.000MB/s transfers
 cd0: Attempt to query device size failed: NOT READY, Medium not present
 acd1: FAILURE - INQUIRY ILLEGAL REQUEST asc=0x24 ascq=0x00 sks=0x48 0x00
 0x01
 (cd0:ata0:0:1:0): lost device
 (cd0:ata0:0:1:0): removing device entry
 atapicam0: detached
 lock order reversal: (sleepable after non-sleepable)
  1st 0xc5e29a3c ATAPICAM lock (ATAPICAM lock) @
 /usr/src/sys/modules/ata/atapicam/../../../dev/ata/atapi-cam.c:872
  2nd 0xc143e344 user map (user map) @ /usr/src/sys/vm/vm_map.c:3074
 KDB: stack backtrace:
 kdb_backtrace(c072507f,c143e344,c0738393,c0738393,c0738413,...) at
 kdb_backtrace+0x2f
 witness_checkorder(c143e344,9,c0738413,c02,13e,...) at
 witness_checkorder+0x6db
 _sx_xlock(c143e344,c0738413,c02,c22,f8614a08,...) at _sx_xlock+0x7f
 _vm_map_lock_read(c143e300,c0738413,c02,1000000,deadc000,...) at
 _vm_map_lock_read+0x4a
 vm_map_lookup(f8614aa0,deadc000,1,f8614aa4,f8614a94,...) at
 vm_map_lookup+0x2e
 vm_fault(c144b000,deadc000,1,0,c61aad80,...) at vm_fault+0x7e
 trap_pfault(f8614b6c,0,deadc0de,1a1,deadc0de,...) at trap_pfault+0x162
 trap(c0780008,c5cd0028,28,c5e29a3c,19,...) at trap+0x35e
 calltrap() at calltrap+0x5
 --- trap 0xc, eip = 0xc5c2b3bb, esp = 0xf8614bac, ebp = 0xf8614bb8 ---
 free_hcb_and_ccb_done(c5e29a3c,0,c5c2bc3b,368,c5e29800,...) at
 free_hcb_and_ccb_done+0x12
 free_softc(c5e29a3c,0,c5c2bc3b,100,c5e62980,...) at free_softc+0x4d
 atapi_cam_detach(c5e62980,1,c0722c31,96f,c5e2d810,...) at
 atapi_cam_detach+0xc7
 device_detach(c5e62980,0,c5e62980,c5b6e880,c5c2ce88,...) at
 device_detach+0x8f
 devclass_delete_driver(c5b6e880,c5c2ce9c,1,c5c20800,c5c20800,...) at
 devclass_delete_driver+0x8e
 driver_module_handler(c5c20800,1,c5c2ce88) at driver_module_handler+0xe7
 module_unload(c5c20800,0,219,0,0,...) at module_unload+0x61
 linker_file_unload(c6602d00,0,c071ec76,345,0,...) at linker_file_unload+0x89
 kern_kldunload(c61aad80,6,0,f8614d30,c06e1962,...) at kern_kldunload+0x96
 kldunloadf(c61aad80,f8614d04,8,420,2,...) at kldunloadf+0x2c
 syscall(bfbf003b,bfbf003b,bfbf003b,6,bfbfef12,...) at syscall+0x295
 Xint0x80_syscall() at Xint0x80_syscall+0x1f
 --- syscall (444, FreeBSD ELF32, kldunloadf), eip = 0x280bf1f7, esp =
 0xbfbfe9dc, ebp = 0xbfbfee48 ---
 panic: vm_fault: fault on nofault entry, addr: deadc000
 KDB: enter: panic
 panic: from debugger
 Uptime: 6m18s
 Physical memory: 1522 MB
 Dumping 73 MB: 58 42 26 10
 
 #0  doadump () at pcpu.h:165
 165     pcpu.h: No such file or directory.
         in pcpu.h
 (kgdb) bt
 #0  doadump () at pcpu.h:165
 #1  0xc0535163 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
 #2  0xc0535481 in panic (fmt=0xc070dcbd "from debugger")
     at /usr/src/sys/kern/kern_shutdown.c:565
 #3  0xc0454e37 in db_panic (addr=-1068164582, have_addr=0, count=-1, 
     modif=0xf8614848 "") at /usr/src/sys/ddb/db_command.c:438
 #4  0xc0454db0 in db_command (last_cmdp=0xc0786644, cmd_table=0x0, 
     aux_cmd_tablep=0xc07463a4, aux_cmd_tablep_end=0xc07463a8)
     at /usr/src/sys/ddb/db_command.c:350
 #5  0xc0454ea1 in db_command_loop () at /usr/src/sys/ddb/db_command.c:458
 #6  0xc0456db9 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:222
 #7  0xc0551ca4 in kdb_trap (type=0, code=0, tf=0xf8614994)
     at /usr/src/sys/kern/subr_kdb.c:473
 #8  0xc06e10aa in trap (frame=
       {tf_fs = -1066205176, tf_es = 40, tf_ds = -127860696, tf_edi = 1,
 tf_esi = -1066172763, tf_ebp = -127841828, tf_isp = -127841856, tf_ebx =
 -127841772, tf_edx = 1, tf_ecx = -1052684288, tf_eax = 18, tf_trapno = 3,
 tf_err = 0, tf_eip = -1068164582, tf_cs = 32, tf_eflags = 642, tf_esp =
 -1066257592, tf_ss = -1066266397}) at /usr/src/sys/i386/i386/trap.c:594
 #9  0xc06cc95a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #10 0xc0551a1a in kdb_enter (msg=0x12 <Address 0x12 out of bounds>)
     at cpufunc.h:60
 #11 0xc0535419 in panic (
 ---Type <return> to continue, or q <return> to quit---
     fmt=0xc0737ea5 "vm_fault: fault on nofault entry, addr: %lx")
     at /usr/src/sys/kern/kern_shutdown.c:549
 #12 0xc06882fe in vm_fault (map=0xc144b000, vaddr=3735928832, 
     fault_type=1 '\001', fault_flags=0) at /usr/src/sys/vm/vm_fault.c:279
 #13 0xc06e12f2 in trap_pfault (frame=0xf8614b6c, usermode=0, eva=3735929054)
     at /usr/src/sys/i386/i386/trap.c:734
 #14 0xc06e0f2a in trap (frame=
       {tf_fs = -1065877496, tf_es = -976420824, tf_ds = 40, tf_edi =
 -975005124, tf_esi = 25, tf_ebp = -127841352, tf_isp = -127841384, tf_ebx =
 -559038242, tf_edx = 25, tf_ecx = 2, tf_eax = -559038242, tf_trapno = 12,
 tf_err = 0, tf_eip = -977095749, tf_cs = 32, tf_eflags = 66182, tf_esp =
 -976387072, tf_ss = -559038242}) at /usr/src/sys/i386/i386/trap.c:435
 #15 0xc06cc95a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #16 0xc5c2b3bb in ?? ()
 Previous frame inner to this frame (corrupt stack?)
  
 
 

From: Jaakko Heinonen <jh@saunalahti.fi>
To: bug-followup@FreeBSD.org, per.qu@email.it
Cc: freebsd-scsi@FreeBSD.org
Subject: Re: kern/88823: [modules] [atapicam] atapicam - kernel trap 12 on
	loading and unloading
Date: Wed, 3 Dec 2008 17:32:58 +0200

 Hi,
 
 There is a CAM(4)/pass(4) bug which causes passcleanup() (in
 sys/cam/scsi/scsi_pass.c) to call destroy_dev(9) with the device mutex
 held. It's not allowed to call destroy_dev() with sleepable locks held.
 
 Here's the call trace:
 
 destroy_dev(c7b28400,0,c569f754,c7b15080,f46c6a38,...) at destroy_dev+0x10
 passcleanup(c7b15080,c0b8f83b,c0bdf975,c585d058,c0e5afe0,...) at passcleanup+0x2e
 camperiphfree(c7b15080,0,f46c6a58,c0477b7d,c7b15080,...) at camperiphfree+0xc2
 cam_periph_invalidate(c7b15080,c59328d0,f46c6a8c,c0492b4a,c7b15080,...) at cam_periph_invalidate+0x3e
 cam_periph_async(c7b15080,100,f46c6b18,0,0,...) at cam_periph_async+0x2d
 passasync(c7b15080,100,f46c6b18,0,c7ae0000,...) at passasync+0xca
 xpt_async_bcast(0,4,c0b6dbbf,11a5,c7b428c0,...) at xpt_async_bcast+0x32
 xpt_async(100,f46c6b18,0,10,c575ccb8,...) at xpt_async+0x194
 xpt_bus_deregister(0,0,c7b75b30,378,c577fc00,...) at xpt_bus_deregister+0x4e
 free_softc(c577fe64,0,c7b75b30,103,c7b18100,...) at free_softc+0xe1
 atapi_cam_detach(c7b18100,c7b30858,c0caa340,9a4,1,...) at atapi_cam_detach+0x7f
 device_detach(c7b18100,c081bf09,c7691840,1,c7b760f8,...) at device_detach+0x8c
 devclass_delete_driver(c554b6c0,c7b7610c,c0bd0dfd,2d,0,...) at devclass_delete_driver+0x91
 driver_module_handler(c7692040,1,c7b760f8,ef,c7692040,...) at driver_module_handler+0xdf
 module_unload(c7692040,0,253,250,f46c6c40,...) at module_unload+0x75
 linker_file_unload(c7ab9d00,0,c0bcf326,400,c7b73000,...) at linker_file_unload+0xc9
 kern_kldunload(c5957460,6,0,f46c6d2c,c0b11ff3,...) at kern_kldunload+0xd5
 kldunloadf(c5957460,f46c6cf8,8,c0bd96d0,c0cad660,...) at kldunloadf+0x2b
 
 Calling xpt_bus_deregister() in atapicam results in this code path.
 xpt_bus_deregister() must be called with the device mutex held.
 The following change fixes the atapicam problem; however, the patch may be
 incorrect because I am not sure if passcleanup() is always called with
 the lock held. I have tried the patch with atapicam(4) and umass(4)
 (both use pass(4)).
 
 %%%
 Index: sys/cam/scsi/scsi_pass.c
 ===================================================================
 --- sys/cam/scsi/scsi_pass.c	(revision 185331)
 +++ sys/cam/scsi/scsi_pass.c	(working copy)
 @@ -167,7 +167,9 @@ passcleanup(struct cam_periph *periph)
  
  	devstat_remove_entry(softc->device_stats);
  
 +	mtx_unlock(periph->sim->mtx);
  	destroy_dev(softc->dev);
 +	mtx_lock(periph->sim->mtx);
  
  	if (bootverbose) {
  		xpt_print(periph->path, "removing device entry\n");
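Review bot: The unconditional mtx_unlock(periph->sim->mtx) ahead of destroy_dev() assumes every caller of passcleanup() arrives with the SIM mutex held, and nothing in the hunk checks that. Add mtx_assert(periph->sim->mtx, MA_OWNED) before the unlock so that a caller without the lock fails loudly under INVARIANTS instead of releasing a mutex it does not own. The window between the unlock and the following mtx_lock() also lets other threads run against periph and softc while the device node is being destroyed; a comment stating why that is safe at this point would help.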
 %%%
 
 There are also other bugs involved in unloading the atapicam module.
 
 * If there are pending hcbs, the kernel will panic on unload. There's an
   obvious bug in free_softc(): it uses TAILQ_FOREACH() instead of
   TAILQ_FOREACH_SAFE(). However, fixing that is not enough. There are
   additional problem(s) and I don't have a fix for them.  Here's a patch
   that changes it to refuse to detach if there are pending hcbs:
 
 %%%
 Index: sys/dev/ata/atapi-cam.c
 ===================================================================
 --- sys/dev/ata/atapi-cam.c	(revision 185519)
 +++ sys/dev/ata/atapi-cam.c	(working copy)
 @@ -254,6 +254,13 @@ atapi_cam_detach(device_t dev)
      struct atapi_xpt_softc *scp = device_get_softc(dev);
  
      mtx_lock(&scp->state_lock);
 +    /*
 +     * XXX: Detaching when pending hcbs exist is broken.
 +     */
 +    if (!TAILQ_EMPTY(&scp->pending_hcbs)) {
 +	mtx_unlock(&scp->state_lock);
 +	return (EBUSY);
 +    }
      xpt_freeze_simq(scp->sim, 1 /*count*/);
      scp->flags |= DETACHING;
      mtx_unlock(&scp->state_lock);
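Review bot: The XXX comment above the TAILQ_EMPTY() check says detaching with pending hcbs is broken but not what breaks or what the caller sees; name the failure and state that detach now returns EBUSY, so the guard can be found and removed once the underlying problem is fixed. The placement of the check is right: it sits in the same state_lock section that sets DETACHING, so the queue cannot change between the test and the flag update.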
 @@ -882,11 +889,11 @@ free_hcb(struct atapi_hcb *hcb)
  static void
  free_softc(struct atapi_xpt_softc *scp)
  {
 -    struct atapi_hcb *hcb;
 +    struct atapi_hcb *hcb, *tmp_hcb;
  
      if (scp != NULL) {
  	mtx_lock(&scp->state_lock);
 -	TAILQ_FOREACH(hcb, &scp->pending_hcbs, chain) {
 +	TAILQ_FOREACH_SAFE(hcb, &scp->pending_hcbs, chain, tmp_hcb) {
  	    free_hcb_and_ccb_done(hcb, CAM_UNREC_HBA_ERROR);
  	}
  	if (scp->path != NULL) {
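Review bot: free_hcb_and_ccb_done() is still called for every pending hcb with state_lock held inside the TAILQ_FOREACH_SAFE loop; if that call completes the CCB back into CAM, consider moving the entries onto a local list under the lock and finishing them after mtx_unlock(). With the EBUSY guard added to atapi_cam_detach() in the previous hunk, this loop should also find the queue empty on the detach path, which deserves a comment or a KASSERT.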
 %%%
 
 * cd(4) doesn't tolerate disappearing devices well. There's code in
   cdinvalidate() to invalidate further I/O operations, but calling for
   example d_close causes a crash. Thus you can't unmount a file system
   after the device has disappeared. This patch makes it survive
   unmounting.
 
 %%%
 Index: sys/cam/scsi/scsi_cd.c
 ===================================================================
 --- sys/cam/scsi/scsi_cd.c	(revision 185331)
 +++ sys/cam/scsi/scsi_cd.c	(working copy)
 @@ -382,6 +382,9 @@ cdoninvalidate(struct cam_periph *periph
  		camq_remove(&softc->changer->devq, softc->pinfo.index);
  
  	disk_gone(softc->disk);
 +	softc->disk->d_drv1 = NULL;
 +	softc->disk->d_close = NULL; /* allow closing the disk */
 +
  	xpt_print(periph->path, "lost device\n");
  }
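Review bot: Clearing softc->disk->d_drv1 and d_close right after disk_gone() happens with no visible synchronization against disk methods already in flight, and only d_close is made safe: any other d_* method that dereferences d_drv1 would now see NULL. Either check for a NULL d_drv1 in those methods or explain in the comment why they cannot be reached after disk_gone(); the comment should also cover the d_drv1 assignment, not only d_close.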
 %%%
 
 -- 
 Jaakko
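
The TAILQ_FOREACH() versus TAILQ_FOREACH_SAFE() point and the "refuse to detach while hcbs are pending" guard from the message above, shown as an added userland example that is not part of the original message or of FreeBSD's code. `struct req`, `enqueue()`, `try_detach()` and `drain_pending()` are hypothetical names chosen for the illustration.

```c
/* Added illustration; all names here are hypothetical, not FreeBSD kernel code. */
#include <errno.h>
#include <stdlib.h>
#include <sys/queue.h>

/* Some libcs ship <sys/queue.h> without the _SAFE iterator; this is the BSD form. */
#ifndef TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)                  \
    for ((var) = TAILQ_FIRST((head));                               \
        (var) != NULL && ((tvar) = TAILQ_NEXT((var), field), 1);    \
        (var) = (tvar))
#endif

struct req {
    int id;
    TAILQ_ENTRY(req) chain;
};
TAILQ_HEAD(req_queue, req);

static int enqueue(struct req_queue *q, int id)
{
    struct req *r = malloc(sizeof(*r));
    if (r == NULL)
        return ENOMEM;
    r->id = id;
    TAILQ_INSERT_TAIL(q, r, chain);
    return 0;
}

/* Mirrors the guard in the atapi_cam_detach() patch: refuse while work is queued. */
static int try_detach(struct req_queue *q)
{
    return TAILQ_EMPTY(q) ? 0 : EBUSY;
}

/* Frees every queued request; returns how many were freed and sums their ids. */
static int drain_pending(struct req_queue *q, int *id_sum)
{
    struct req *r, *next;
    int n = 0;

    /*
     * TAILQ_FOREACH(r, q, chain) would advance with TAILQ_NEXT(r, chain)
     * after the body has freed r, reading freed memory. The _SAFE form
     * saves the successor in 'next' before the body runs.
     */
    TAILQ_FOREACH_SAFE(r, q, chain, next) {
        TAILQ_REMOVE(q, r, chain);
        *id_sum += r->id;
        free(r);
        n++;
    }
    return n;
}

int main(void)
{
    struct req_queue q;
    int sum = 0;
    TAILQ_INIT(&q);
    enqueue(&q, 1);
    enqueue(&q, 2);
    return (try_detach(&q) == EBUSY && drain_pending(&q, &sum) == 2 &&
        try_detach(&q) == 0) ? 0 : 1;
}
```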
Responsible-Changed-From-To: freebsd-bugs->trasz 
Responsible-Changed-By: trasz 
Responsible-Changed-When: Thu Jan 8 17:21:07 UTC 2009 
Responsible-Changed-Why:  
I'll take it. 

State-Changed-From-To: analyzed->closed 
State-Changed-By: trasz 
State-Changed-When: Thu Jan 8 17:27:59 UTC 2009 
State-Changed-Why:  
Fixed in -HEAD.  Thanks! 

>Unformatted:
