From nobody@FreeBSD.org  Fri Nov 25 17:21:40 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 271DF16A420
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 Nov 2005 17:21:40 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 58CB143D88
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 Nov 2005 17:21:30 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id jAPHLUZ2071583
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 Nov 2005 17:21:30 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id jAPHLUFE071582;
	Fri, 25 Nov 2005 17:21:30 GMT
	(envelope-from nobody)
Message-Id: <200511251721.jAPHLUFE071582@www.freebsd.org>
Date: Fri, 25 Nov 2005 17:21:30 GMT
From: Gleb Kozyrev <gkozyrev@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [tty] [panic] triggered by "sysctl -a"
X-Send-Pr-Version: www-2.3

>Number:         89538
>Category:       kern
>Synopsis:       [tty] [panic] triggered by "sysctl -a"
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    jhb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 25 17:30:03 GMT 2005
>Closed-Date:    Tue Jan 15 20:21:55 UTC 2008
>Last-Modified:  Tue Oct 21 07:20:00 UTC 2008
>Originator:     Gleb Kozyrev
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
FreeBSD localhost 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Wed Nov 2 14:36:19 EET 2005 root@localhost:/usr/obj/usr/src/sys/DDB i386
>Description:
After 14 days of uptime I ran "sysctl -a" and it triggered a panic.
 
In ddb:
=========Beginning of the citation==============
db> bt
Tracing pid 15840 tid 100071 td 0xc1553600
dev2udev(c20bf300,88,0,0,0) at dev2udev+0x11
sysctl_kern_ttys(c08d4500,0,0,cc865c04,c08d4500) at sysctl_kern_ttys+0xdf
sysctl_root(0,cc865c74,2,cc865c04,c1553600) at sysctl_root+0x107
userland_sysctl(c1553600,cc865c74,2,0,bfbfd5bc) at userland_sysctl+0xec
__sysctl(c1553600,cc865d04,6,a,296) at __sysctl+0x93
syscall(3b,3b,bfbf003b,2,bfbfd5bc) at syscall+0x2b7
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (202, FreeBSD ELF32, __sysctl), eip = 0x280b7a33, esp = 0xbfbfd52c,
ebp = 0xbfbfd568 ---
=========The end of the citation================
 
After calling doadump() and rebooting:
=========Beginning of the citation==============
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
 
Unread portion of the kernel message buffer:
 
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xbf
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc05f46ed
stack pointer           = 0x28:0xcc865b18
frame pointer           = 0x28:0xcc865b18
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 15840 (sysctl)
Dumping 127 MB (3 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 64MB (16381 pages) 49 33 17 ... ok
  chunk 2: 63MB (16128 pages) 48 32 16
 
#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt full
#0  doadump () at pcpu.h:165
No locals.
#1  0xc0468487 in db_fncall (dummy1=-1063902272, dummy2=0, dummy3=0, dummy4=0xcc865944 "pY\206\224C\177■\\Y\206`Y\206\222\a")
    at /usr/src/sys/ddb/db_command.c:492
        fn_addr = -1067198068
        args = {1, 0, 545675548, -1065401452, -863610616, -863610612, 1938, 1938, 2, -1064703968}
        nargs = 0
        retval = 0
        t = 0
#2  0xc046828c in db_command (last_cmdp=0xc09181c4, cmd_table=0x0, aux_cmd_tablep=0xc089589c, aux_cmd_tablep_end=0xc08958b8)
    at /usr/src/sys/ddb/db_command.c:350
        cmd = (struct command *) 0xc089e9c0
        t = 0
        modif = "pY\206\224C\177■\\Y\206`Y\206\222\a\000\000▄\003\000\000\220Y\206\f\000\000\000|Y\206▄\003\000\000\200Y\206Q~■▄\003\000\000▄\003\000\000\r\000\000\000Y\206B~■\220Y\206▄\003\000\000\f\000\017\003x\000\000\000■\212\221■\f\000\000\000+Y\206\004?F■\235;\207■?\237F■\f\000\000\000■\212\221■│\227F■"
        addr = -1063902272
        count = 0
        have_addr = 0
        result = 0
#3  0xc0468354 in db_command_loop () at /usr/src/sys/ddb/db_command.c:458
No locals.
#4  0xc0469f61 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
        jb = {{_jb = {-863610372, -863610392, -863610320, -863610152, 12, -1069113606,
12, -863610296, -1067089549, -1064761795, -1067089416, -863610316}}}
        prev_jb = (void *) 0x0
        bkpt = 0
#5  0xc065666b in kdb_trap (type=12, code=0, tf=0xcc865ad8) at /usr/src/sys/kern/subr_kdb.c:473
        handled = -863610152
#6  0xc08104b0 in trap_fatal (frame=0xcc865ad8, eva=191) at /usr/src/sys/i386/i386/trap.c:822
        eflags = 514
        code = 514
        type = 12
        ss = 514
        esp = 0
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_xx = 2, ssd_xx1 = 2, ssd_def32 = 1,
ssd_gran = 1}
#7  0xc081021f in trap_pfault (frame=0xcc865ad8, usermode=0, eva=191) at /usr/src/sys/i386/i386/trap.c:742
        va = 0
        vm = (struct vmspace *) 0x0
        map = 0xc1598708
        rv = 1
        ftype = 1 '\001'
        td = (struct thread *) 0xc1553600
        p = (struct proc *) 0xc155620c
#8  0xc080fe19 in trap (frame=
      {tf_fs = -863633400, tf_es = 40, tf_ds = -863633368, tf_edi = -863609988, tf_esi = -1052413952, tf_ebp = -863610088, tf_isp
= -863610108, tf_ebx = -1052413952, tf_edx = -1039404288, tf_ecx = 0, tf_eax = -1, tf_trapno = 12, tf_err = 0, tf_eip = -1067497747,
tf_cs = 32, tf_eflags = 66182, tf_esp = -863609920, tf_ss = -1066996549}) at /usr/src/sys/i386/i386/trap.c:432
        td = (struct thread *) 0xc1553600
        p = (struct proc *) 0xc155620c
        sticks = 3431357272
        i = 0
        ucode = 0
        type = 12
        code = 0
        eva = 191
#9  0xc07ff31a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
No locals.
#10 0xc05f46ed in dev2udev (x=0xc20bf300) at /usr/src/sys/fs/devfs/devfs_vnops.c:1145
No locals.
#11 0xc066ecbb in sysctl_kern_ttys (oidp=0xc08d4500, arg1=0x0, arg2=0, req=0xcc865c04) at /usr/src/sys/kern/tty.c:3040
        tp = (struct tty *) 0xc1457000
        tp2 = (struct tty *) 0xc1457000
        xt = {xt_size = 136, xt_rawcc = 0, xt_cancc = 0, xt_outcc = 0, xt_line = 0, xt_dev = 0, xt_state = 0, xt_flags = 0,
xt_timeout = 0, xt_pgid = 0,
  xt_sid = 0, xt_termios = {c_iflag = 0, c_oflag = 0, c_cflag = 0, c_lflag = 0, c_cc = '\0' <repeats 19 times>, c_ispeed = 0,
c_ospeed = 0}, xt_winsize = {
    ws_row = 0, ws_col = 0, ws_xpixel = 0, ws_ypixel = 0}, xt_column = 0, xt_rocount = 0, xt_rocol = 0, xt_ififosize = 0, xt_ihiwat
= 0, xt_ilowat = 0,
  xt_ispeedwat = 0, xt_ohiwat = 0, xt_olowat = 0, xt_ospeedwat = 0}
        error = -1052413952
#12 0xc0645c63 in sysctl_root (oidp=0x0, arg1=0x0, arg2=0, req=0xcc865c04) at /usr/src/sys/kern/kern_sysctl.c:1248
        oid = (struct sysctl_oid *) 0xc08d4500
        error = -1
        indx = 2
        lvl = -1
#13 0xc0645e60 in userland_sysctl (td=0xffffffff, name=0xcc865c74, namelen=2, old=0xcc865c04, oldlenp=0xbfbfd5bc, inkernel=0,
new=0x0, newlen=4294967295,
    retval=0xcc865c70, flags=-1) at /usr/src/sys/kern/kern_sysctl.c:1347
        error = -1077946948
        req = {td = 0xc1553600, lock = 1, oldptr = 0x0, oldlen = 0, oldidx = 3536, oldfunc = 0xc06459a4 <sysctl_old_user>, newptr =
0x0, newlen = 0,
  newidx = 0, newfunc = 0xc0645a10 <sysctl_new_user>, validlen = 0, flags = 0}
#14 0xc0645d03 in __sysctl (td=0xc1553600, uap=0xcc865d04) at /usr/src/sys/kern/kern_sysctl.c:1282
        error = -1051368948
        name = {1, 533, 1, 533, -1, -1, 0, -1048488688, -1051368948, 0, -1051380224, -863609636, -1067059971, -1051380224,
1, -863609668, -1051368948,
  -1051380224, -863609544, -863609640, -1067068430, -1051380224, -1051368948, 0}
        j = 10
#15 0xc08107ff in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = -1078001605, tf_edi = 2, tf_esi = -1077946948, tf_ebp = -1077947032, tf_isp = -863609500,
tf_ebx = 672367844, tf_edx = 0, tf_ecx = -1077944736, tf_eax = 202, tf_trapno = 0, tf_err = 2, tf_eip = 671840819, tf_cs = 51,
tf_eflags = 662, tf_esp = -1077947092, tf_ss = 59})
    at /usr/src/sys/i386/i386/trap.c:976
        params = 0xbfbfd530 <Address 0xbfbfd530 out of bounds>
        callp = (struct sysent *) 0xc08cb8d8
        td = (struct thread *) 0xc1553600
        p = (struct proc *) 0xc155620c
        orig_tf_eflags = 662
        sticks = 10
        error = 0
        narg = 6
        args = {-1077944736, 2, 0, -1077946948, 0, 0, -863609548, 672367844}
        code = 202
#16 0xc07ff36f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
No locals.
#17 0x00000033 in ?? ()
No symbol table info available.
Previous frame inner to this frame (corrupt stack?)
=========The end of the citation================
>How-To-Repeat:

>Fix:
Antoine Pelisse wrote on Mon, 21 Nov 2005 12:41:40 +0000:
 
AP>  This is probably the same kind of panic that Don Lewis fixed lately in
AP> fill_kinfo_proc() and it should certainly be fixed the same way.
AP> We really can't release the lock in the loop and should look in the code
AP> for other occurrences of this mistake as it's really likely that it will
AP> trigger other panics in the future.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->phk 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Mon Dec 12 10:10:25 UTC 2005 
Responsible-Changed-Why:  
To devfs maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89538 
Responsible-Changed-From-To: phk->bugs 
Responsible-Changed-By: phk 
Responsible-Changed-When: Sun Jan 28 21:20:43 UTC 2007 
Responsible-Changed-Why:  
over to bugs@, I'm not able to work on this. 

My best guess would be that this is caused by a disappearing tty 
(USB serial ?) or similar. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=89538 
Responsible-Changed-From-To: bugs->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Jan 28 22:09:22 UTC 2007 
Responsible-Changed-Why:  
Canonicalize assignee address. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89538 

From: Ed Maste <emaste@phaedrus.sandvine.ca>
To: bug-followup@FreeBSD.org, gkozyrev@gmail.com
Cc:  
Subject: Re: kern/89538: [tty] [panic] triggered by "sysctl -a"
Date: Thu, 24 May 2007 13:05:29 -0400

 I just saw this same sort of panic from sysctl -a on 7-CURRENT cvsup'd
 as of last week (my BSDCan kernel): 
 
 FreeBSD laptop 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Fri May 18 03:03:30 EDT 2007     emaste@laptop:/usr/kernel/GENERIC  i386
 
 #6  0xc08cca35 in trap_fatal (frame=0xd621ea6c, eva=3735929246) at /usr/src/sys/i386/i386/trap.c:867
 #7  0xc08cc76f in trap_pfault (frame=0xd621ea6c, usermode=0, eva=3735929246) at /usr/src/sys/i386/i386/trap.c:785
 #8  0xc08cc392 in trap (frame=0xd621ea6c) at /usr/src/sys/i386/i386/trap.c:462
 #9  0xc08b62ab in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #10 0xc0680855 in dev2udev (x=0xc35fc400) at /usr/src/sys/fs/devfs/devfs_vnops.c:1317
 #11 0xc070998b in sysctl_kern_ttys (oidp=0xc0a0c860, arg1=0x0, arg2=0, req=0xd621eb98) at /usr/src/sys/kern/tty.c:3007
 #12 0xc06d79b7 in sysctl_root (oidp=0x0, arg1=0x0, arg2=0, req=0xd621eb98) at /usr/src/sys/kern/kern_sysctl.c:1282
 #13 0xc06d7b88 in userland_sysctl (td=0xdeadc0de, name=0xd621ec18, namelen=2, old=0xd621eb98, oldlenp=0xbfbfd7bc, inkernel=0,
     new=0x0, newlen=3735929054, retval=0xd621ec14, flags=-559038242) at /usr/src/sys/kern/kern_sysctl.c:1377
 #14 0xc06d7a3f in __sysctl (td=0xc3938000, uap=0xd621ed00) at /usr/src/sys/kern/kern_sysctl.c:1312
 #15 0xc08ccd4e in syscall (frame=0xd621ed38) at /usr/src/sys/i386/i386/trap.c:1016
 #16 0xc08b6310 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:196
 #17 0x00000033 in ?? ()
 
 	-Ed
State-Changed-From-To: open->feedback 
State-Changed-By: gavin 
State-Changed-When: Mon Jun 11 17:19:53 UTC 2007 
State-Changed-Why:  
Have asked for feedback from user who most recently had the problem 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89538 

From: Gavin Atkinson <gavin@FreeBSD.org>
To: Ed Maste <emaste@phaedrus.sandvine.ca>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/89538: [tty] [panic] triggered by "sysctl -a"
Date: Mon, 11 Jun 2007 18:10:38 +0100

 Hi,
 
 Do you have a core dump of the panic available?  If so, can you fire up
 gdb, go to frame 10 and "p/x *x"?  Also, in frame 11, can you "p/x *tp"
 please?
 
 Thanks,
 
 Gavin

From: Kazuaki ODA <kazuaki@aliceblue.jp>
To: bug-followup@FreeBSD.org,  gkozyrev@gmail.com
Cc:  
Subject: Re: kern/89538: [tty] [panic] triggered by "sysctl -a"
Date: Sun, 01 Jul 2007 12:16:57 +0900

 Hi, I got the same panic on 7.0-CURRENT cvsup'ed today.
 So I post the result of the suggestion.
 
 
 Fatal trap 12: page fault while in kernel mode
 cpuid = 1; apic id = 01
 fault virtual address   = 0xc0
 fault code              = supervisor read, page not present
 instruction pointer     = 0x20:0xc06e2d11
 stack pointer           = 0x28:0xe669aaa4
 frame pointer           = 0x28:0xe669aaa4
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 2200 (sysctl)
 trap number             = 12
 panic: page fault
 cpuid = 1
 Uptime: 3h8m20s
 Physical memory: 1001 MB
 Dumping 139 MB: 124 108 92 76 60 44 28 12
 
 #0  doadump () at pcpu.h:195
 195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) bt
 #0  doadump () at pcpu.h:195
 #1  0xc074b957 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
 #2  0xc074bc19 in panic (fmt=Variable "fmt" is not available.
 ) at /usr/src/sys/kern/kern_shutdown.c:563
 #3  0xc0a04ade in trap_fatal (frame=0xe669aa64, eva=192)
     at /usr/src/sys/i386/i386/trap.c:870
 #4  0xc0a04d60 in trap_pfault (frame=0xe669aa64, usermode=0, eva=192)
     at /usr/src/sys/i386/i386/trap.c:784
 #5  0xc0a056c2 in trap (frame=0xe669aa64) at /usr/src/sys/i386/i386/trap.c:462
 #6  0xc09eb66b in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #7  0xc06e2d11 in dev2udev (x=0xc40b1c00)
     at /usr/src/sys/fs/devfs/devfs_vnops.c:1308
 #8  0xc078c9d2 in sysctl_kern_ttys (oidp=0xc0b390e0, arg1=0x0, arg2=0,
     req=0xe669aba4) at /usr/src/sys/kern/tty.c:3069
 #9  0xc07550f7 in sysctl_root (oidp=Variable "oidp" is not available.
 ) at /usr/src/sys/kern/kern_sysctl.c:1306
 #10 0xc0755244 in userland_sysctl (td=0xc4395440, name=0xe669ac14, namelen=2,
     old=0x0, oldlenp=0xbfbfe0f4, inkernel=0, new=0x0, newlen=0,
     retval=0xe669ac10, flags=0) at /usr/src/sys/kern/kern_sysctl.c:1401
 #11 0xc0755fde in __sysctl (td=0xc4395440, uap=0xe669acfc)
     at /usr/src/sys/kern/kern_sysctl.c:1336
 #12 0xc0a050b5 in syscall (frame=0xe669ad38)
     at /usr/src/sys/i386/i386/trap.c:1006
 #13 0xc09eb6d0 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:196
 #14 0x00000033 in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 (kgdb) frame 7
 #7  0xc06e2d11 in dev2udev (x=0xc40b1c00)
     at /usr/src/sys/fs/devfs/devfs_vnops.c:1308
 1308            return (x->si_priv->cdp_inode);
 (kgdb) p/x *x
 $1 = {si_priv = 0x0, si_flags = 0x3e9, si_atime = {tv_sec = 0x3e9,
     tv_nsec = 0x3e9}, si_ctime = {tv_sec = 0x4, tv_nsec = 0x3e9}, si_mtime = {
     tv_sec = 0x3e9, tv_nsec = 0x0}, si_uid = 0x5, si_gid = 0x0, si_mode = 0x0,
   si_cred = 0x0, si_drv0 = 0x0, si_refcount = 0x0, si_list = {le_next = 0x0,
     le_prev = 0x0}, si_clone = {le_next = 0x0, le_prev = 0x0}, si_children = {
     lh_first = 0x0}, si_siblings = {le_next = 0x0, le_prev = 0x0},
   si_parent = 0x3e9, si_name = 0x3e9, si_drv1 = 0xc426dd00,
   si_drv2 = 0xc426dd00, si_devsw = 0x0, si_iosize_max = 0x0,
   si_usecount = 0xffffffff, si_threadcount = 0x0, __si_u = {__sit_tty = 0x0,
     __sid_snapdata = 0x0}, __si_namebuf = {0x0 <repeats 64 times>}}
 (kgdb) frame 8
 #8  0xc078c9d2 in sysctl_kern_ttys (oidp=0xc0b390e0, arg1=0x0, arg2=0,
     req=0xe669aba4) at /usr/src/sys/kern/tty.c:3069
 3069                            xt.xt_dev = dev2udev(tp->t_dev);
 (kgdb) p/x *tp
 $2 = {t_rawq = {c_cc = 0x0, c_cbcount = 0x0, c_cbmax = 0x0,
     c_cbreserved = 0x0, c_cf = 0x0, c_cl = 0x0}, t_rawcc = 0x0, t_canq = {
     c_cc = 0x0, c_cbcount = 0x0, c_cbmax = 0x0, c_cbreserved = 0x0,
     c_cf = 0x0, c_cl = 0x0}, t_cancc = 0x0, t_outq = {c_cc = 0x0,
     c_cbcount = 0x0, c_cbmax = 0x0, c_cbreserved = 0x0, c_cf = 0x0,
     c_cl = 0x0}, t_outcc = 0x0, t_line = 0x0, t_dev = 0xc40b1c00,
   t_mdev = 0xc40b1c00, t_devunit = 0x1, t_state = 0x2000000, t_flags = 0x0,
   t_timeout = 0xffffffff, t_pgrp = 0x0, t_session = 0x0, t_sigio = 0x0,
   t_rsel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0,
     si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0xc0726bb0,
       kl_unlock = 0xc0726540, kl_locked = 0xc0726520,
       kl_lockarg = 0xc40a95ec}, si_flags = 0x0}, t_wsel = {si_thrlist = {
       tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {kl_list = {
         slh_first = 0x0}, kl_lock = 0xc0726bb0, kl_unlock = 0xc0726540,
       kl_locked = 0xc0726520, kl_lockarg = 0xc40a95ec}, si_flags = 0x0},
   t_termios = {c_iflag = 0x2b02, c_oflag = 0x3, c_cflag = 0x4b00,
     c_lflag = 0x580, c_cc = {0x4, 0xff, 0xff, 0x7f, 0x17, 0x15, 0x12, 0x8,
       0x3, 0x1c, 0x1a, 0x19, 0x11, 0x13, 0x16, 0xf, 0x1, 0x0, 0x14, 0xff},
     c_ispeed = 0x2580, c_ospeed = 0x2580}, t_init_in = {c_iflag = 0x2b02,
     c_oflag = 0x3, c_cflag = 0x4b00, c_lflag = 0x580, c_cc = {0x4, 0xff, 0xff,
       0x7f, 0x17, 0x15, 0x12, 0x8, 0x3, 0x1c, 0x1a, 0x19, 0x11, 0x13, 0x16,
       0xf, 0x1, 0x0, 0x14, 0xff}, c_ispeed = 0x2580, c_ospeed = 0x2580},
   t_init_out = {c_iflag = 0x2b02, c_oflag = 0x3, c_cflag = 0x4b00,
     c_lflag = 0x580, c_cc = {0x4, 0xff, 0xff, 0x7f, 0x17, 0x15, 0x12, 0x8,
       0x3, 0x1c, 0x1a, 0x19, 0x11, 0x13, 0x16, 0xf, 0x1, 0x0, 0x14, 0xff},
     c_ispeed = 0x2580, c_ospeed = 0x2580}, t_lock_in = {c_iflag = 0x0,
     c_oflag = 0x0, c_cflag = 0x0, c_lflag = 0x0, c_cc = {
       0x0 <repeats 20 times>}, c_ispeed = 0x0, c_ospeed = 0x0}, t_lock_out = {
     c_iflag = 0x0, c_oflag = 0x0, c_cflag = 0x0, c_lflag = 0x0, c_cc = {
       0x0 <repeats 20 times>}, c_ispeed = 0x0, c_ospeed = 0x0}, t_winsize = {
     ws_row = 0x0, ws_col = 0x0, ws_xpixel = 0x0, ws_ypixel = 0x0},
   t_sc = 0xc40b1d00, t_lsc = 0x0, t_column = 0x0, t_rocount = 0x0,
   t_rocol = 0x0, t_ififosize = 0x0, t_ihiwat = 0x0, t_ilowat = 0x0,
   t_ispeedwat = 0x0, t_ohiwat = 0x0, t_olowat = 0x0, t_ospeedwat = 0x0,
   t_gen = 0x0, t_list = {tqe_next = 0xc4225c00, tqe_prev = 0xc40a99dc},
   t_actout = 0x0, t_wopeners = 0x0, t_mtx = {lock_object = {
       lo_name = 0xc0a8aeba, lo_type = 0xc0a8aeba, lo_flags = 0x1030000,
       lo_witness_data = {lod_list = {stqe_next = 0x0}, lod_witness = 0x0}},
     mtx_lock = 0x4, mtx_recurse = 0x0}, t_refcnt = 0x2, t_hotchar = 0x0,
   t_dtr_wait = 0xbb8, t_do_timestamp = 0x0, t_timestamp = {tv_sec = 0x0,
     tv_usec = 0x0}, t_pps = 0x0, t_oproc = 0xc0da0300, t_stop = 0xc0da0510,
   t_param = 0xc0da01e0, t_modem = 0xc0d9fc20, t_break = 0xc0d9fbe0,
   t_ioctl = 0xc0d9fb80, t_open = 0xc0da0010, t_purge = 0x0,
   t_close = 0xc0d9feb0, t_cioctl = 0x0}
 (kgdb) quit
 
 
 -- 
 Kazuaki ODA
State-Changed-From-To: feedback->open 
State-Changed-By: gavin 
State-Changed-When: Mon Jul 16 13:04:31 UTC 2007 
State-Changed-Why:  

Feedback received. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89538 

From: John Baldwin <jhb@freebsd.org>
To: bug-followup@freebsd.org,
 gkozyrev@gmail.com
Cc:  
Subject: Re: kern/89538: [tty] [panic] triggered by "sysctl -a"
Date: Fri, 19 Oct 2007 10:44:40 -0400

 One thing I noted is that si_usecount is -1 in the most recent gdb output.
 One possible race is that we read vp->v_usecount w/o holding the vnode
 interlock in devfs_reclaim(), so perhaps there is a race between
 VOP_RECLAIM() and some other thread doing a vref() such that the
 cdev is prematurely freed?  Patch is below:
 
 --- //depot/user/jhb/acpipci/fs/devfs/devfs_vnops.c
 +++ /home/john/work/p4/acpipci/fs/devfs/devfs_vnops.c
 @@ -995,17 +995,20 @@
  
  	vnode_destroy_vobject(vp);
  
 +	VI_LOCK(vp);
  	dev_lock();
  	dev = vp->v_rdev;
  	vp->v_rdev = NULL;
  
  	if (dev == NULL) {
  		dev_unlock();
 +		VI_UNLOCK(vp);
  		return (0);
  	}
  
  	dev->si_usecount -= vp->v_usecount;
  	dev_unlock();
 +	VI_UNLOCK(vp);
  	dev_rel(dev);
  	return (0);
  }
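
Review bot: The added VI_LOCK(vp) is taken before dev_lock(), so this hunk fixes a vnode-interlock-then-dev_lock acquisition order; please confirm that no existing path takes the two locks in the opposite order, and add a short comment above VI_LOCK(vp) saying the interlock is held so that vp->v_usecount cannot change while `dev->si_usecount -= vp->v_usecount` runs. Both exits release the interlock after dev_unlock(), which is consistent. The hunk does not touch the dev2udev(tp->t_dev) call in sysctl_kern_ttys() where the reported traces fault with si_priv == 0x0, so it closes the panic only if this usecount race is the sole way the cdev gets freed while a tty still points at it; a note on why that holds would help.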
 
 -- 
 John Baldwin
State-Changed-From-To: open->patched 
State-Changed-By: jhb 
State-Changed-When: Tue Jan 8 13:46:20 UTC 2008 
State-Changed-Why:  
Fixed with rev 1.274 of sys/kern/tty.c.  Will MFC for 6.3 and 7.0. 


Responsible-Changed-From-To: freebsd-bugs->jhb 
Responsible-Changed-By: jhb 
Responsible-Changed-When: Tue Jan 8 13:46:20 UTC 2008 
Responsible-Changed-Why:  
Fixed with rev 1.274 of sys/kern/tty.c.  Will MFC for 6.3 and 7.0. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89538 
State-Changed-From-To: patched->closed 
State-Changed-By: jhb 
State-Changed-When: Tue Jan 15 20:21:36 UTC 2008 
State-Changed-Why:  
Fix MFC'd, though too late for 6.3. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89538 

From: "Sergey N. Voronkov" <serg@tmn.ru>
To: bug-followup@FreeBSD.org, jhb@FreeBSD.org
Cc:  
Subject: Re: kern/89538: [tty] [panic] triggered by "sysctl -a"
Date: Tue, 21 Oct 2008 13:19:02 +0600

 Could someone please MFC 1.274 to RELENG_6?
 
>Unformatted:
