Subject: bad free() in uhub_detach()?
To: None <current-users@netbsd.org>
From: Jeff Rizzo <riz@tastylime.net>
List: current-users
Date: 10/25/2004 12:49:49

I just updated the kernel on my desktop machine from 2.0G to 2.99.10,
and simultaneously switched on "options DIAGNOSTIC" and "options DEBUG"
in preparation for doing a little (unrelated) development. What I found
was that when the kernel is compiled with DIAGNOSTIC+DEBUG, I get the
following panic:

    free: addr 0xdeadbeef not within kmem_map

... whenever I detach my keyboard and mouse using my USB KVM switch.
Looking at the trace shows that the culprit free() occurs in
uhub_detach(), but I don't have a serial console on this machine, so
it's hard to get the actual trace. (I'll hand-copy the list of
functions at the end of this message)

It seems to require _both_ DEBUG and DIAGNOSTIC to trigger the panic;
possibly KMEMSTATS as well. GENERIC_DIAGNOSTIC doesn't crash like this,
but with a config file that looks like this:

    include "arch/i386/conf/GENERIC"
    #options REALEXTMEM=32768
    options DIAGNOSTIC
    options DEBUG
    options KMEMSTATS
    makeoptions DEBUG="-g"

...it crashes every single time. I have been unable to get a crash
dump; when I try to force one with 'reboot 0x104' from the db> prompt,
it writes a few pages, then gives up with "wddump: DMA error" and "i/o
error".

Has anyone else seen this? Is there anything else I should do to
troubleshoot this?

Thanks.

Here's more or less what the console looks like after the crash. This
is handcopied, so there may be transcription errors.

    uhub2 : at uhub0 port 1 (addr 2) disconnected
    uhub4: at uhub2 port 1 (addr 3) disconnected
    uhidev0: at uhub4 port 1 (addr 4) disconnected
    wskbd1: disconnecting from wsdisplay0
    wskbd1 detached
    ukbd0 detached
    uhidev0 detached
    uhidev1: at uhub4 port 1 (addr 4) disconnected
    uhid0 detached
    uhid1 detached
    uhid2 detached
    uhidev1 detached
    panic: free: addr 0xdeadbeef not within kmem_map
    Stopped in pid 5.1 (usb0) at netbsd:breakpoint+0x4: leave
    db>
    db> trace
    breakpoint()
    cpu_Debugger()
    panic()
    free()
    uhub_detach()
    config_detach()
    usb_disconnect_port()
    uhub_detach()
    config_detach()
    usb_disconnect_port()
    uhub_explore()
    usb_discover()
    usb_event_thread()
    db>

Oh, since I appear to have neglected to mention this: this is on
NetBSD/i386 2.99.10, updated about 30 minutes ago. (Haven't seen any
new CVS commits since this compile.)

Thanks,
+j