Re: Panics and potential memory corruption when pulling out a uath device

From: Hans Petter Selasky <hselasky_at_c2i.net>
Date: Mon, 18 May 2009 10:50:02 +0200

On Sunday 17 May 2009, Lucius Windschuh wrote:
> panic: mtx_lock() of destroyed mutex @
> /usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c:1697
>
> (kgdb) bt
> #0  doadump () at pcpu.h:246
> #1  0xc04949c9 in db_fncall (dummy1=-979506816, dummy2=0,
> dummy3=-1068655593, dummy4=0xf3c47988 "@\231\235�001") at
> /usr/src/sys/ddb/db_command.c:548
> #2  0xc0494dc1 in db_command (last_cmdp=0xc0989c9c, cmd_table=0x0,
> dopager=1) at /usr/src/sys/ddb/db_command.c:445
> #3  0xc0494f1a in db_command_loop () at /usr/src/sys/ddb/db_command.c:498
> #4  0xc0496d7d in db_trap (type=3, code=0) at
> /usr/src/sys/ddb/db_main.c:229
> #5  0xc06579d6 in kdb_trap (type=3, code=0,
> tf=0xf3c47b2c) at
> /usr/src/sys/kern/subr_kdb.c:534
> #6  0xc088bdce in trap (frame=0xf3c47b2c) at
> /usr/src/sys/i386/i386/trap.c:685
> #7  0xc086f6fb in calltrap () at
> /usr/src/sys/i386/i386/exception.s:165
> #8  0xc0657b5a in kdb_enter
> (why=0xc08f8592 "panic", msg=0xc08f8592 "panic") at cpufunc.h:71
> #9  0xc062a1a6 in panic (fmt=0xc08f6f47 "mtx_lock() of destroyed mutex
> @ %s:%d") at /usr/src/sys/kern/kern_shutdown.c:559
> #10 0xc061a925 in _mtx_lock_flags (m=0xc6af26b8, opts=0,
> file=0xc858faff
> "/usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c",
> line=1697) at /usr/src/sys/kern/kern_mutex.c:174
> #11 0xc857445e in ieee80211_node_delucastkey (ni=0xc6af8000) at
> /usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c:1697
> #12 0xc85760d6 in node_free (ni=0xc6af8000) at
> /usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c:999
> #13 0xc8573992 in _ieee80211_free_node (ni=0xc6af8000) at
> /usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c:1622
> #14 0xc84f5af0 in uath_bulk_tx_callback () from /boot/kernel/if_uath.ko
> #15 0xc0594d27 in usb2_callback_wrapper (pq=0xc9448030) at
> /usr/src/sys/dev/usb/usb_transfer.c:1962
> #16 0xc0592716 in usb2_command_wrapper (pq=0xc9448030, xfer=0x0) at
> /usr/src/sys/dev/usb/usb_transfer.c:2538
> #17 0xc05927f8 in usb2_callback_proc (_pm=0xc9448044) at
> /usr/src/sys/dev/usb/usb_transfer.c:1834
> #18 0xc058febe in usb2_process (arg=0xc58d8ca4) at
> /usr/src/sys/dev/usb/usb_process.c:139
> #19 0xc06036e8 in fork_exit (callout=0xc058fde0 <usb2_process>,
> arg=0xc58d8ca4, frame=0xf3c47d38) at /usr/src/sys/kern/kern_fork.c:830
> #20 0xc086f7a0 in fork_trampoline () at
> /usr/src/sys/i386/i386/exception.s:270

Regarding the first panic, there seems to be a detach race in both upgt and 
uath, which is not USB related. Try this patch:

http://perforce.freebsd.org/chv.cgi?CH=162250

--HPS
Received on Mon May 18 2009 - 06:47:34 UTC