IGMPv3 hot interface detach panics?

Weongyo Jeong weongyo.jeong at gmail.com
Wed Mar 11 21:32:45 PDT 2009


On Thu, Mar 12, 2009 at 03:46:41AM +0000, Bruce Simpson wrote:
> Can I have some volunteers please...
> Sam reports a panic when detaching a card on the fly with the IGMPv3 code.
> 
> Whilst I've taken a few precautions in the netisr against this, most 
> likely there is something getting used-after-free in the domifdetach 
> ping-pong which I've missed in the rush.
> So to track this down, I really need a backtrace with full debugging 
> symbols. I would encourage anyone who may face a similar issue to try to 
> reproduce it with HEAD and send me a full backtrace.
> 
> I may not get around to fixing this right away -- already on other stuff 
> -- but will try to as time arises.

This is one I got from "Paul B. Mahol" <onemda_at_gmail.com>
yesterday; I think he may be able to help you get a full backtrace:

db:1:lockinfo> show locks
db:1:locks>  show alllocks
Process 832 (usbus4) thread 0xc46a78c0 (100102)
Process 317 (devd) thread 0xc4057d20 (100048)
Process 11 (intr) thread 0xc3d09460 (100006)
db:1:alllocks>  show lockedvnods
Locked vnodes
db:0:kdb.enter.unknown>  show pcpu
cpuid        = 1
curthread    = 0xc46a78c0: pid 832 "usbus4"
curpcb       = 0xe62c0d90
fpcurthread  = none
idlethread   = 0xc3d09d20: pid 10 "idle: cpu1"
APIC ID      = 1
currentldt   = 0x50
spin locks held:
db:0:kdb.enter.unknown>  bt
Tracing pid 832 tid 100102 td 0xc46a78c0
in_ifdetach(c3e67c00,c3e67e30,32b,e62c0bac,c4471ab1,...) at
in_ifdetach+0x18d
if_detach(c3e67c00,0,c4465fec,416,20,...) at if_detach+0xfd
ndis_detach(c488ee00,1,c488ee00,c4669000,0,...) at ndis_detach+0x9a
ndisusb_detach(c488ee00,4,c0621186,9e8,c04ce619,...) at
ndisusb_detach+0x5a
device_detach(c488ee00,c43b4f8a,c44c4840,6,2,...) at device_detach+0x8c
usb2_detach_device(c4669000,ff,1,10,c061cfc5,...) at
usb2_detach_device+0x16a
uhub_explore(c3fed000,0,c43b4247,d8,c468fd34,...) at uhub_explore+0x1ab
usb2_bus_explore(c468fd34,0,c43bcef3,51,c068fb40,...) at
usb2_bus_explore+0xb9
usb2_process(c468fc70,e62c0d38,c061a74c,32d,c4646548,...) at
usb2_process+0xda
fork_exit(c43a6390,c468fc70,e62c0d38) at fork_exit+0xb8
fork_trampoline() at fork_trampoline+0x8
--- trap 0, eip = 0, esp = 0xe62c0d70, ebp = 0 ---

Kernel page fault with the following non-sleepable locks held:
exclusive sleep mutex if_addr_mtx (if_addr_mtx) r = 0 (0xc3e67e40)
locked @ /usr/local/src/sys/netinet/in.c:1041
exclusive sleep mutex in_multi_mtx (in_multi_mtx) r = 0 (0xc07f8ef4)
locked @ /usr/local/src/sys/netinet/in.c:1033
KDB: stack backtrace:
db_trace_self_wrapper(c062190e,e62c0a4c,c04e5895,c062e0be,409,...) at
db_trace_self_wrapper+0x26
kdb_backtrace(c062e0be,409,ffffffff,c07cadbc,e62c0a84,...) at
kdb_backtrace+0x29
_witness_debugger(c0623c6d,e62c0a98,4,1,0,...) at _witness_debugger+0x25
witness_warn(5,0,c064050e,c3c8da90,c46a78c0,...) at witness_warn+0x1fd
trap(e62c0b24) at trap+0x153
calltrap() at calltrap+0x6
--- trap 0xc, eip = 0xc055454d, esp = 0xe62c0b64, ebp = 0xe62c0b84 ---
in_ifdetach(c3e67c00,c3e67e30,32b,e62c0bac,c4471ab1,...) at
in_ifdetach+0x18d
if_detach(c3e67c00,0,c4465fec,416,20,...) at if_detach+0xfd
ndis_detach(c488ee00,1,c488ee00,c4669000,0,...) at ndis_detach+0x9a
ndisusb_detach(c488ee00,4,c0621186,9e8,c04ce619,...) at
ndisusb_detach+0x5a
device_detach(c488ee00,c43b4f8a,c44c4840,6,2,...) at device_detach+0x8c
usb2_detach_device(c4669000,ff,1,10,c061cfc5,...) at
usb2_detach_device+0x16a
uhub_explore(c3fed000,0,c43b4247,d8,c468fd34,...) at uhub_explore+0x1ab
usb2_bus_explore(c468fd34,0,c43bcef3,51,c068fb40,...) at
usb2_bus_explore+0xb9
usb2_process(c468fc70,e62c0d38,c061a74c,32d,c4646548,...) at
usb2_process+0xda
fork_exit(c43a6390,c468fc70,e62c0d38) at fork_exit+0xb8
fork_trampoline() at fork_trampoline+0x8
--- trap 0, eip = 0, esp = 0xe62c0d70, ebp = 0 ---

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x0
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc055454d
stack pointer           = 0x28:0xe62c0b64
frame pointer           = 0x28:0xe62c0b84
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 832 (usbus4)
exclusive sleep mutex if_addr_mtx (if_addr_mtx) r = 0 (0xc3e67e40)
locked @ /usr/local/src/sys/netinet/in.c:1041
exclusive sleep mutex in_multi_mtx (in_multi_mtx) r = 0 (0xc07f8ef4)
locked @ /usr/local/src/sys/netinet/in.c:1033
exclusive sleep mutex Giant (Giant) r = 0 (0xc068b590) locked @
/usr/local/src/sys/modules/usb/usb/../../../dev/usb/controller/usb_controller.c:216
exclusive sx 123456789ABCDEF - USB config SX lock (123456789ABCDEF -
USB config SX lock) r = 0 (0xc466903c) locked @
/usr/local/src/sys/modules/usb/usb/../../../dev/usb/usb_device.c:941
exclusive sleep mutex if_addr_mtx (if_addr_mtx) r = 0 (0xc3e67e40)
locked @ /usr/local/src/sys/netinet/in.c:1041
exclusive sleep mutex in_multi_mtx (in_multi_mtx) r = 0 (0xc07f8ef4)
locked @ /usr/local/src/sys/netinet/in.c:1033
exclusive sleep mutex Giant (Giant) r = 0 (0xc068b590) locked @
/usr/local/src/sys/modules/usb/usb/../../../dev/usb/controller/usb_controller.c:216
exclusive sx 123456789ABCDEF - USB config SX lock (123456789ABCDEF -
USB config SX lock) r = 0 (0xc466903c) locked @ 
/usr/local/src/sys/modules/usb/usb/../../../dev/usb/usb_device.c:941
shared sx filedesc structure (filedesc structure) r = 0 (0xc412c12c)
locked @ /usr/local/src/sys/kern/sys_generic.c:990
exclusive sleep mutex uhci2 (uhci2) r = 0 (0xc45dfe74) locked @
/usr/local/src/sys/modules/usb/usb/../../../dev/usb/usb_hub.c:1355

regards,
Weongyo Jeong


