From: Weongyo Jeong
Date: Thu, 12 Mar 2009 13:32:40 +0900
To: Bruce Simpson
Cc: freebsd-current@freebsd.org
Subject: Re: IGMPv3 hot interface detach panics?

On Thu, Mar 12, 2009 at 03:46:41AM +0000, Bruce Simpson wrote:
> Can I have some volunteers please...
> Sam reports a panic when detaching a card on the fly with the IGMPv3 code.
>
> Whilst I've taken a few precautions in the netisr against this, most
> likely there is something getting used-after-free in the domifdetach
> ping-pong which I've missed in the rush.
> So to track this down, I really need a backtrace with full debugging
> symbols. I would encourage anyone who may face a similar issue to try to
> reproduce it with HEAD and send me a full backtrace.
>
> I may not get around to fixing this right away -- already on other stuff
> -- but will try to as time arises.

This is one I got from "Paul B. Mahol" yesterday, and I think he might
help you to get a full backtrace:

db:1:lockinfo> show locks
db:1:locks> show alllocks
Process 832 (usbus4) thread 0xc46a78c0 (100102)
Process 317 (devd) thread 0xc4057d20 (100048)
Process 11 (intr) thread 0xc3d09460 (100006)
db:1:alllocks> show lockedvnods
Locked vnodes
db:0:kdb.enter.unknown> show pcpu
cpuid = 1
curthread = 0xc46a78c0: pid 832 "usbus4"
curpcb = 0xe62c0d90
fpcurthread = none
idlethread = 0xc3d09d20: pid 10 "idle: cpu1"
APIC ID = 1
currentldt = 0x50
spin locks held:
db:0:kdb.enter.unknown> bt
Tracing pid 832 tid 100102 td 0xc46a78c0
in_ifdetach(c3e67c00,c3e67e30,32b,e62c0bac,c4471ab1,...) at in_ifdetach+0x18d
if_detach(c3e67c00,0,c4465fec,416,20,...) at if_detach+0xfd
ndis_detach(c488ee00,1,c488ee00,c4669000,0,...) at ndis_detach+0x9a
ndisusb_detach(c488ee00,4,c0621186,9e8,c04ce619,...) at ndisusb_detach+0x5a
device_detach(c488ee00,c43b4f8a,c44c4840,6,2,...) at device_detach+0x8c
usb2_detach_device(c4669000,ff,1,10,c061cfc5,...) at usb2_detach_device+0x16a
uhub_explore(c3fed000,0,c43b4247,d8,c468fd34,...) at uhub_explore+0x1ab
usb2_bus_explore(c468fd34,0,c43bcef3,51,c068fb40,...) at usb2_bus_explore+0xb9
usb2_process(c468fc70,e62c0d38,c061a74c,32d,c4646548,...) at usb2_process+0xda
fork_exit(c43a6390,c468fc70,e62c0d38) at fork_exit+0xb8
fork_trampoline() at fork_trampoline+0x8
--- trap 0, eip = 0, esp = 0xe62c0d70, ebp = 0 ---

Kernel page fault with the following non-sleepable locks held:
exclusive sleep mutex if_addr_mtx (if_addr_mtx) r = 0 (0xc3e67e40) locked @ /usr/local/src/sys/netinet/in.c:1041
exclusive sleep mutex in_multi_mtx (in_multi_mtx) r = 0 (0xc07f8ef4) locked @ /usr/local/src/sys/netinet/in.c:1033
KDB: stack backtrace:
db_trace_self_wrapper(c062190e,e62c0a4c,c04e5895,c062e0be,409,...) at db_trace_self_wrapper+0x26
kdb_backtrace(c062e0be,409,ffffffff,c07cadbc,e62c0a84,...) at kdb_backtrace+0x29
_witness_debugger(c0623c6d,e62c0a98,4,1,0,...) at _witness_debugger+0x25
witness_warn(5,0,c064050e,c3c8da90,c46a78c0,...) at witness_warn+0x1fd
trap(e62c0b24) at trap+0x153
calltrap() at calltrap+0x6
--- trap 0xc, eip = 0xc055454d, esp = 0xe62c0b64, ebp = 0xe62c0b84 ---
in_ifdetach(c3e67c00,c3e67e30,32b,e62c0bac,c4471ab1,...) at in_ifdetach+0x18d
if_detach(c3e67c00,0,c4465fec,416,20,...) at if_detach+0xfd
ndis_detach(c488ee00,1,c488ee00,c4669000,0,...) at ndis_detach+0x9a
ndisusb_detach(c488ee00,4,c0621186,9e8,c04ce619,...) at ndisusb_detach+0x5a
device_detach(c488ee00,c43b4f8a,c44c4840,6,2,...) at device_detach+0x8c
usb2_detach_device(c4669000,ff,1,10,c061cfc5,...) at usb2_detach_device+0x16a
uhub_explore(c3fed000,0,c43b4247,d8,c468fd34,...) at uhub_explore+0x1ab
usb2_bus_explore(c468fd34,0,c43bcef3,51,c068fb40,...) at usb2_bus_explore+0xb9
usb2_process(c468fc70,e62c0d38,c061a74c,32d,c4646548,...) at usb2_process+0xda
fork_exit(c43a6390,c468fc70,e62c0d38) at fork_exit+0xb8
fork_trampoline() at fork_trampoline+0x8
--- trap 0, eip = 0, esp = 0xe62c0d70, ebp = 0 ---

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x0
fault code = supervisor write, page not present
instruction pointer = 0x20:0xc055454d
stack pointer = 0x28:0xe62c0b64
frame pointer = 0x28:0xe62c0b84
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 832 (usbus4)

exclusive sleep mutex if_addr_mtx (if_addr_mtx) r = 0 (0xc3e67e40) locked @ /usr/local/src/sys/netinet/in.c:1041
exclusive sleep mutex in_multi_mtx (in_multi_mtx) r = 0 (0xc07f8ef4) locked @ /usr/local/src/sys/netinet/in.c:1033
exclusive sleep mutex Giant (Giant) r = 0 (0xc068b590) locked @ /usr/local/src/sys/modules/usb/usb/../../../dev/usb/controller/usb_controller.c:216
exclusive sx 123456789ABCDEF - USB config SX lock (123456789ABCDEF - USB config SX lock) r = 0 (0xc466903c) locked @ /usr/local/src/sys/modules/usb/usb/../../../dev/usb/usb_device.c:941
exclusive sleep mutex if_addr_mtx (if_addr_mtx) r = 0 (0xc3e67e40) locked @ /usr/local/src/sys/netinet/in.c:1041
exclusive sleep mutex in_multi_mtx (in_multi_mtx) r = 0 (0xc07f8ef4) locked @ /usr/local/src/sys/netinet/in.c:1033
exclusive sleep mutex Giant (Giant) r = 0 (0xc068b590) locked @ /usr/local/src/sys/modules/usb/usb/../../../dev/usb/controller/usb_controller.c:216
exclusive sx 123456789ABCDEF - USB config SX lock (123456789ABCDEF - USB config SX lock) r = 0 (0xc466903c) locked @ /usr/local/src/sys/modules/usb/usb/../../../dev/usb/usb_device.c:941
shared sx filedesc structure (filedesc structure) r = 0 (0xc412c12c) locked @ /usr/local/src/sys/kern/sys_generic.c:990
exclusive sleep mutex uhci2 (uhci2) r = 0 (0xc45dfe74) locked @ /usr/local/src/sys/modules/usb/usb/../../../dev/usb/usb_hub.c:1355

regards,
Weongyo Jeong
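
For triaging a report like the one above, the following added example (not part of the original message and not FreeBSD code) parses DDB/witness output into the faulting frame, the access type and the de-duplicated list of held locks. The names `triage` and `PAGE_SIZE` are hypothetical, and treating any fault address below one 4 KiB page as a NULL dereference is an assumption.

```python
import re

# Trimmed excerpt of the DDB/witness output quoted in the message above.
SAMPLE = """\
--- trap 0xc, eip = 0xc055454d, esp = 0xe62c0b64, ebp = 0xe62c0b84 ---
in_ifdetach(c3e67c00,c3e67e30,32b,e62c0bac,c4471ab1,...) at in_ifdetach+0x18d
if_detach(c3e67c00,0,c4465fec,416,20,...) at if_detach+0xfd
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x0
fault code = supervisor write, page not present
instruction pointer = 0x20:0xc055454d
exclusive sleep mutex if_addr_mtx (if_addr_mtx) r = 0 (0xc3e67e40) locked @ /usr/local/src/sys/netinet/in.c:1041
exclusive sleep mutex in_multi_mtx (in_multi_mtx) r = 0 (0xc07f8ef4) locked @ /usr/local/src/sys/netinet/in.c:1033
exclusive sleep mutex if_addr_mtx (if_addr_mtx) r = 0 (0xc3e67e40) locked @ /usr/local/src/sys/netinet/in.c:1041
"""

PAGE_SIZE = 4096  # assumption: 4 KiB pages; lower fault addresses count as NULL dereferences
FRAME = re.compile(r"^(\w+)\(.*\) at (\w+)\+(0x[0-9a-f]+)$")
LOCK = re.compile(r"^(exclusive|shared) (sleep mutex|sx) (.+?) \(.+?\) r = \d+ "
                  r"\((0x[0-9a-f]+)\) locked @ (\S+):(\d+)$")
FIELD = re.compile(r"^(fault virtual address|fault code|instruction pointer)\s*=\s*(.+)$")

def triage(text):
    """Summarise a 'Fatal trap 12' report: faulting frame, access type, held locks."""
    out = {"frame": None, "locks": []}
    after_trap = False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("--- trap 0xc"):
            after_trap = True  # the next frame line is where the page fault was taken
        elif (m := FRAME.match(line)) and after_trap and out["frame"] is None:
            out["frame"] = (m.group(2), int(m.group(3), 16))
        elif m := FIELD.match(line):
            out[m.group(1)] = m.group(2)
        elif m := LOCK.match(line):
            lock = (m.group(3), m.group(4), f"{m.group(5)}:{m.group(6)}")
            if lock not in out["locks"]:  # witness prints the same lock list more than once
                out["locks"].append(lock)
    addr = int(out.get("fault virtual address", "0xffffffff"), 16)
    out["null_deref"] = addr < PAGE_SIZE
    out["write"] = "write" in out.get("fault code", "")
    return out
```

On the excerpt, `triage(SAMPLE)` reports a NULL-pointer write taken at `in_ifdetach+0x18d` while `if_addr_mtx` and `in_multi_mtx` were held.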