Date: Fri, 5 Feb 2010 12:06:43 +0200 From: Kostik Belousov <kostikbel@gmail.com> To: Andrew Gallatin <gallatin@cs.duke.edu> Cc: freebsd-hackers@freebsd.org Subject: Re: devfs panic w/INVARIANTS Message-ID: <20100205100643.GQ15587@deviant.kiev.zoral.com.ua> In-Reply-To: <4B6B30BC.7030107@cs.duke.edu> References: <4B6B30BC.7030107@cs.duke.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
--U+NfgObvpQT1Q9Yq Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Feb 04, 2010 at 03:40:28PM -0500, Andrew Gallatin wrote: > I've got a commercial driver that uses device cloning. > At unload time, the driver calls clone_cleanup(). When I unload > the driver when the kernel is built with INVARIANTS, I'll see a > panic in devfs_populate_loop(). This happens in 6-stable, > as well as 8-stable. >=20 > From what I can see the clone has been freed, but it > remains on the devfs cdevp_list. Then the next time > devfs_populate_loop() is called, it trips over the bad > entry (cdp->cdp_dirents points to 0xdeadc0dedeadc0de) > See appended kgdb session. >=20 > If I trace the code path, it looks like clone_cleanup() > calls destroy_devl(). And destroy_devl() will eventually > call devfs_free() if the si_refcnt is zero. But I don't > see anything which will get the cdev removed from > the cdevp_list prior to it being freed. >=20 > The only code I see which will get the cdev removed from > the cdevp_list() seems to be the "GC any lingering devices" > block in devfs_populate_loop >=20 > What am I missing? You did not mentioned it, but my guess is that you create clones from the dev_clone event handler. Please note that devfs_lookup() that fires dev_clone event, consumes a device reference. Thus clone handlers shall do dev_ref(). Due to races with cleanup, you should use MAKEDEV_REF flag for make_dev_credv(9) KPI instead of doing make_dev()/dev_ref() pair. That said, do you really need clones at all ? --U+NfgObvpQT1Q9Yq Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD) iEYEARECAAYFAktr7bMACgkQC3+MBN1Mb4jGpgCg3IgMWZSS8Y5S5VoYdizbL5Zg 6xIAoLj2BoZxbjtThCVR+lG1uWtttqkk =i4F5 -----END PGP SIGNATURE----- --U+NfgObvpQT1Q9Yq--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100205100643.GQ15587>