From owner-freebsd-current@FreeBSD.ORG  Mon May 18 08:47:34 2009
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 006841065672;
	Mon, 18 May 2009 08:47:33 +0000 (UTC)
	(envelope-from hselasky@c2i.net)
Received: from swip.net (mailfe14.tele2.se [212.247.155.161])
	by mx1.freebsd.org (Postfix) with ESMTP id 35D878FC22;
	Mon, 18 May 2009 08:47:32 +0000 (UTC)
	(envelope-from hselasky@c2i.net)
X-Cloudmark-Score: 0.000000 []
X-Cloudmark-Analysis: v=1.0 c=1 a=x01RqrcTYZgA:10 a=bYLFNfMPybAA:10
	a=j+k/Ze5hWUCaCztCgEjzDQ==:17 a=6I5d2MoRAAAA:8
	a=0SyfTw2qVp_3weSCohYA:9 a=KG7o6BNqDIQg79z-6V4A:7
	a=ZHjOyVgRnGMO3rT5j2NDk6aTjSQA:4
Received: from [81.191.55.181] (account mc467741@c2i.net HELO laptop)
	by mailfe14.swip.net (CommuniGate Pro SMTP 5.2.13)
	with ESMTPA id 500280202; Mon, 18 May 2009 10:47:29 +0200
From: Hans Petter Selasky <hselasky@c2i.net>
To: freebsd-current@freebsd.org
Date: Mon, 18 May 2009 10:50:02 +0200
User-Agent: KMail/1.9.7
References: <90a5caac0905171354k6e7c008eye18bd69aa543eaa6@mail.gmail.com>
In-Reply-To: <90a5caac0905171354k6e7c008eye18bd69aa543eaa6@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Message-Id: <200905181050.03154.hselasky@c2i.net>
Cc: Lucius Windschuh <lwindschuh@googlemail.com>, current@freebsd.org
Subject: Re: Panics and potential memory corruption when pulling out a uath
	device
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 18 May 2009 08:47:34 -0000

On Sunday 17 May 2009, Lucius Windschuh wrote:
> panic: mtx_lock() of destroyed mutex @
> /usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c:1697
>
> (kgdb) bt
> #0 =C2=A0doadump () at pcpu.h:246
> #1 =C2=A00xc04949c9 in db_fncall (dummy1=3D-979506816, dummy2=3D0,
> dummy3=3D-1068655593, dummy4=3D0xf3c47988 "@\231\235=EF=BF=BD001") at
> /usr/src/sys/ddb/db_command.c:548
> #2 =C2=A00xc0494dc1 in db_command (last_cmdp=3D0xc0989c9c, cmd_table=3D0x=
0,
> dopager=3D1) at /usr/src/sys/ddb/db_command.c:445
> #3 =C2=A00xc0494f1a in db_command_loop () at /usr/src/sys/ddb/db_command.=
c:498
> #4 =C2=A00xc0496d7d in db_trap (type=3D3, code=3D0) at
> /usr/src/sys/ddb/db_main.c:229 #5 =C2=A00xc06579d6 in kdb_trap (type=3D3,=
 code=3D0,
> tf=3D0xf3c47b2c) at
> /usr/src/sys/kern/subr_kdb.c:534
> #6 =C2=A00xc088bdce in trap (frame=3D0xf3c47b2c) at
> /usr/src/sys/i386/i386/trap.c:685 #7 =C2=A00xc086f6fb in calltrap () at
> /usr/src/sys/i386/i386/exception.s:165 #8 =C2=A00xc0657b5a in kdb_enter
> (why=3D0xc08f8592 "panic", msg=3D0xc08f8592 "panic") at cpufunc.h:71
> #9 =C2=A00xc062a1a6 in panic (fmt=3D0xc08f6f47 "mtx_lock() of destroyed m=
utex
> @ %s:%d") at /usr/src/sys/kern/kern_shutdown.c:559
> #10 0xc061a925 in _mtx_lock_flags (m=3D0xc6af26b8, opts=3D0,
> file=3D0xc858faff
> "/usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c",
> line=3D1697) at /usr/src/sys/kern/kern_mutex.c:174
> #11 0xc857445e in ieee80211_node_delucastkey (ni=3D0xc6af8000) at
> /usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c:1697
> #12 0xc85760d6 in node_free (ni=3D0xc6af8000) at
> /usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c:999
> #13 0xc8573992 in _ieee80211_free_node (ni=3D0xc6af8000) at
> /usr/src/sys/modules/wlan/../../net80211/ieee80211_node.c:1622
> #14 0xc84f5af0 in uath_bulk_tx_callback () from /boot/kernel/if_uath.ko
> #15 0xc0594d27 in usb2_callback_wrapper (pq=3D0xc9448030) at
> /usr/src/sys/dev/usb/usb_transfer.c:1962
> #16 0xc0592716 in usb2_command_wrapper (pq=3D0xc9448030, xfer=3D0x0) at
> /usr/src/sys/dev/usb/usb_transfer.c:2538
> #17 0xc05927f8 in usb2_callback_proc (_pm=3D0xc9448044) at
> /usr/src/sys/dev/usb/usb_transfer.c:1834
> #18 0xc058febe in usb2_process (arg=3D0xc58d8ca4) at
> /usr/src/sys/dev/usb/usb_process.c:139
> #19 0xc06036e8 in fork_exit (callout=3D0xc058fde0 <usb2_process>,
> arg=3D0xc58d8ca4, frame=3D0xf3c47d38) at /usr/src/sys/kern/kern_fork.c:830
> #20 0xc086f7a0 in fork_trampoline () at
> /usr/src/sys/i386/i386/exception.s:270

Regarding the first panic, there seems to be a detach race in both upgt and=
=20
uath, which is not USB related. Try this patch:

http://perforce.freebsd.org/chv.cgi?CH=3D162250

=2D-HPS