Date: Wed, 2 May 2007 14:24:54 -0400 From: Kris Kennaway <kris@obsecurity.org> To: net@FreeBSD.org Subject: panic: mtx_lock() of destroyed mutex @ ../../../net/route.c:1306 Message-ID: <20070502182454.GA41598@xor.obsecurity.org>
next in thread | raw e-mail | index | archive | help
--gBBFr7Ir9EOA20Yy
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
One of my 7.0 systems has a flaky gateway, and when it goes down the
node often goes down with this panic:
panic: mtx_lock() of destroyed mutex @ ../../../net/route.c:1306
cpuid = 0
KDB: enter: panic
[thread pid 28619 tid 100074 ]
Stopped at kdb_enter+0x68: ta %xcc, 1
db> wh
Tracing pid 28619 tid 100074 td 0xfffff800140e87e0
panic() at panic+0x248
_mtx_lock_flags() at _mtx_lock_flags+0x8c
rt_check() at rt_check+0x128
arpresolve() at arpresolve+0x98
ether_output() at ether_output+0x94
ip_output() at ip_output+0xc64
udp_output() at udp_output+0x680
udp_send() at udp_send+0x38
sosend_dgram() at sosend_dgram+0x3e0
sosend() at sosend+0x74
kern_sendit() at kern_sendit+0x14c
sendit() at sendit+0x1d4
sendto() at sendto+0x48
syscall() at syscall+0x2f8
-- syscall (133, FreeBSD ELF64, sendto) %o7=0x40aa68ac --
I suspect locking is broken in an error case. net/route.c:1306 is in
the senderr() macro in rt_check():
/* XXX BSD/OS checks dst->sa_family != AF_NS */
if (rt->rt_flags & RTF_GATEWAY) {
if (rt->rt_gwroute == NULL)
goto lookup;
rt = rt->rt_gwroute;
bewm --> RT_LOCK(rt); /* NB: gwroute */
if ((rt->rt_flags & RTF_UP) == 0) {
rtfree(rt); /* unlock gwroute */
rt = rt0;
Kris
--gBBFr7Ir9EOA20Yy
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
iD8DBQFGONd2Wry0BWjoQKURAkZgAJ9Rr6aYxPdsdsqYoLe1Z/V+xr0wJwCgpAI5
qj8wrx9rTPqhEx5ZcimjBcU=
=BrhP
-----END PGP SIGNATURE-----
--gBBFr7Ir9EOA20Yy--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070502182454.GA41598>