Message-Id: <200610062324.k96NO77v001382@homelynx.homenet>
Date: Sat, 7 Oct 2006 02:24:07 +0300 (EEST)
From: Dmitry Pryanishnikov <lynx.ripe@gmail.com>
Reply-To: Dmitry Pryanishnikov <lynx.ripe@gmail.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kldunload fdc.ko leads to panic: mutex Giant owned
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         104079
>Category:       kern
>Synopsis:       [fdc] [patch] kldunload fdc.ko leads to panic: mutex Giant owned
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 06 23:30:26 GMT 2006
>Closed-Date:    Wed Mar 24 16:27:45 UTC 2010
>Last-Modified:  Wed Mar 24 16:27:45 UTC 2010
>Originator:     Dmitry Pryanishnikov
>Release:        FreeBSD 6.2-PRERELEASE i386
>Organization:
Atlantis ISP
>Environment:
System: FreeBSD homelynx.homenet 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0: Fri Oct 6 23:51:35 EEST 2006 root@homelynx.homenet:/usr/obj/usr/RELENG_6/src/sys/lynx i386

>Description:
  When fdc.ko is loaded via the loader and then unloaded by 'kldunload fdc.ko',
  the following panic happens using an INVARIANTS-enabled kernel:
  
  panic: mutex Giant owned at /usr/RELENG_6/src/sys/modules/fdc/../../dev/fdc/fdc.c:1984

  Here is the relevant part of the backtrace:

#11 0xc04999d3 in panic (fmt=0xc05eda72 "mutex %s owned at %s:%d")
    at /usr/RELENG_6/src/sys/kern/kern_shutdown.c:549
        td = (struct thread *) 0xc36aea80
        bootopt = 256
        newpanic = 1
        ap = 0xe56abbdc "7^s}\a"
        buf = "mutex Giant owned at /usr/RELENG_6/src/sys/modules/fdc/../../dev/fdc/fdc.c:1984", '\0' <repeats 176 times>
#12 0xc0491ed8 in _mtx_assert (m=0xc063f7c0, what=-1056878592,
    file=0xc07d73cb "/usr/RELENG_6/src/sys/modules/fdc/../../dev/fdc/fdc.c",
    line=1984) at /usr/RELENG_6/src/sys/kern/kern_mutex.c:781
No locals.
#13 0xc07d65c2 in fd_detach (dev=0xc36d1200)
    at /usr/RELENG_6/src/sys/modules/fdc/../../dev/fdc/fdc.c:1984
        fd = (struct fd_data *) 0xc36e0300
#14 0xc04adddc in device_detach (dev=0xc36d1200) at device_if.h:211
No locals.
#15 0xc04acb18 in devclass_delete_driver (busclass=0xc3634400,
    driver=0xc07d8030) at /usr/RELENG_6/src/sys/kern/subr_bus.c:927
        dc = 0xc36343c0
        dl = 0xc360f840
        dev = 0xc36d1200
        i = 0
        error = 18
#16 0xc04af6a1 in driver_module_handler (mod=0xc328a780, what=1,
    arg=0xc07d801c) at /usr/RELENG_6/src/sys/kern/subr_bus.c:3743
        error = -1016904704
        dmd = (struct driver_module_data *) 0xc07d801c
        bus_devclass = 0xc3634400
        driver = 0x1
#17 0xc0491437 in module_unload (mod=0xc328a780, flags=0)
    at /usr/RELENG_6/src/sys/kern/kern_module.c:240
        error = 18
#18 0xc048bfb6 in linker_file_unload (file=0xc35a0700, flags=0)
    at /usr/RELENG_6/src/sys/kern/kern_linker.c:512
        mod = 0xc328a780
        next = 0xc328a740
        ml = 0xc1015000
        nextml = 0xc328a780
        cp = (struct common_symbol *) 0xc1015000
        error = 0
        i = -1020745856
#19 0xc048c748 in kern_kldunload (td=0xc35a0700, fileid=26, flags=0)
    at /usr/RELENG_6/src/sys/kern/kern_linker.c:828
        lf = 0xc35a0700
        error = 2
#20 0xc048c7a6 in kldunloadf (td=0xc36aea80, uap=0x0)
    at /usr/RELENG_6/src/sys/kern/kern_linker.c:858
No locals.
#21 0xc05c3feb in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 26, tf_esi = -1077940458,
       tf_ebp = -1077940696, tf_isp = -445989532, tf_ebx = 1, tf_edx = 0,
       tf_ecx = 1, tf_eax = 444, tf_trapno = 12, tf_err = 2,
       tf_eip = -2012504617, tf_cs = 51, tf_eflags = 658,
       tf_esp = -1077941828, tf_ss = 59})
    at /usr/RELENG_6/src/sys/i386/i386/trap.c:983
        params = 0xbfbfe9c0 <Address 0xbfbfe9c0 out of bounds>
        callp = (struct sysent *) 0xc061a7b0
        td = (struct thread *) 0xc36aea80
							
>How-To-Repeat:
    Build the kernel w/o fdc and with INVARIANTS, add
    
    fdc_load="YES"
    
    to /boot/loader.conf, reboot into single-user mode (just to prevent
    possible FS corruption), configure the crash dump device with
    
    dumpon -v /dev/_your_swap_partition_
    
    and just do
    
    kldunload fdc.ko

>Fix:
    Unknown.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: kmacy 
State-Changed-When: Fri Nov 16 10:06:42 UTC 2007 
State-Changed-Why:  

Does this still occur? I don't see how it could happen with the code in HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=104079 

From: "Dmitry Pryanishnikov" <lynx.ripe@gmail.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/104079: [fdc] kldunload fdc.ko leads to panic: mutex Giant owned
Date: Sun, 25 Nov 2007 22:48:48 +0200

 Hello!
 
 2007/11/16, kmacy@freebsd.org <kmacy@freebsd.org>:
 > Synopsis: [fdc] kldunload fdc.ko leads to panic: mutex Giant owned
 >
 > State-Changed-From-To: open->feedback
 > State-Changed-By: kmacy
 > State-Changed-When: Fri Nov 16 10:06:42 UTC 2007
 > State-Changed-Why:
 >
 > Does this still occur? I don't see how it could happen with the code in HEAD.
 >
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=104079
 >
 
   Believe it or not - it still happens with HEAD csupped as of 21.11.07.
 The backtrace looks similar to the RELENG_6 case. I'll keep my test HEAD
 installation and the resulting coredump for a while, so I'll be able to
 provide additional details upon request.
 
 
 --
 Sincerely, Dmitry
 nic-hdl: LYNX-RIPE
State-Changed-From-To: feedback->open 
State-Changed-By: gavin 
State-Changed-When: Sat Jan 26 19:07:47 UTC 2008 
State-Changed-Why:  
Feedback was received 

http://www.freebsd.org/cgi/query-pr.cgi?pr=104079 

From: Jaakko Heinonen <jh@saunalahti.fi>
To: bug-followup@FreeBSD.org, lynx.ripe@gmail.com
Cc:  
Subject: Re: kern/104079: [fdc] kldunload fdc.ko leads to panic: mutex
	Giant owned
Date: Tue, 11 Nov 2008 18:08:30 +0200

 On module unload fd_detach() is called with Giant held. The problem is
 that fd_detach() tries to acquire the GEOM topology lock (sx lock).
 This is not allowed under Giant.
 
 There are also other bugs related to loading/unloading the fdc module:
 
 * The return value from g_modevent() is ignored. fdc_modevent() always
   returns success even if g_modevent() fails.
 * g_wither_geom() races against module unload. Withering is not
   guaranteed to finish in finite time. If withering doesn't finish
   before the g_modevent() call, the module unload fails. Combined with
   the ignored g_modevent() return value, the result is a panic in the
   g_event thread.
   (It looks like the g_wither_geom() race against module unload is a
   common problem with many geom classes. atapicd is affected for sure.)
 * When loading the module, fdc_attach() must be completed before
   fd_attach(). However, fd_attach() runs before fdc_attach().
 
 The following patch works around some of the problems. We can do withering
 as a geom event to avoid calling g_wither_geom() under Giant. The makefile
 hack is to change the order of fd_attach() and fdc_attach(). If someone
 knows a better way to change the ordering, I am happy to hear it.
 (The DRIVER_MODULE() macro doesn't take an order (SI_ORDER_*) as an argument.)
 
 The patch doesn't address the g_wither_geom() race (except that checking
 the g_modevent() return value may prevent a panic in some cases).
 
 %%%
 Index: sys/modules/fdc/Makefile
 ===================================================================
 --- sys/modules/fdc/Makefile	(revision 184512)
 +++ sys/modules/fdc/Makefile	(working copy)
 @@ -7,11 +7,12 @@ KMOD=	fdc
  SRCS=	fdc.c fdc_cbus.c
  .else
  .PATH:  ${.CURDIR}/../../dev/fdc
 -SRCS=	fdc.c fdc_isa.c fdc_pccard.c
 +SRCS=	fdc_isa.c fdc_pccard.c
  .if ${MACHINE} == "i386" || ${MACHINE} == "amd64"
  CFLAGS+= -I${.CURDIR}/../../contrib/dev/acpica
  SRCS+=	opt_acpi.h acpi_if.h fdc_acpi.c
  .endif
 +SRCS+=	fdc.c
  .endif
  
  SRCS+=	opt_fdc.h bus_if.h card_if.h device_if.h \
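Review bot: moving fdc.c to the end of SRCS makes the attach order depend on the order of the source list, and nothing in the Makefile says so; the next cleanup that sorts SRCS will silently undo it. Add a comment above the new `SRCS+=	fdc.c` line stating that fdc.c must come after the bus front-ends and why. The first branch of the conditional still reads `SRCS=	fdc.c fdc_cbus.c`, so if the ordering matters there too it needs the same change.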
 Index: sys/dev/fdc/fdc.c
 ===================================================================
 --- sys/dev/fdc/fdc.c	(revision 184512)
 +++ sys/dev/fdc/fdc.c	(working copy)
 @@ -2012,15 +2012,22 @@ fd_attach(device_t dev)
  	return (0);
  }
  
 +static void
 +fd_detach_geom(void *arg, int flag)
 +{
 +	struct	fd_data *fd = arg;
 +
 +	g_topology_assert();
 +	g_wither_geom(fd->fd_geom, ENXIO);
 +}
 +
  static int
  fd_detach(device_t dev)
  {
  	struct	fd_data *fd;
  
  	fd = device_get_softc(dev);
 -	g_topology_lock();
 -	g_wither_geom(fd->fd_geom, ENXIO);
 -	g_topology_unlock();
 +	g_waitfor_event(fd_detach_geom, fd, M_WAITOK, NULL);
  	while (device_get_state(dev) == DS_BUSY)
  		tsleep(fd, PZERO, "fdd", hz/10);
  	callout_drain(&fd->toffhandle);
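Review bot: in fd_detach() the return value of g_waitfor_event() is discarded, so the DS_BUSY wait loop and callout_drain() run even if the event was never executed. Either check it, e.g. `error = g_waitfor_event(fd_detach_geom, fd, M_WAITOK, NULL);` followed by `if (error) return (error);`, or add a comment saying why it cannot fail with M_WAITOK and no reference pointers.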
 @@ -2049,8 +2056,7 @@ static int
  fdc_modevent(module_t mod, int type, void *data)
  {
  
 -	g_modevent(NULL, type, &g_fd_class);
 -	return (0);
 +	return (g_modevent(NULL, type, &g_fd_class));
  }
  
  DRIVER_MODULE(fd, fdc, fd_driver, fd_devclass, fdc_modevent, 0);
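Review bot: fdc_modevent() now hands g_modevent()'s error straight back for every event type, so a kldunload can fail where it used to report success; per the mail above that happens when withering has not finished. A short comment here naming that case would tell the next reader that a non-zero return on unload is expected and not a regression.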
 %%%
 
 -- 
 Jaakko
Responsible-Changed-From-To: freebsd-bugs->jh 
Responsible-Changed-By: jh 
Responsible-Changed-When: Tue Nov 3 16:50:32 UTC 2009 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=104079 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/104079: commit references a PR
Date: Tue,  3 Nov 2009 19:05:19 +0000 (UTC)

 Author: jh
 Date: Tue Nov  3 19:05:05 2009
 New Revision: 198857
 URL: http://svn.freebsd.org/changeset/base/198857
 
 Log:
   fdc(4) module unload fixes:
   
   - Tear down the interrupt handler before killing the worker thread.
   - Do geom withering as GEOM event to avoid acquiring the GEOM topology
     lock under Giant.
   
   PR:		kern/104079
   Reviewed by:	joerg
   Approved by:	trasz (mentor)
 
 Modified:
   head/sys/dev/fdc/fdc.c
 
 Modified: head/sys/dev/fdc/fdc.c
 ==============================================================================
 --- head/sys/dev/fdc/fdc.c	Tue Nov  3 18:40:42 2009	(r198856)
 +++ head/sys/dev/fdc/fdc.c	Tue Nov  3 19:05:05 2009	(r198857)
 @@ -1734,6 +1734,10 @@ fdc_detach(device_t dev)
  	if ((error = bus_generic_detach(dev)))
  		return (error);
  
 +	if (fdc->fdc_intr)
 +		bus_teardown_intr(dev, fdc->res_irq, fdc->fdc_intr);
 +	fdc->fdc_intr = NULL;
 +
  	/* kill worker thread */
  	mtx_lock(&fdc->fdc_mtx);
  	fdc->flags |= FDC_KTHREAD_EXIT;
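Review bot: the reason the new bus_teardown_intr() call sits above the "kill worker thread" block is recorded only in the commit log. Put a one-line comment on it in fdc_detach() saying the handler must be gone before the thread is told to exit; without it the ordering looks arbitrary and is easy to move back.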
 @@ -2031,15 +2035,22 @@ fd_attach(device_t dev)
  	return (0);
  }
  
 +static void
 +fd_detach_geom(void *arg, int flag)
 +{
 +	struct	fd_data *fd = arg;
 +
 +	g_topology_assert();
 +	g_wither_geom(fd->fd_geom, ENXIO);
 +}
 +
  static int
  fd_detach(device_t dev)
  {
  	struct	fd_data *fd;
  
  	fd = device_get_softc(dev);
 -	g_topology_lock();
 -	g_wither_geom(fd->fd_geom, ENXIO);
 -	g_topology_unlock();
 +	g_waitfor_event(fd_detach_geom, fd, M_WAITOK, NULL);
  	while (device_get_state(dev) == DS_BUSY)
  		tsleep(fd, PZERO, "fdd", hz/10);
  	callout_drain(&fd->toffhandle);
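Review bot: fd_detach_geom() never looks at its `flag` argument. GEOM event handlers are also invoked with EV_CANCEL when an event is cancelled, and the usual pattern is `if (flag == EV_CANCEL) return;` before touching the topology. With a NULL reference list that path may be unreachable here, but a check or a comment would make that explicit.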
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: jh 
State-Changed-When: Tue Nov 3 19:16:08 UTC 2009 
State-Changed-Why:  
There are still some issues left but r198857 should fix the reported panic. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=104079 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/104079: commit references a PR
Date: Wed, 23 Dec 2009 11:35:38 +0000 (UTC)

 Author: jh
 Date: Wed Dec 23 11:35:25 2009
 New Revision: 200895
 URL: http://svn.freebsd.org/changeset/base/200895
 
 Log:
   MFC r198520, r198857: fdc(4) module unload fixes
   
   PR:		kern/104079
   Approved by:	trasz (mentor)
 
 Modified:
   stable/8/sys/dev/fdc/fdc.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
   stable/8/sys/dev/xen/xenpci/   (props changed)
 
 Modified: stable/8/sys/dev/fdc/fdc.c
 ==============================================================================
 --- stable/8/sys/dev/fdc/fdc.c	Wed Dec 23 08:22:48 2009	(r200894)
 +++ stable/8/sys/dev/fdc/fdc.c	Wed Dec 23 11:35:25 2009	(r200895)
 @@ -1734,6 +1734,10 @@ fdc_detach(device_t dev)
  	if ((error = bus_generic_detach(dev)))
  		return (error);
  
 +	if (fdc->fdc_intr)
 +		bus_teardown_intr(dev, fdc->res_irq, fdc->fdc_intr);
 +	fdc->fdc_intr = NULL;
 +
  	/* kill worker thread */
  	mtx_lock(&fdc->fdc_mtx);
  	fdc->flags |= FDC_KTHREAD_EXIT;
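Review bot: the result of bus_teardown_intr() in fdc_detach() is dropped and fdc->fdc_intr is cleared regardless. If teardown fails, the handler stays installed while the code goes on to stop the worker thread; check the return value and bail out the way the bus_generic_detach() call just above does.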
 @@ -2031,15 +2035,22 @@ fd_attach(device_t dev)
  	return (0);
  }
  
 +static void
 +fd_detach_geom(void *arg, int flag)
 +{
 +	struct	fd_data *fd = arg;
 +
 +	g_topology_assert();
 +	g_wither_geom(fd->fd_geom, ENXIO);
 +}
 +
  static int
  fd_detach(device_t dev)
  {
  	struct	fd_data *fd;
  
  	fd = device_get_softc(dev);
 -	g_topology_lock();
 -	g_wither_geom(fd->fd_geom, ENXIO);
 -	g_topology_unlock();
 +	g_waitfor_event(fd_detach_geom, fd, M_WAITOK, NULL);
  	while (device_get_state(dev) == DS_BUSY)
  		tsleep(fd, PZERO, "fdd", hz/10);
  	callout_drain(&fd->toffhandle);
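Review bot: nothing in fd_detach() records why withering goes through g_waitfor_event() instead of taking the topology lock directly; the Giant restriction is stated only in the r198857 log. A comment above the call would stop someone from simplifying it back to g_topology_lock()/g_topology_unlock().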
 @@ -2068,8 +2079,7 @@ static int
  fdc_modevent(module_t mod, int type, void *data)
  {
  
 -	g_modevent(NULL, type, &g_fd_class);
 -	return (0);
 +	return (g_modevent(NULL, type, &g_fd_class));
  }
  
  DRIVER_MODULE(fd, fdc, fd_driver, fd_devclass, fdc_modevent, 0);
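Review bot: the log for this merge says only "fdc(4) module unload fixes", but the fdc_modevent() hunk makes a module event return g_modevent()'s error on stable/8 where it used to return 0. That is a user-visible change on a stable branch and deserves a line in the commit message.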
 
State-Changed-From-To: patched->closed 
State-Changed-By: jh 
State-Changed-When: Wed Mar 24 16:27:44 UTC 2010 
State-Changed-Why:  
The reported panic has been fixed in head and stable/8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=104079 
>Unformatted:
