Re: mutex_oncpu() called on destroyed mutex? (was: repeated panics in mutex_vector_enter (from unp_thread))

To: Edgar Fuß <ef%math.uni-bonn.de@localhost>
Subject: Re: mutex_oncpu() called on destroyed mutex? (was: repeated panics in mutex_vector_enter (from unp_thread))
From: Jason Thorpe <thorpej%me.com@localhost>
Date: Tue, 07 Aug 2018 11:11:38 -0700


> On Aug 7, 2018, at 9:44 AM, Edgar Fuß <ef%math.uni-bonn.de@localhost> wrote:
> 
> I observe this on 6.1, but I can't see the relevant code changed in current.
> 
> mutex_vector_enter() does (-current uses KPREMPT_* macros)
> 
> 	do {
> 		kpreempt_enable();
> 		SPINLOCK_BACKOFF(count);
> 		kpreempt_disable();
> 		owner = mtx->mtx_owner;
> 	} while (mutex_oncpu(owner));
> 
> and my problem seems to be owner == MUTEX_THREAD (i.e. the mutex destroyed) 
> the time mutex_oncpu(owner) is called.
> 
> My understanding of locking is limited (close to zero) but why shouldn't 
> the mutex in question be destroyed during the preemption-enabled period?
> 
> I must be missing something.

It could be destroyed by another thread on a different CPU.  Disabling preemption only affects the CPU that disabled it.

Sounds like this is just a classic use-after-free problem.  What's the stack trace of the panic?  Is the mutex embedded in some ephemeral data structure?

-- thorpej

Follow-Ups:
- Re: mutex_oncpu() called on destroyed mutex?
  - From: Edgar Fuß

References:
- repeated panics in mutex_vector_enter (from unp_thread)
  - From: Edgar Fuß
- mutex_oncpu() called on destroyed mutex? (was: repeated panics in mutex_vector_enter (from unp_thread))
  - From: Edgar Fuß

Prev by Date: Re: ddb input via IPMI virtual console
Next by Date: Re: mutex_oncpu() called on destroyed mutex?
Previous by Thread: mutex_oncpu() called on destroyed mutex? (was: repeated panics in mutex_vector_enter (from unp_thread))
Next by Thread: Re: mutex_oncpu() called on destroyed mutex?
Indexes:

Home | Main Index | Thread Index | Old Index