Page MenuHomeFreeBSD
Differential D56497

virtio_p9fs: Fix kernel panic on module unload
ClosedPublic
Actions

Authored by arichardson on Apr 18 2026, 6:00 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Jun 14, 12:01 AM
Unknown Object (File)
Thu, Jun 4, 7:00 AM
Unknown Object (File)
Wed, Jun 3, 4:59 AM
Unknown Object (File)
Tue, May 26, 6:08 AM
Unknown Object (File)
Tue, May 26, 6:04 AM
Unknown Object (File)
May 15 2026, 4:16 AM
Unknown Object (File)
May 14 2026, 7:27 PM
Unknown Object (File)
May 14 2026, 4:36 PM
View All 32 Files
Subscribers
imp
zlei

Details

Reviewers
kib
markj
Commits
rG3fe5069ce2bf: virtio_p9fs: Fix kernel panic on module unload
Summary

The virtio_p9fs module event handler can be invoked multiple times.
Previously, this caused p9_init_zones() and p9_register_trans() to be
executed multiple times, leaking UMA zones and corrupting the transport
list. During module unload, p9_destroy_zones() was also called multiple
times on the same zone pointers, triggering a duplicate free kernel panic
in uma_zdestroy().

This patch introduces a static reference counter in vt9p_modevent() to
ensure the zones and transports are only initialized and destroyed exactly
once, aligning with the approach used by other virtio drivers like vtnet.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

arichardson created this revision.Apr 18 2026, 6:00 AM
Herald added a subscriber: imp. · View Herald TranscriptApr 18 2026, 6:00 AM
arichardson requested review of this revision.Apr 18 2026, 6:00 AM
Harbormaster completed remote builds in B72318: Diff 175820.Apr 18 2026, 6:00 AM
arichardson added a child revision: D56492: p9fs: Move UMA zone initialization to VFS module lifecycle.Apr 18 2026, 6:01 AM
kib accepted this revision.Apr 18 2026, 7:51 PM
This revision is now accepted and ready to land.Apr 18 2026, 7:51 PM
markj accepted this revision.Apr 21 2026, 1:21 PM
Closed by commit rG3fe5069ce2bf: virtio_p9fs: Fix kernel panic on module unload (authored by arichardson). · Explain WhyMay 7 2026, 5:03 AM
This revision was automatically updated to reflect the committed changes.
arichardson added a commit: rG3fe5069ce2bf: virtio_p9fs: Fix kernel panic on module unload.
zlei added a subscriber: zlei.May 7 2026, 8:39 AM
zlei added inline comments.
sys/dev/virtio/p9fs/virtio_p9fs.c
479

This makes me nervous about the whole lifecycle of a module. I noticed that the module event will be only invoked exactly once ( if successfully ) while I was hacking the SYSINITs .

The virtio_p9fs module event handler can be invoked multiple times.

How does it possible to happen ?

zlei added inline comments.May 7 2026, 10:02 AM
sys/dev/virtio/p9fs/virtio_p9fs.c
493

Ahh, I see what happened.

VIRTIO_DRIVER_MODULE expands to two different DRIVER_MODULE and both of them share the same modevent handler vt9p_modevent. So on module load, the event handler vt9p_modevent will be invoked twice.

Revision Contents
Changeset List

PathSize
sys/
dev/
virtio/
p9fs/
12 lines

Diff 177346

View Options

sys/dev/virtio/p9fs/virtio_p9fs.c

Loading...