Change Details

Because we do not drain the hdac callout during detach, hot-unloading can result in a panic if the callback fires after we have freed the resources it uses. \# kldunload snd_hda pcm0: detached pcm1: detached hdaa0: detached hdacc0: detached Kernel page fault with the following non-sleepable locks held: exclusive sleep mutex hdac0 (HDA driver mutex) r = 0 (0xfffffe000212c820) locked @ /mnt/src/sys/dev/sound/pci/hda/hdac.c:400 stack backtrace: \#0 0xffffffff811c97df at witness_debugger+0x13f \#1 0xffffffff811cb364 at witness_warn+0x674 \#2 0xffffffff81a212c6 at trap_pfault+0x116 \#3 0xffffffff81a2023c at trap+0x54c \#4 0xffffffff819dc7f8 at calltrap+0x8 \#5 0xffffffff8412d05c at hdac_intr_handler+0x15c \#6 0xffffffff81066e17 at ithread_loop+0x387 \#7 0xffffffff81060e93 at fork_exit+0xa3 \#8 0xffffffff819dd85e at fork_trampoline+0xe Fatal trap 12: page fault while in kernel mode cpuid = 1; apic id = 01 fault virtual address = 0x180 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff8412e7ec stack pointer = 0x0:0xfffffe0046b04d20 frame pointer = 0x0:0xfffffe0046b04d40 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 12 (irq59: hdac0) rdi: fffffe005d38e288 rsi: ffffffff8413b1c8 rdx: 0000000000000030 rcx: 0000000000000000 r8: 0000000000000001 r9: 0000000000000002 rax: fffffe00024cc800 rbx: 0000000000000002 rbp: fffffe0046b04d40 r10: 3433313533372e30 r11: 0000000000000006 r12: fffffe005d38e200 r13: 0000000000000005 r14: 0000000000000001 r15: fffffe005d38e500 trap number = 12 panic: page fault cpuid = 1 time = 1745701580 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe0046b04490 kdb_backtrace() at kdb_backtrace+0xc6/frame 0xfffffe0046b045f0 vpanic() at vpanic+0x226/frame 0xfffffe0046b04790 panic() at panic+0xb5/frame 0xfffffe0046b04850 trap_fatal() at trap_fatal+0x65b/frame 0xfffffe0046b04950 trap_pfault() at trap_pfault+0x12b/frame 0xfffffe0046b04a70 trap() at trap+0x54c/frame 0xfffffe0046b04c50 calltrap() at calltrap+0x8/frame 0xfffffe0046b04c50 --- trap 0xc, rip = 0xffffffff8412e7ec, rsp = 0xfffffe0046b04d20, rbp = 0xfffffe0046b04d40 --- hdacc_stream_intr() at hdacc_stream_intr+0x3c/frame 0xfffffe0046b04d40 hdac_intr_handler() at hdac_intr_handler+0x15c/frame 0xfffffe0046b04d90 ithread_loop() at ithread_loop+0x387/frame 0xfffffe0046b04ef0 fork_exit() at fork_exit+0xa3/frame 0xfffffe0046b04f30 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0046b04f30 --- trap 0xc, rip = 0x829cc531a, rsp = 0x82b8b7a88, rbp = 0x82b8b7aa0 --- KDB: enter: panic [ thread pid 12 tid 100211 ] Stopped at kdb_enter+0x34: movq $0,0x1f09af1(%rip) db> Sponsored by: The FreeBSD Foundation MFC after: 1 week

Because we do not drain the hdac callout during detach, hot-unloading can result in a panic if the callback fires after we have freed the resources it uses. pcm0: detached pcm1: detached hdaa0: detached hdacc0: detached Kernel page fault with the following non-sleepable locks held: exclusive sleep mutex hdac0 (HDA driver mutex) r = 0 (0xfffffe000212c820) locked @ /mnt/src/sys/dev/sound/pci/hda/hdac.c:400 [...] db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe0046b04490 kdb_backtrace() at kdb_backtrace+0xc6/frame 0xfffffe0046b045f0 vpanic() at vpanic+0x226/frame 0xfffffe0046b04790 panic() at panic+0xb5/frame 0xfffffe0046b04850 trap_fatal() at trap_fatal+0x65b/frame 0xfffffe0046b04950 trap_pfault() at trap_pfault+0x12b/frame 0xfffffe0046b04a70 trap() at trap+0x54c/frame 0xfffffe0046b04c50 calltrap() at calltrap+0x8/frame 0xfffffe0046b04c50 --- trap 0xc, rip = 0xffffffff8412e7ec, rsp = 0xfffffe0046b04d20, rbp = 0xfffffe0046b04d40 --- hdacc_stream_intr() at hdacc_stream_intr+0x3c/frame 0xfffffe0046b04d40 hdac_intr_handler() at hdac_intr_handler+0x15c/frame 0xfffffe0046b04d90 ithread_loop() at ithread_loop+0x387/frame 0xfffffe0046b04ef0 fork_exit() at fork_exit+0xa3/frame 0xfffffe0046b04f30 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0046b04f30 --- trap 0xc, rip = 0x829cc531a, rsp = 0x82b8b7a88, rbp = 0x82b8b7aa0 --- KDB: enter: panic [ thread pid 12 tid 100211 ] Stopped at kdb_enter+0x34: movq $0,0x1f09af1(%rip) db> Sponsored by: The FreeBSD Foundation MFC after: 1 week

Because we do not drain the hdac callout during detach, hot-unloading can result in a panic if the callback fires after we have freed the resources it uses. \# kldunload snd_hda pcm0: detached pcm1: detached hdaa0: detached hdacc0: detached Kernel page fault with the following non-sleepable locks held: exclusive sleep mutex hdac0 (HDA driver mutex) r = 0 (0xfffffe000212c820) locked @ /mnt/src/sys/dev/sound/pci/hda/hdac.c:400 stack backtrace: \#0 0xffffffff811c97df at witness_debugger+0x13f \#1 0xffffffff811cb364 at witness_warn+0x674 \#2 0xffffffff81a212c6 at trap_pfault+0x116 \#3 0xffffffff81a2023c at trap+0x54c \#4 0xffffffff819dc7f8 at calltrap+0x8 \#5 0xffffffff8412d05c at hdac_intr_handler+0x15c \#6 0xffffffff81066e17 at ithread_loop+0x387 \#7 0xffffffff81060e93 at fork_exit+0xa3 \#8 0xffffffff819dd85e at fork_trampoline+0xe Fatal trap 12: page fault while in kernel mode cpuid = 1; apic id = 01 fault virtual address = 0x180 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff8412e7ec stack pointer = 0x0:0xfffffe0046b04d20 frame pointer = 0x0:0xfffffe0046b04d40 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 12 (irq59: hdac0) rdi: fffffe005d38e288 rsi: ffffffff8413b1c8 rdx: 0000000000000030 rcx: 0000000000000000 r8: 0000000000000001 r9: 0000000000000002 rax: fffffe00024cc800 rbx: 0000000000000002 rbp: fffffe0046b04d40 r10: 3433313533372e30 r11: 0000000000000006 r12: fffffe005d38e200 r13: 0000000000000005 r14: 0000000000000001 r15: fffffe005d38e500 trap number = 12 panic: page fault cpuid = 1 time = 1745701580[...] KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0xa5/frame 0xfffffe0046b04490 kdb_backtrace() at kdb_backtrace+0xc6/frame 0xfffffe0046b045f0 vpanic() at vpanic+0x226/frame 0xfffffe0046b04790 panic() at panic+0xb5/frame 0xfffffe0046b04850 trap_fatal() at trap_fatal+0x65b/frame 0xfffffe0046b04950 trap_pfault() at trap_pfault+0x12b/frame 0xfffffe0046b04a70 trap() at trap+0x54c/frame 0xfffffe0046b04c50 calltrap() at calltrap+0x8/frame 0xfffffe0046b04c50 --- trap 0xc, rip = 0xffffffff8412e7ec, rsp = 0xfffffe0046b04d20, rbp = 0xfffffe0046b04d40 --- hdacc_stream_intr() at hdacc_stream_intr+0x3c/frame 0xfffffe0046b04d40 hdac_intr_handler() at hdac_intr_handler+0x15c/frame 0xfffffe0046b04d90 ithread_loop() at ithread_loop+0x387/frame 0xfffffe0046b04ef0 fork_exit() at fork_exit+0xa3/frame 0xfffffe0046b04f30 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0046b04f30 --- trap 0xc, rip = 0x829cc531a, rsp = 0x82b8b7a88, rbp = 0x82b8b7aa0 --- KDB: enter: panic [ thread pid 12 tid 100211 ] Stopped at kdb_enter+0x34: movq $0,0x1f09af1(%rip) db> Sponsored by: The FreeBSD Foundation MFC after: 1 week