> On Aug 7, 2018, at 9:44 AM, Edgar Fuß <e...@math.uni-bonn.de> wrote:
> 
> I observe this on 6.1, but I can't see the relevant code changed in current.
> 
> mutex_vector_enter() does (-current uses KPREEMPT_* macros)
> 
>       do {
>               kpreempt_enable();
>               SPINLOCK_BACKOFF(count);
>               kpreempt_disable();
>               owner = mtx->mtx_owner;
>       } while (mutex_oncpu(owner));
> 
> and my problem seems to be owner == MUTEX_THREAD (i.e. the mutex destroyed) by 
> the time mutex_oncpu(owner) is called.
> 
> My understanding of locking is limited (close to zero) but why shouldn't 
> the mutex in question be destroyed during the preemption-enabled period?
> 
> I must be missing something.

It could be destroyed by another thread on a different CPU.  Disabling 
preemption only affects the CPU that disabled it.

Sounds like this is just a classic use-after-free problem.  What's the stack 
trace of the panic?  Is the mutex embedded in some ephemeral data structure?

-- thorpej
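The point in the reply above, that one CPU's kpreempt_disable() does nothing to stop another CPU from tearing down the structure the mutex lives in, can be shown with a small userland model. The following is an added example written for this thread; it is not NetBSD code. The owner word stands in for mtx_owner, OWNER_DEAD is a constructed stand-in for the MUTEX_THREAD value the reporter saw, the spin loop mirrors the one quoted above with sched_yield() as the preemption window, and the reference count is the usual lifetime rule that keeps an ephemeral object alive while anyone is spinning on its embedded lock (a fix strategy assumed here, not something the thread prescribes). The destroyed object is not actually freed so the demo can inspect it afterwards; in real code the waiter in the unsafe variant would be reading freed memory.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sentinels: OWNER_DEAD plays the role of the MUTEX_THREAD marker
 * that ends up in mtx_owner once the mutex has been destroyed. */
#define OWNER_FREE ((uintptr_t)0)
#define OWNER_DEAD ((uintptr_t)-16L)

/* Hypothetical object with an embedded lock, like the "ephemeral data
 * structure" asked about above. owner models mtx_owner; refs is the
 * lifetime rule that makes spinning on owner safe. */
struct obj {
    atomic_uintptr_t owner;
    atomic_int refs;
    atomic_int destroyed;   /* how many times destroy ran: must end up 1 */
};

struct waiter {
    struct obj *o;
    uintptr_t self;
    atomic_int spinning;    /* set once the waiter is inside its backoff window */
    int take_ref;           /* 1 = safe variant: hold a reference while waiting */
    int result;
};

static void obj_destroy(struct obj *o)
{
    /* As with mutex_destroy(), the lock must be unowned when this runs. */
    atomic_store(&o->owner, OWNER_DEAD);
    atomic_fetch_add(&o->destroyed, 1);
    /* free(o) would follow in real code; omitted so the demo can inspect o. */
}

static void obj_get(struct obj *o) { atomic_fetch_add(&o->refs, 1); }

static void obj_put(struct obj *o)
{
    if (atomic_fetch_sub(&o->refs, 1) == 1)
        obj_destroy(o);     /* last reference dropped: nobody can be spinning now */
}

/* Model of the quoted spin loop: owner is re-read every pass, and the yield is
 * the kpreempt_enable()/SPINLOCK_BACKOFF()/kpreempt_disable() window in which
 * code on another CPU is free to run. */
static int model_enter(struct obj *o, uintptr_t self, atomic_int *spinning)
{
    for (;;) {
        uintptr_t expected = OWNER_FREE;
        if (atomic_compare_exchange_strong(&o->owner, &expected, self))
            return 0;                       /* acquired */
        if (expected == OWNER_DEAD)
            return -1;                      /* touched a destroyed lock: the bug */
        atomic_store(spinning, 1);
        sched_yield();
    }
}

static void model_exit(struct obj *o, uintptr_t self)
{
    uintptr_t expected = self;
    atomic_compare_exchange_strong(&o->owner, &expected, OWNER_FREE);
}

static void *waiter_main(void *arg)
{
    struct waiter *w = arg;
    if (w->take_ref)
        obj_get(w->o);                      /* pin the storage before touching the lock */
    w->result = model_enter(w->o, w->self, &w->spinning);
    if (w->result == 0)
        model_exit(w->o, w->self);
    if (w->take_ref)
        obj_put(w->o);                      /* may run the deferred destroy */
    return NULL;
}

/* Returns the waiter's result: 0 = acquired normally, -1 = saw the destroyed
 * sentinel, -2 = destroy did not run exactly once in the safe variant. */
static int run(int take_ref)
{
    /* The owner (id 1) holds the lock and one reference when the waiter arrives. */
    struct obj o = { .owner = 1, .refs = 1, .destroyed = 0 };
    struct waiter w = { .o = &o, .self = 2, .spinning = 0,
                        .take_ref = take_ref, .result = 99 };
    pthread_t t;
    pthread_create(&t, NULL, waiter_main, &w);
    while (atomic_load(&w.spinning) == 0)
        sched_yield();                      /* wait until the waiter is in its backoff window */
    if (take_ref) {
        model_exit(&o, 1);                  /* release the lock ... */
        obj_put(&o);                        /* ... and drop the owner's ref; waiter's ref defers destroy */
    } else {
        /* Owner releases and tears the object down in one step while the waiter
         * is spinning with preemption "disabled" on its own CPU. */
        atomic_store(&o.owner, OWNER_DEAD);
        atomic_fetch_add(&o.destroyed, 1);
    }
    pthread_join(t, NULL);
    if (take_ref && atomic_load(&o.destroyed) != 1)
        return -2;
    return w.result;
}

int demo_unsafe(void) { return run(0); }
int demo_safe(void)   { return run(1); }

int main(void)
{
    printf("unsafe: waiter result %d (-1 = observed destroyed lock)\n", demo_unsafe());
    printf("safe:   waiter result %d (0 = acquired, destroy deferred)\n", demo_safe());
    return 0;
}
```

Build with `cc -pthread`. The unsafe run always ends with the waiter reading the destroyed sentinel, because the teardown is issued once the waiter is known to be inside its backoff window; the safe run always ends with the waiter acquiring the lock and the destroy running exactly once, after the last reference is dropped.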
