Kernel panic on kextunload >10.13.5

App & System Services Core OS
rameshprusty
rameshprusty OP
Created Aug ’18
Replies 7
Boosts 0
Views 3.3k
Participants

Hi Team,


We are facing kernel panic while doing kextunload to our driver. This is working fine for the OSX <= 10.13.5.

On OSX >10.13.5 wile unloading the kext, its getting panic.


We are communication with the kernel through iokit userclient , we have agent on the userspace runnung. Without killing the agent while we are trying to do a kextunload to our driver its getting panic. But if we kill our agent then do a kext unload its working fine.


Plese look at the below stack strace of the panic



Invalid connection: com.apple.coresymbolicationd

Anonymous UUID: C7B5663B-2CE3-9CC5-CA18-AD438D317BCD


Tue Aug 14 15:18:50 2018


*** Panic Report ***

panic(cpu 0 caller 0xffffff801ec6e2e1): "com_verdasys_dgagent[0x100000513]::terminate(kIOServiceSynchronous) timeout\n"@/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-4570.71.2/iokit/Kernel/IOService.cpp:2297

Darwin Kernel Version 17.7.0: Thu Jun 21 22:53:14 PDT 2018; root:xnu-4570.71.2~1/RELEASE_X86_64

Kernel slide: 0x000000001e400000

Kernel text base: 0xffffff801e600000

Dgagent text base: 0xffffff7fa0d12000

BSD process name corresponding to current thread: kextunload


0xffffff801e66c1c6 : 0006c1c6 handle_debugger_trap (in kernel) + 1222

0xffffff801e795274 : 00195274 kdp_i386_trap (in kernel) + 276

0xffffff801e787544 : 00187544 kernel_trap (in kernel) + 1252

0xffffff801e61e1e0 : 0001e1e0 0xffffff800021e1e0 (in kernel) + 38

0xffffff801e66bc3c : 0006bc3c panic_trap_to_debugger (in kernel) + 540

0xffffff801e66b9fc : 0006b9fc panic (in kernel) + 92

0xffffff801ec6e2e1 : 0066e2e1 IOService::scheduleTerminatePhase2(unsigned int) (in kernel) + 529

0xffffff801ec71e17 : 00671e17 IOService::terminatePhase1(unsigned int) (in kernel) + 2311

0xffffff801ec916b1 : 006916b1 IOCatalogue::_terminateDrivers(OSDictionary*) (in kernel) + 161

0xffffff801ec918a5 : 006918a5 IOCatalogue::terminateDriversForModule(OSString*, bool) (in kernel) + 133

0xffffff801ec26d91 : 00626d91 OSKext::removeKext(OSKext*, bool) (in kernel) + 449

0xffffff801ec2cef5 : 0062cef5 OSKext::handleRequest(host*, unsigned int, char*, unsigned int, char**, unsigned int*, char**, unsigned int*) (in kernel) + 2085

0xffffff801ec3b9b4 : 0063b9b4 kext_request (in kernel) + 372

0xffffff801e6c1075 : 000c1075 0xffffff80002c1075 (in kernel) + 165

0xffffff801e6716e0 : 000716e0 ipc_kobject_server (in kernel) + 304

0xffffff801e64ea3d : 0004ea3d ipc_kmsg_send (in kernel) + 189

0xffffff801e66154b : 0006154b mach_msg_overwrite_trap (in kernel) + 891

0xffffff801e77171d : 0017171d mach_call_munger64 (in kernel) + 509

0xffffff801e61e9e6 : 0001e9e6 hndl_mach_scall64 (in kernel) + 22



Please look at the close code for the clinet



void userclient::stop(IOService* provider)

{

DEBUG("stop()\n");

if (fProvider) {

fProvider->close(this);

}


clientType = 0;


if (count == 0 && fProvider) {

fProvider->signal();

}

super::stop(provider);

}

IOReturn userclient::clientClose(void)

{

close();

terminate(0);

fProvider = NULL;

fTask = NULL;

return kIOReturnSuccess;

}


IOReturn userclient::close(void)

{

DEBUG("clientClose()\n");


if (clientType == dgaDaemon) {

agent_cleanup();

}

if(!fProvider)

return kIOReturnNotAttached;


if( fProvider && fProvider->isOpen(this) )

fProvider->close(this);



return kIOReturnSuccess;

}


bool userclient::terminate(IOOptionBits options)

{

if( fProvider && fProvider->isOpen(this) )

fProvider->close(this);

return super:terminate(options);

}

Replies  7
Boosts  0
Views  3.3k
Participants  
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Aug ’18

We are facing kernel panic while doing kextunload to our driver. This is working fine for the OSX <= 10.13.5.

On OSX >10.13.5 wile unloading the kext, its getting panic.

That’s only one macOS release greater than 10.13.5, and that’s 10.13.6. So, to be clear, it’s panicking on 10.13.6 but not panicking on 10.13.5?

Plese look at the below stack strace of the panic

That looks like an excerpt from the panic log. Can you post the full version?

ps If you mark it up as code (using the 

<>
button) it’s easier to read.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Sep ’18

Was there any solution for this kernel panic?

All I know about this issue is on this thread, that is, not much )-: If you can post a panic log, I’d be glad to take a look.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Sep ’18

Thanks for the panic log. Looking at this it seems like the critical frame is this one:

0xffffff9249f1bac0 : 0xffffff800ec6e2e1

That frame denotes 

IOService::scheduleTerminatePhase2(unsigned int)
. You can see the 10.13.3 source code for that routine in Darwin, with the specific panic being on line 2289. As you can see, I/O Kit’s termination logic is waiting for everything to shut down and, if that doesn’t happen within 15 seconds, it panics.

One thing to note here is that the Darwin code I linked to above is not the code you’re actually running. The panic log indicates you’re on xnu-4570.71.2, but the latest Darwin code is xnu-4570.50.219, and there have definitely been changes between those releases relevant to this code. Specifically, there has been at least one fix for exactly this sort of problem (r. 35752460).

As to why things are failing for you, I don’t have any specific input on that front. I do, however, have some general recommendations:

  • You should test on the latest 10.14 beta to see if you can reproduce the problem there.

  • If so, you should definitely file a bug about it. Please post your bug number, just for the record.

  • You should open a DTS tech support incident to see if we can find some sort of workaround.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Sep ’18

What is not clear to me is what it is waiting for and if the mechanism has changed in 10.13.5?

It’s waiting for the service to become non-busy (that is, 

kIOServiceBusyStateMask
to clear). This busy state is reflected in the public API via the 
IOService::getBusyState()
and 
IOService::adjustBusy()
methods. Those have doc comments that are well worth a read.

As to what’s making your service busy, it’s hard to say. With regards the bug I mentioned previously (r. 35752460), the underlying cause of the panic was a deadlock which stalled the thread which was keeping the service busy. That may well be the case here as well. And that may well be an OS bug or a bug in your KEXTs. It’s hard to say without doing a much deeper dive on this, and that’s going to be tricky in the context of DevForums.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
Kernel panic on kextunload >10.13.5
First post date Last post date
 
 
Q