From owner-freebsd-current@FreeBSD.ORG  Wed Sep 15 17:46:56 2004
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 27B0216A4CE; Wed, 15 Sep 2004 17:46:56 +0000 (GMT)
Received: from mail.vicor-nb.com (bigwoop.vicor-nb.com [208.206.78.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id DC9BC43D4C; Wed, 15 Sep 2004 17:46:52 +0000 (GMT)
	(envelope-from julian@elischer.org)
Received: from elischer.org (julian.vicor-nb.com [208.206.78.97])
	by mail.vicor-nb.com (Postfix) with ESMTP
	id 3A38F7A3E1; Wed, 15 Sep 2004 10:46:52 -0700 (PDT)
Message-ID: <4148800B.7080702@elischer.org>
Date: Wed, 15 Sep 2004 10:46:51 -0700
From: Julian Elischer <julian@elischer.org>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.3.1) Gecko/20030516
X-Accept-Language: en, hu
MIME-Version: 1.0
To: Robert Watson <rwatson@FreeBSD.org>
References: <Pine.NEB.3.96L.1040915105648.89730A-100000@fledge.watson.org>
In-Reply-To: <Pine.NEB.3.96L.1040915105648.89730A-100000@fledge.watson.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: julian@FreeBSD.org
cc: current@FreeBSD.org
cc: jhb@FreeBSD.org
Subject: Re: Possible NULL pointer deref in sched_add() via maybe_preempt()
 and kse_release()
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2004 17:46:56 -0000

I have a patch  in
http://www.freebsd.org/~julian/r.diff

that fixes one possible source of this problem.


Robert Watson wrote:

>Got this today on an SMP box running mysql:
>
>kernel trap 12 with interrupts disabled
> 
> Fatal trap 12: page fault while in kernel mode
>cpuid = 0; apic id = 00
>fault virtual address   = 0x150
>fault code              = supervisor read, page not present
>instruction pointer     = 0x8:0xc06224de
>stack pointer           = 0x10:0xef1b1b28
>frame pointer           = 0x10:0xef1b1b38
>code segment            = base 0x0, limit 0xfffff, type 0x1b
>                        = DPL 0, pres 1, def32 1, gran 1
>processor eflags        = resume, IOPL = 0
>current process         = 572 (mysqld)
>db> trace
>sched_add(0,3) at sched_add+0x16
>setrunqueue(c27867d0,3) at setrunqueue+0x15f
>sched_switch(c27867d0,c2a93af0,2) at sched_switch+0xf2
>mi_switch(2,c2a93af0,c2a93c44,c2a93af0,ef1b1bf4) at mi_switch+0x1b2
>maybe_preempt(c2a93af0) at maybe_preempt+0x93
>sched_add(c2a93af0,0) at sched_add+0x103
>setrunqueue(c2a93af0,0) at setrunqueue+0x15f
>turnstile_unpend(c2960c40,c2785c40,c27867d0,ef1b1c78,c062efdc) at
>turnstile_unpend+0x25f
>_mtx_unlock_sleep(c2785cac,0,0,0) at _mtx_unlock_sleep+0x6c
>sleepq_catch_signals(c26f0c80,0,0,100,c2930260) at
>sleepq_catch_signals+0x134
>msleep(c26f0c80,c2785cac,168,c081471e,7f) at msleep+0x239
>kse_release(c27867d0,ef1b1d14,1,8a,206) at kse_release+0x237
>syscall(a89002f,830002f,bfa9002f,8304000,0) at syscall+0x283
>Xint0x80_syscall() at Xint0x80_syscall+0x1f
>--- syscall (383, FreeBSD ELF32, kse_release), eip = 0x2833aa1b, esp =
>0x8308f88, ebp = 0x8308fc4 ---
>db> show pcpu
>cpuid        = 0
>curthread    = 0xc27867d0: pid 572 "mysqld"
>curpcb       = 0xef1b1da0
>fpcurthread  = none
>idlethread   = 0xc2260960: pid 14 "idle: cpu0"
>APIC ID      = 0
>currentldt   = 0x30
>
>The source code here is probably about a day old; the panic occurred
>during a kernel build using an NFS-mounted source tree and local object
>tree.  MySQL should have been basically idle, since no clients were active
>or had been active recently, but no doubt it wakes up once in a while to
>do something.
>
>Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
>robert@fledge.watson.org      Principal Research Scientist, McAfee Research
>  
>