From owner-freebsd-bugs@FreeBSD.ORG  Fri Oct 19 15:10:02 2007
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A9E5016A498
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 19 Oct 2007 15:10:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 9CCA413C480
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 19 Oct 2007 15:10:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.1/8.14.1) with ESMTP id l9JFA2H1049935
	for <freebsd-bugs@freefall.freebsd.org>; Fri, 19 Oct 2007 15:10:02 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.1/8.14.1/Submit) id l9JFA2RM049934;
	Fri, 19 Oct 2007 15:10:02 GMT (envelope-from gnats)
Date: Fri, 19 Oct 2007 15:10:02 GMT
Message-Id: <200710191510.l9JFA2RM049934@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: John Baldwin <jhb@FreeBSD.org>
Cc: 
Subject: Re: kern/89538: [tty] [panic] triggered by "sysctl -a"
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: John Baldwin <jhb@FreeBSD.org>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Oct 2007 15:10:02 -0000

The following reply was made to PR kern/89538; it has been noted by GNATS.

From: John Baldwin <jhb@freebsd.org>
To: bug-followup@freebsd.org,
 gkozyrev@gmail.com
Cc:  
Subject: Re: kern/89538: [tty] [panic] triggered by "sysctl -a"
Date: Fri, 19 Oct 2007 10:44:40 -0400

 One thing I noted is that si_usecount is -1 in the most recent gdb output.
 One possible race is that we read vp->v_usecount w/o holding the vnode
 interlock in devfs_reclaim(), so perhaps there is a race between
 VOP_RECLAIM() and some other thread doing a vref() such that the
 cdev is prematurely freed?  Patch is below:
 
 --- //depot/user/jhb/acpipci/fs/devfs/devfs_vnops.c
 +++ /home/john/work/p4/acpipci/fs/devfs/devfs_vnops.c
 @@ -995,17 +995,20 @@
  
  	vnode_destroy_vobject(vp);
  
 +	VI_LOCK(vp);
  	dev_lock();
  	dev = vp->v_rdev;
  	vp->v_rdev = NULL;
  
  	if (dev == NULL) {
  		dev_unlock();
 +		VI_UNLOCK(vp);
  		return (0);
  	}
  
  	dev->si_usecount -= vp->v_usecount;
  	dev_unlock();
 +	VI_UNLOCK(vp);
  	dev_rel(dev);
  	return (0);
  }
 
 -- 
 John Baldwin