Date: Sun, 28 Sep 2014 14:25:56 -0700 From: Garrett Cooper <yaneurabeya@gmail.com> To: Neel Natu <neel@FreeBSD.org> Cc: "svn-src-head@freebsd.org" <svn-src-head@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, "src-committers@freebsd.org" <src-committers@freebsd.org> Subject: Re: svn commit: r272270 - head/sys/kern Message-ID: <FC10A2CF-E6CD-4736-8AFD-E7080E5F481A@gmail.com> In-Reply-To: <201409282112.s8SLCNuA067731@svn.freebsd.org> References: <201409282112.s8SLCNuA067731@svn.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Neel!
Thank you for fixing this. I think we've run into similar issues with cu=
stomizations to the tty code at Isilon. I have one comment...
Thanks!
> On Sep 28, 2014, at 14:12, Neel Natu <neel@FreeBSD.org> wrote:
>=20
> Author: neel
> Date: Sun Sep 28 21:12:23 2014
> New Revision: 272270
> URL: http://svnweb.freebsd.org/changeset/base/272270
>=20
> Log:
> tty_rel_free() can be called more than once for the same tty so make sure=
> that the tty is dequeued from 'tty_list' only the first time.
>=20
> The panic below was seen when a revoke(2) was issued on an nmdm device.
> In this case there was also a thread that was blocked on a read(2) on the=
> device. The revoke(2) woke up the blocked thread which would typically
> return an error to userspace. In this case the reader also held the last
> reference on the file descriptor so fdrop() ended up calling tty_rel_free=
()
> via ttydev_close().
>=20
> tty_rel_free() then tried to dequeue 'tp' again which led to the panic.
>=20
> panic: Bad link elm 0xfffff80042602400 prev->next !=3D elm
> cpuid =3D 1
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00f9c=
90460
> kdb_backtrace() at kdb_backtrace+0x39/frame 0xfffffe00f9c90510
> vpanic() at vpanic+0x189/frame 0xfffffe00f9c90590
> panic() at panic+0x43/frame 0xfffffe00f9c905f0
> tty_rel_free() at tty_rel_free+0x29b/frame 0xfffffe00f9c90640
> ttydev_close() at ttydev_close+0x1f9/frame 0xfffffe00f9c90690
> devfs_close() at devfs_close+0x298/frame 0xfffffe00f9c90720
> VOP_CLOSE_APV() at VOP_CLOSE_APV+0x13c/frame 0xfffffe00f9c90770
> vn_close() at vn_close+0x194/frame 0xfffffe00f9c90810
> vn_closefile() at vn_closefile+0x48/frame 0xfffffe00f9c90890
> devfs_close_f() at devfs_close_f+0x2c/frame 0xfffffe00f9c908c0
> _fdrop() at _fdrop+0x29/frame 0xfffffe00f9c908e0
> sys_read() at sys_read+0x63/frame 0xfffffe00f9c90980
> amd64_syscall() at amd64_syscall+0x2b3/frame 0xfffffe00f9c90ab0
> Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe00f9c90ab0
> --- syscall (3, FreeBSD ELF64, sys_read), rip =3D 0x800b78d8a, rsp =3D 0x=
7fffffbfdaf8, rbp =3D 0x7fffffbfdb30 ---
>=20
> CR: https://reviews.freebsd.org/D851
> Reviewed by: glebius, ed
> Reported by: Leon Dang
> Sponsored by: Nahanni Systems
> MFC after: 1 week
>=20
> Modified:
> head/sys/kern/tty.c
>=20
> Modified: head/sys/kern/tty.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D
> --- head/sys/kern/tty.c Sun Sep 28 20:06:02 2014 (r272269)
> +++ head/sys/kern/tty.c Sun Sep 28 21:12:23 2014 (r272270)
> @@ -1055,13 +1055,13 @@ tty_rel_free(struct tty *tp)
> tp->t_dev =3D NULL;
> tty_unlock(tp);
>=20
> - sx_xlock(&tty_list_sx);
> - TAILQ_REMOVE(&tty_list, tp, t_list);
> - tty_list_count--;
> - sx_xunlock(&tty_list_sx);
> -
> - if (dev !=3D NULL)
> + if (dev !=3D NULL) {
if (dev =3D=3D NULL)
return;
Would be result in less change in an MFC.
> + sx_xlock(&tty_list_sx);
> + TAILQ_REMOVE(&tty_list, tp, t_list);
> + tty_list_count--;
> + sx_xunlock(&tty_list_sx);
> destroy_dev_sched_cb(dev, tty_dealloc, tp);
> + }
> }
>=20
> void
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?FC10A2CF-E6CD-4736-8AFD-E7080E5F481A>