From owner-svn-src-head@freebsd.org  Sun Nov 22 16:36:13 2020
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4E1B546D456;
 Sun, 22 Nov 2020 16:36:13 +0000 (UTC)
 (envelope-from kevans@freebsd.org)
Received: from smtp.freebsd.org (smtp.freebsd.org
 [IPv6:2610:1c1:1:606c::24b:4])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "smtp.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4CfGBP1kKMz3hRH;
 Sun, 22 Nov 2020 16:36:13 +0000 (UTC)
 (envelope-from kevans@freebsd.org)
Received: from mail-qk1-f178.google.com (mail-qk1-f178.google.com
 [209.85.222.178])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 (Authenticated sender: kevans)
 by smtp.freebsd.org (Postfix) with ESMTPSA id 29757634B;
 Sun, 22 Nov 2020 16:36:13 +0000 (UTC)
 (envelope-from kevans@freebsd.org)
Received: by mail-qk1-f178.google.com with SMTP id d28so14193775qka.11;
 Sun, 22 Nov 2020 08:36:13 -0800 (PST)
X-Gm-Message-State: AOAM531/ICnUoX7RL78mXRXfh7Y72bJ7ANTf84RLGDOuDj27REXlBXw8
 hHCuC6pyauRqI3TmtKPiIMBbWXwdpmANsmH+Lj0=
X-Google-Smtp-Source: ABdhPJyU7J4nWpqYohbNgZotIY3wNFoc36MI6ju7Ah7f/aMC8n3Sqwtf2juUiEN3Lq4Ze5jpCnFtRLpvU05CgUXLi80=
X-Received: by 2002:a37:9f82:: with SMTP id
 i124mr26297433qke.493.1606062972827; 
 Sun, 22 Nov 2020 08:36:12 -0800 (PST)
MIME-Version: 1.0
References: <202011220500.0AM50Tml047660@repo.freebsd.org>
 <75a09790-79d8-f539-e118-acf32b6bc65e@gmail.com>
In-Reply-To: <75a09790-79d8-f539-e118-acf32b6bc65e@gmail.com>
From: Kyle Evans <kevans@freebsd.org>
Date: Sun, 22 Nov 2020 10:36:01 -0600
X-Gmail-Original-Message-ID: <CACNAnaEM3e7Pu4hKm7aLB52E-STzju0A9gA7VA-RVoOjFnu0ew@mail.gmail.com>
Message-ID: <CACNAnaEM3e7Pu4hKm7aLB52E-STzju0A9gA7VA-RVoOjFnu0ew@mail.gmail.com>
Subject: Re: svn commit: r367927 - in head: sys/kern tests/sys/kern
To: Guy Yur <guyyur@gmail.com>
Cc: Robert Wing <rew@freebsd.org>, src-committers <src-committers@freebsd.org>,
 svn-src-all <svn-src-all@freebsd.org>, svn-src-head <svn-src-head@freebsd.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Nov 2020 16:36:13 -0000

On Sun, Nov 22, 2020 at 9:54 AM Guy Yur <guyyur@gmail.com> wrote:
>
> On 22/11/20 7:00 am, Robert Wing wrote:
> > Author: rew
> > Date: Sun Nov 22 05:00:28 2020
> > New Revision: 367927
> > URL: https://svnweb.freebsd.org/changeset/base/367927
> >
> > Log:
> >    fd: free old file descriptor tables when not shared
> >
> >    During the life of a process, new file descriptor tables may be allo=
cated. When
> >    a new table is allocated, the old table is placed in a free list and=
 held onto
> >    until all processes referencing them exit.
> >
> >    When a new file descriptor table is allocated, the old file descript=
or table
> >    can be freed when the current process has a single-thread and the fi=
le
> >    descriptor table is not being shared with any other processes.
> >
> >    Reviewed by:    kevans
> >    Approved by:    kevans (mentor)
> >    Differential Revision:  https://reviews.freebsd.org/D18617
> >
> > Added:
> >    head/tests/sys/kern/fdgrowtable_test.c   (contents, props changed)
> > Modified:
> >    head/sys/kern/kern_descrip.c
> >    head/tests/sys/kern/Makefile
>
> Hi,
>
> I am getting a kernel panic with this commit when building
> devel/gmake port and it runs dup2 test in configure script.
>
> panic: fc_ioctls !=3D NULL, but fc_nioctls=3D-16162
> ...
> #10 0xffffffff80655c72 in vpanic (fmt=3D<optimized out>, ap=3D<optimized =
out>)
>      at /usr/src/sys/kern/kern_shutdown.c:907
> #11 0xffffffff80655a03 in panic (
>      fmt=3D0xffffffff80eb2b78 <cnputs_mtx> "=ED=97=9D\200\377\377\377\377=
")
>      at /usr/src/sys/kern/kern_shutdown.c:843
> #12 0xffffffff805fff9a in filecaps_copy_prep (src=3D<optimized out>)
>      at /usr/src/sys/kern/kern_descrip.c:1629
> #13 kern_dup (td=3D<optimized out>, mode=3D<optimized out>, flags=3D0,
>      old=3D<optimized out>, new=3D256) at /usr/src/sys/kern/kern_descrip.=
c:970
> #14 0xffffffff8094a5de in syscallenter (td=3D<optimized out>)
>      at /usr/src/sys/amd64/amd64/../../kern/subr_syscall.c:189
> #15 amd64_syscall (td=3D0xfffffe00513f8500, traced=3D0)
>      at /usr/src/sys/amd64/amd64/trap.c:1156
>
>
> Simplified test program that causes panic:
> #include <unistd.h>
> #include <limits.h>
>
> int main ()
> {
>    int bad_fd =3D INT_MAX;
>    dup2 (1, 1);
>    close (0);
>    dup2 (0, 0);
>    dup2 (2, bad_fd);
>    dup2 (2, -1);
>    dup2 (2, 255);
>    dup2 (2, 256);
>    return 0;
> }
>

Whoops. =3D\

It looks like kern_dup grows the file table but assumes that it can
continue using oldfe that it fetched from the now-freed table. I
suspect we just need to refetch oldfde after the grow operation, and
it might be a good idea (under INVARIANTS) to grab the fp from oldfde
before we grow the table and assert that the new entry we fetch is the
same underlying file.

Thanks,

Kyle Evans