From owner-freebsd-current  Sat Oct  5 12:14:27 2002
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id F24A237B404; Sat,  5 Oct 2002 12:14:24 -0700 (PDT)
Received: from gull.mail.pas.earthlink.net (gull.mail.pas.earthlink.net [207.217.120.84])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 3C78543E6A; Sat,  5 Oct 2002 12:14:24 -0700 (PDT)
	(envelope-from tlambert2@mindspring.com)
Received: from pool0044.cvx22-bradley.dialup.earthlink.net ([209.179.198.44] helo=mindspring.com)
	by gull.mail.pas.earthlink.net with esmtp (Exim 3.33 #1)
	id 17xuNS-0004TP-00; Sat, 05 Oct 2002 12:14:15 -0700
Message-ID: <3D9F39BB.66126C35@mindspring.com>
Date: Sat, 05 Oct 2002 12:12:59 -0700
From: Terry Lambert <tlambert2@mindspring.com>
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Stefan Farfeleder <e0026813@stud3.tuwien.ac.at>
Cc: John Baldwin <jhb@FreeBSD.org>,
	Juli Mallett <jmallett@FreeBSD.org>, current@FreeBSD.org
Subject: [PATCH] Re: Junior Kernel Hacker page updated...
References: <20021004132203.A78223@FreeBSD.org> <XFMail.20021004163317.jhb@FreeBSD.org> <20021005135504.GA254@frog.fafoe>
Content-Type: multipart/mixed;
 boundary="------------6432A5E3A2499CE19F1AEDE9"
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-current.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-current>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-current>
X-Loop: FreeBSD.ORG

This is a multi-part message in MIME format.
--------------6432A5E3A2499CE19F1AEDE9
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Stefan Farfeleder wrote:
> (kgdb) l *kqueue_scan+0x242
> 0xc01a1212 is in kqueue_scan
> (/freebsd/current/src/sys/kern/kern_event.c:716).
> 713             TAILQ_INSERT_TAIL(&kq->kq_head, &marker, kn_tqe);
> 714             while (count) {
> 715                     kn = TAILQ_FIRST(&kq->kq_head);
> translates to:          mov    (%edi),%ebx
> 716                     TAILQ_REMOVE(&kq->kq_head, kn, kn_tqe);
> translates to:          cmpl   $0x0,0x8(%ebx)
> 
> This line causes the page fault because %ebx is 0.


This can't happen, at least from an "empty list" perspective,
even if kqueue_scan() is reentered, since the "marker" is an
auto allocation on the stack, and a different stack means a
different marker gets inserted (marker isn't static, so having
more than one insert of the marker won't result in only a
single insertion).

I suspect that what is hapening is that the code is being
reentered, and one marker is being treated as an event, because
of whatever garbage happens to be on the stack in the allocated
marker.

The marker is removed, and then it is not found before you hit
the end of the list.

Please try the attached patch.

-- Terry
--------------6432A5E3A2499CE19F1AEDE9
Content-Type: text/plain; charset=us-ascii;
 name="kpanic.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="kpanic.diff"

Index: sys/event.h
===================================================================
RCS file: /cvs/src/sys/sys/event.h,v
retrieving revision 1.21
diff -c -r1.21 event.h
*** sys/event.h	29 Jun 2002 19:14:52 -0000	1.21
--- sys/event.h	5 Oct 2002 15:12:24 -0000
***************
*** 160,165 ****
--- 160,166 ----
  #define KN_QUEUED	0x02			/* event is on queue */
  #define KN_DISABLED	0x04			/* event is disabled */
  #define KN_DETACHED	0x08			/* knote is detached */
+ #define KN_MARKER	0x10			/* knote is a scan marker */
  
  #define kn_id		kn_kevent.ident
  #define kn_filter	kn_kevent.filter
Index: kern/kern_event.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_event.c,v
retrieving revision 1.45
diff -c -r1.45 kern_event.c
*** kern/kern_event.c	17 Aug 2002 02:36:16 -0000	1.45
--- kern/kern_event.c	5 Oct 2002 15:13:26 -0000
***************
*** 653,658 ****
--- 653,659 ----
  
  	FILE_LOCK_ASSERT(fp, MA_NOTOWNED);
  
+ 	marker.kn_status = KN_MARKER;
  	kq = (struct kqueue *)fp->f_data;
  	count = maxevents;
  	if (count == 0)
***************
*** 713,718 ****
--- 714,727 ----
  	TAILQ_INSERT_TAIL(&kq->kq_head, &marker, kn_tqe); 
  	while (count) {
  		kn = TAILQ_FIRST(&kq->kq_head);
+ 		/*
+ 		 * Skip over all markers which are not ours.  This looks
+ 		 * unsafe, but we can't hit the end of the list without
+ 		 * hitting our own marker.
+ 		 */
+ 		while ((kn->kn_status & KN_MARKER) && (kn != &marker)) {
+ 			kn = TAILQ_NEXT(kn, kn_tqe);
+ 		}
  		TAILQ_REMOVE(&kq->kq_head, kn, kn_tqe); 
  		if (kn == &marker) {
  			splx(s);

--------------6432A5E3A2499CE19F1AEDE9--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message