From owner-freebsd-current Sat Feb 8 7: 9:36 2003
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 339CF37B401 for ; Sat, 8 Feb 2003 07:09:35 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.65.60]) by mx1.FreeBSD.org (Postfix) with SMTP id 0E59343FA3 for ; Sat, 8 Feb 2003 07:09:34 -0800 (PST) (envelope-from tmoestl@gmx.net)
Received: (qmail 20595 invoked by uid 0); 8 Feb 2003 15:09:32 -0000
Received: from p508E55B2.dip.t-dialin.net (HELO galatea.local) (80.142.85.178) by mail.gmx.net (mp011-rz3) with SMTP; 8 Feb 2003 15:09:32 -0000
Received: from tmm by galatea.local with local (Exim 4.12 #1) id 18hWeY-000D95-00; Sat, 08 Feb 2003 16:12:26 +0100
Date: Sat, 8 Feb 2003 16:12:26 +0100
From: Thomas Moestl
To: Morten Rodal
Cc: Kris Kennaway, current@FreeBSD.ORG
Subject: Re: Panic in fork()
Message-ID: <20030208151226.GB624@crow.dom2ip.de>
Mail-Followup-To: Morten Rodal, Kris Kennaway, current@FreeBSD.ORG
References: <20030208092406.GA12104@rot13.obsecurity.org> <20030208110512.GB12696@rot13.obsecurity.org> <20030208141542.GC11725@slurp.rodal.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030208141542.GC11725@slurp.rodal.no>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Sat, 2003/02/08 at 15:15:44 +0100, Morten Rodal wrote:
> On Sat, Feb 08, 2003 at 03:05:12AM -0800, Kris Kennaway wrote:
> > bento# addr2line -e kernel.debug 0xc01a1e2d
> > ../../../kern/kern_fork.c:388
> >
> >         for (; p2 != NULL; p2 = LIST_NEXT(p2, p_list)) {
> >                 PROC_LOCK(p2);
> > 388 -->         while (p2->p_pid == trypid ||
> >
>
> That is the exact same spot I saw my computer (old smp machine) crash.
> I think someone mentioned that it would be more or less impossible to
> crash there since one would not enter the for loop when p2 is NULL.
>
> Could it be that PROC_LOCK tampers with p2?

addr2line will usually point to the first line of a statement if it
spans multiple lines; in this case, the full guard is:

        while (p2->p_pid == trypid ||
            p2->p_pgrp->pg_id == trypid ||
            p2->p_session->s_sid == trypid) {

The fault address indicates that p2->p_pgrp->p_session (p_session is a
macro that expands to p_pgrp->p_session) is NULL, since the offset of
s_sid in struct session is 0x14.
I haven't yet found out how that could happen though; this field is
never legitimately NULL and the locking seems to be tight, so that it
cannot be freed from under fork1().

        - Thomas

-- 
Thomas Moestl
http://www.tu-bs.de/~y0015675/
http://people.FreeBSD.org/~tmm/
PGP fingerprint: 1C97 A604 2BD0 E492 51D0 9C0F 1FE6 4F1D 419C 776C

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
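The step in the reply that turns a page-fault address into "which pointer was NULL" (a fault at a small address such as 0x14 means some base pointer was NULL and the code read a member at that offset), as an added example that is not code from this thread or from FreeBSD. The struct below is a hypothetical stand-in for the kernel's struct session: pointers are replaced by uint32_t so the ILP32 i386 layout of the time is reproduced on any host, and the only deliberate property is that s_sid lands at byte offset 0x14, as stated in the mail; s_pad and the other member names are placeholders, and PAGE_SIZE_I386 is an assumed constant. On a real crash the offsets would come from kernel.debug through the debugger rather than from a hand-written struct.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct session (NOT the kernel's definition).
 * uint32_t replaces the pointer members so offsets match a 32-bit kernel
 * regardless of the host; s_sid is placed at 0x14 as the mail describes. */
struct session_like {
    uint32_t s_count;     /* 0x00 */
    uint32_t s_leader;    /* 0x04 (struct proc * in the real struct) */
    uint32_t s_ttyvp;     /* 0x08 (struct vnode *) */
    uint32_t s_ttyp;      /* 0x0c (struct tty *) */
    uint32_t s_pad;       /* 0x10 placeholder so that s_sid lands at 0x14 */
    uint32_t s_sid;       /* 0x14 the pid_t read by the fork1() guard */
    char     s_login[40]; /* 0x18 */
};

struct member_desc {
    const char *name;
    size_t      off;
    size_t      size;
};

/* Build a (name, offset, size) row from the struct definition itself. */
#define MEMBER(f) { #f, offsetof(struct session_like, f), \
                    sizeof(((struct session_like *)0)->f) }

static const struct member_desc session_members[] = {
    MEMBER(s_count), MEMBER(s_leader), MEMBER(s_ttyvp), MEMBER(s_ttyp),
    MEMBER(s_pad), MEMBER(s_sid), MEMBER(s_login),
};

/* Assumed page size: an address below it cannot be a mapped kernel object,
 * so a fault there is "NULL plus an offset" rather than a real address. */
#define PAGE_SIZE_I386 4096u

/* Returns the member of struct session_like whose bytes contain fault_addr
 * when the fault looks like a dereference of a NULL struct session pointer,
 * or NULL when the address lies outside the struct's extent from 0. */
const char *null_session_member(uintptr_t fault_addr)
{
    if (fault_addr >= sizeof(struct session_like))
        return NULL;
    for (size_t i = 0; i < sizeof session_members / sizeof session_members[0]; i++) {
        const struct member_desc *m = &session_members[i];
        if (fault_addr >= m->off && fault_addr < m->off + m->size)
            return m->name;
    }
    return NULL;
}

/* Describe a fault address the way a crash-dump reader would: NULL-page
 * hits are named by member, anything else is reported as a real address. */
int describe_fault(uintptr_t fault_addr, char *buf, size_t buflen)
{
    const char *m = null_session_member(fault_addr);
    if (m != NULL)
        return snprintf(buf, buflen,
                        "NULL struct session pointer, reading %s at offset 0x%lx",
                        m, (unsigned long)fault_addr);
    if (fault_addr < PAGE_SIZE_I386)
        return snprintf(buf, buflen,
                        "NULL-page access at 0x%lx, past struct session",
                        (unsigned long)fault_addr);
    return snprintf(buf, buflen, "non-NULL address 0x%lx", (unsigned long)fault_addr);
}

int main(void)
{
    /* Constructed samples: the offset from the mail, offset 0, an address
     * in the NULL page but beyond the struct, and the instruction address
     * Kris fed to addr2line (an EIP, not a data fault address). */
    const uintptr_t samples[] = { 0x14, 0x0, 0x100, 0xc01a1e2d };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        describe_fault(samples[i], buf, sizeof buf);
        printf("0x%lx: %s\n", (unsigned long)samples[i], buf);
    }
    return 0;
}
```

The check is only as good as the struct layout it is given: if the stand-in disagrees with the kernel's real struct session, the member name is wrong even though the "NULL base pointer" conclusion still holds for any fault address inside the first page.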