From owner-freebsd-hackers@FreeBSD.ORG Thu Jan 4 11:02:50 2007 Return-Path: X-Original-To: freebsd-hackers@freebsd.org Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 33F9C16A403 for ; Thu, 4 Jan 2007 11:02:50 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from relay01.kiev.sovam.com (relay01.kiev.sovam.com [62.64.120.200]) by mx1.freebsd.org (Postfix) with ESMTP id B376913C45E for ; Thu, 4 Jan 2007 11:02:49 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from [212.82.216.227] (helo=fw.zoral.com.ua) by relay01.kiev.sovam.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.60) (envelope-from ) id 1H2QMq-000Lo1-6g for freebsd-hackers@freebsd.org; Thu, 04 Jan 2007 13:02:48 +0200 Received: from deviant.kiev.zoral.com.ua (root@deviant.kiev.zoral.com.ua [10.1.1.148]) by fw.zoral.com.ua (8.13.4/8.13.4) with ESMTP id l04B29ge034912 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 4 Jan 2007 13:02:09 +0200 (EET) (envelope-from kostikbel@gmail.com) Received: from deviant.kiev.zoral.com.ua (kostik@localhost [127.0.0.1]) by deviant.kiev.zoral.com.ua (8.13.8/8.13.8) with ESMTP id l04B29Xc019842; Thu, 4 Jan 2007 13:02:09 +0200 (EET) (envelope-from kostikbel@gmail.com) Received: (from kostik@localhost) by deviant.kiev.zoral.com.ua (8.13.8/8.13.8/Submit) id l04B289P019841; Thu, 4 Jan 2007 13:02:08 +0200 (EET) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: deviant.kiev.zoral.com.ua: kostik set sender to kostikbel@gmail.com using -f Date: Thu, 4 Jan 2007 13:02:08 +0200 From: Kostik Belousov To: Eugene Grosbein Message-ID: <20070104110208.GG21325@deviant.kiev.zoral.com.ua> References: <20070103141820.GA1014@grosbein.pp.ru> <200701031601.05541.jhb@freebsd.org> <20070104040727.GD21325@deviant.kiev.zoral.com.ua> <20070104103708.GF21325@deviant.kiev.zoral.com.ua> <20070104105208.GA78979@svzserv.kemerovo.su> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="719vRtZnJj4YbTia" Content-Disposition: inline In-Reply-To: <20070104105208.GA78979@svzserv.kemerovo.su> User-Agent: Mutt/1.4.2.2i X-Virus-Scanned: ClamAV version 0.88.7, clamav-milter version 0.88.7 on fw.zoral.com.ua X-Virus-Status: Clean X-Spam-Status: No, score=-0.1 required=5.0 tests=ALL_TRUSTED,SPF_NEUTRAL autolearn=failed version=3.1.7 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on fw.zoral.com.ua X-Scanner-Signature: 021e97fb5facab6d3ae496d7b6c27559 X-DrWeb-checked: yes X-SpamTest-Envelope-From: kostikbel@gmail.com X-SpamTest-Group-ID: 00000000 X-SpamTest-Info: Profiles 661 [Dec 30 2006] X-SpamTest-Info: helo_type=3 X-SpamTest-Info: {received from trusted relay: not dialup} X-SpamTest-Method: none X-SpamTest-Method: Local Lists X-SpamTest-Rate: 0 X-SpamTest-Status: Not detected X-SpamTest-Status-Extended: not_detected X-SpamTest-Version: SMTP-Filter Version 3.0.0 [0255], KAS30/Release Cc: freebsd-hackers@freebsd.org, Eugene Grosbein Subject: Re: WITNESS & RELENG_6 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Jan 2007 11:02:50 -0000 --719vRtZnJj4YbTia Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jan 04, 2007 at 05:52:08PM +0700, Eugene Grosbein wrote: > On Thu, Jan 04, 2007 at 12:37:08PM +0200, Kostik Belousov wrote: >=20 > > The problem is revealed by INVARIANTS option, not by WITNESS, and is de= finitely the use-after-free. > >=20 > > in src/nvidia_dev.c, nvidia_dev_close(), that is cdevsw.d_close proc, > > the destroy_dev() is called. Please, apply rev. 1.199 of sys/kern/kern_= conf.c. > > I expect that crashes shall stop, but non-killable processes (in the "d= evdrn") > > state would accumulate. > >=20 > > Please, confirm. >=20 > I've tried to apply 1.199 to RELENG_6 but failed: > one of three chunks has been rejected. >=20 Hmm, it needs 1.198 as well. Below is aggregated patch against RELENG_6. Index: kern_conf.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/local/arch/ncvs/src/sys/kern/kern_conf.c,v retrieving revision 1.186.2.7 diff -u -r1.186.2.7 kern_conf.c --- kern_conf.c 30 Oct 2006 15:43:56 -0000 1.186.2.7 +++ kern_conf.c 4 Jan 2007 10:59:33 -0000 @@ -676,16 +676,20 @@ dev->si_flags &=3D ~SI_CLONELIST; } =20 + dev->si_refcount++; /* Avoid race with dev_rel() */ csw =3D dev->si_devsw; dev->si_devsw =3D NULL; /* already NULL for SI_ALIAS */ while (csw !=3D NULL && csw->d_purge !=3D NULL && dev->si_threadcount) { - printf("Purging %lu threads from %s\n", - dev->si_threadcount, devtoname(dev)); csw->d_purge(dev); msleep(csw, &devmtx, PRIBIO, "devprg", hz/10); + if (dev->si_threadcount) + printf("Still %lu threads in %s\n", + dev->si_threadcount, devtoname(dev)); + } + while (dev->si_threadcount !=3D 0) { + /* Use unique dummy wait ident */ + msleep(&csw, &devmtx, PRIBIO, "devdrn", hz / 10); } - if (csw !=3D NULL && csw->d_purge !=3D NULL) - printf("All threads purged from %s\n", devtoname(dev)); =20 dev->si_drv1 =3D 0; dev->si_drv2 =3D 0; @@ -700,6 +704,7 @@ fini_cdevsw(csw); } dev->si_flags &=3D ~SI_ALIAS; + dev->si_refcount--; /* Avoid race with dev_rel() */ =20 if (dev->si_refcount > 0) { LIST_INSERT_HEAD(&dead_cdevsw.d_devs, dev, si_list); --719vRtZnJj4YbTia Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQFFnN6wC3+MBN1Mb4gRApPjAKCt66RlKWkHZE7fNYxvHsnxrD0WvACfRzLl cLbrG/qv/LLo87HEaNAD4A0= =ZIUk -----END PGP SIGNATURE----- --719vRtZnJj4YbTia--