From owner-freebsd-current@FreeBSD.ORG  Mon Apr 26 15:32:38 2004
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4B35816A4CE
	for <freebsd-current@freebsd.org>;
	Mon, 26 Apr 2004 15:32:38 -0700 (PDT)
Received: from sccrmhc12.comcast.net (sccrmhc12.comcast.net [204.127.202.56])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7970E43D2F
	for <freebsd-current@freebsd.org>;
	Mon, 26 Apr 2004 15:32:37 -0700 (PDT)
	(envelope-from julian@elischer.org)
Received: from interjet.elischer.org ([24.7.73.28])
          by comcast.net (sccrmhc12) with ESMTP
          id <20040426223235012002o726e>; Mon, 26 Apr 2004 22:32:36 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1])
	by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id PAA48181;
	Mon, 26 Apr 2004 15:32:34 -0700 (PDT)
Date: Mon, 26 Apr 2004 15:32:33 -0700 (PDT)
From: Julian Elischer <julian@elischer.org>
To: Daniel Eischen <eischen@vigrid.com>
In-Reply-To: <Pine.GSO.4.10.10404261714360.10647-100000@pcnet5.pcnet.com>
Message-ID: <Pine.BSF.4.21.0404261530090.45911-100000@InterJet.elischer.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-current@freebsd.org
cc: Dan Nelson <dnelson@allantgroup.com>
Subject: Re: panic: Exit: Single threading fouled up
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Apr 2004 22:32:38 -0000



On Mon, 26 Apr 2004, Daniel Eischen wrote:
> 
> There is a race in kse_release() and kse_wakeup() that looks
> to have been introduced when sleepqueues were added.  msleep()
> drops the mutex too early (in this case the proc lock) and
> TDF_SINTR gets set after the mutex has been released.  So
> the code in thread_single():
> 
> 				if (force_exit == SINGLE_EXIT) {
> 					if (TD_IS_SUSPENDED(td2)) {
> 						thread_unsuspend_one(td2);
> 					}
> ->					if (TD_ON_SLEEPQ(td2) &&
> ->					    (td2->td_flags & TDF_SINTR)) {
> 						sleepq_abort(td2);
> 					}
> 
> may not abort the thread in the sleep queue.


I don't see imediatly how that would allow two processes 
to get into the same code twice.. or someone could leave the
pointer set after doing single-threading, but
it does show that this is tricky stuff.