Date: Fri, 26 Dec 1997 19:12:13 +1100
From: Bruce Evans
Message-Id: <199712260812.TAA11683@godzilla.zeta.org.au>
To: dg@root.com, julian@whistle.com
Subject: Re: crash (in networking code?)
Cc: current@FreeBSD.ORG, gjp@erols.com
Sender: owner-freebsd-current@FreeBSD.ORG

>I think this is a worry. I need to check a bunch of code against
>this possibility. (MALLOC in splnet allowing unexpected reentrance)

I hope there are no reentrance bugs. Invalidation of objects that you think you own is bad enough.

I use the following to find bogus M_WAITOK malloc()s. It complained about problems in all of the recently fixed areas (2 in netinet, one in accept1()).

Bruce diff -c2 kern_malloc.c~ kern_malloc.c *** kern_malloc.c~ Fri Dec 5 23:25:33 1997 --- kern_malloc.c Fri Dec 26 14:02:11 1997 *************** *** 1,2 **** --- 1,6 ---- + static volatile int dbm_db = 0; + static volatile int dbm_ipl = 0; /* change to 0xc0020000 to hide splnet bugs */ + static volatile int dbm_sleep = 0; + /* * Copyright (c) 1987, 1991, 1993 *************** *** 127,130 **** --- 137,153 ---- kbp = &bucket[indx]; s = splhigh(); + #if 1 + if (!cold && !(flags & M_NOWAIT) && s != 0x80000000 && s != dbm_ipl) { + #elif 0 + if (!cold && !(flags & M_NOWAIT) && s & 0x0000ffff) { + #else + if (!cold && !(flags & M_NOWAIT) && s == 0xffffffff) { + #endif + printf("malloc(..., M_NOWAIT) called at high ipl %#x\n", s); + if (dbm_db) + Debugger(""); + if (dbm_sleep) + tsleep((caddr_t)ksp, PSWP+2, type->ks_shortdesc, 1); + } while (ksp->ks_memuse >= ksp->ks_limit) { if (flags & M_NOWAIT) {
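
Review bot: The three knobs added at the top of kern_malloc.c (dbm_db, dbm_ipl, dbm_sleep) carry no description of what each one controls, and the only hint for dbm_ipl is the comment "change to 0xc0020000 to hide splnet bugs", which does not say what that mask represents. A one-line comment per variable would help, as would moving the declarations below the copyright header, since they currently sit above it. As written they are also compiled in unconditionally; a debug-only guard would keep them out of normal builds.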
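
Review bot: In the check added after `s = splhigh();`, the printf text reads "malloc(..., M_NOWAIT) called at high ipl", but every variant of the condition requires `!(flags & M_NOWAIT)`, so the message names the wrong flag; it should say M_WAITOK to match what is being detected. The literals 0x80000000, 0x0000ffff and 0xffffffff that the saved level `s` is compared against are unexplained, and the `#if 1` / `#elif 0` / `#else` chain leaves two dead variants in place; a comment stating which level each value stands for, and dropping the unused branches, would make the test reviewable. The tsleep() under dbm_sleep runs after splhigh() and before the `while (ksp->ks_memuse >= ksp->ks_limit)` loop, so a short comment on why a sleep is forced at that point would be useful.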