Date: Sun, 2 Mar 2008 17:25:23 +0200
From: Kostik Belousov <kostikbel@gmail.com>
To: jmg@freebsd.org
Cc: current@freebsd.org
Subject: knlist_cleardel() panic
Message-ID: <20080302152523.GO57756@deviant.kiev.zoral.com.ua>
Hi,
The panic below was already reported, but now I got it on my desktop
and was able to investigate further.
#5  0xc06daf36 in trap (frame=0xe8093b1c)
    at /usr/bsd/src/sys/i386/i386/trap.c:490
#6  0xc06c0b4b in calltrap () at /usr/bsd/src/sys/i386/i386/exception.s:139
#7  0xc0493968 in knlist_cleardel (knl=0xcabec128, td=0x0, islocked=1,
    killkn=0) at atomic.h:149
#8  0xc04f520c in pipeclose (cpipe=0xcabec0b8)
    at /usr/bsd/src/sys/kern/sys_pipe.c:1508
#9  0xc04f5320 in pipe_close (fp=0xc5ce8630, td=0xcac01aa0)
    at /usr/bsd/src/sys/kern/sys_pipe.c:1425
#10 0xc0489442 in fdrop (fp=0xc5ce8630, td=0xcac01aa0) at file.h:297
#11 0xc048accf in closef (fp=0xc5ce8630, td=0xcac01aa0)
    at /usr/bsd/src/sys/kern/kern_descrip.c:1958
#12 0xc048b1ff in kern_close (td=0xcac01aa0, fd=10)
    at /usr/bsd/src/sys/kern/kern_descrip.c:1054
#13 0xc048b2da in close (td=0xcac01aa0, uap=0xe8093cfc)
    at /usr/bsd/src/sys/kern/kern_descrip.c:1006
#14 0xc06da865 in syscall (frame=0xe8093d38)
    at /usr/bsd/src/sys/i386/i386/trap.c:1035
#15 0xc06c0bb0 in Xint0x80_syscall ()
    at /usr/bsd/src/sys/i386/i386/exception.s:196
At frame 8, we have
(kgdb) p/x *(knl->kl_list->slh_first)
$9 = {kn_link = {sle_next = 0x0}, kn_selnext = {sle_next = 0x0},
  kn_knlist = 0x0, kn_tqe = {tqe_next = 0xc58de484, tqe_prev = 0xc5e9ab20},
  kn_kq = 0x0, kn_kevent = {ident = 0x0, filter = 0x0, flags = 0x0,
    fflags = 0x0, data = 0x0, udata = 0x0}, kn_status = 0x20,
  kn_sfflags = 0x0, kn_sdata = 0x0, kn_ptr = {p_fp = 0x0, p_proc = 0x0,
    p_aio = 0x0, p_lio = 0x0}, kn_fop = 0x0, kn_hook = 0x0}
The knote is KN_MARKER, and the kn_kq is NULL. The result is that KQ_LOCK
in the knlist_cleardel()::SLIST_FOREACH_SAFE() loop dereferences NULL and
panics.
Does the following change make any sense?
diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index 9ac661c..31ac77a 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -1169,6 +1169,7 @@ kqueue_scan(struct kqueue *kq, int maxevents, struct =
kevent_copyops *k_ops,
goto done_nl;
}
marker->kn_status =3D KN_MARKER;
+ marker->kn_kq =3D kq;
KQ_LOCK(kq);
goto start;
=20
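Review bot: the assignment `marker->kn_kq = kq;` is the line that actually stops the NULL dereference in the backtrace above, because knlist_cleardel() does `kq = kn->kn_kq; KQ_LOCK(kq);` before it ever looks at kn_status, so the KN_MARKER test added to that loop only runs after the kqueue lock has been taken through kn_kq. A comment beside the assignment saying that the marker must carry a valid kn_kq for any walker that locks the kqueue before checking KN_MARKER would stop the two hunks from being separated later. The commit message should also explain how a marker knote becomes reachable from knl->kl_list at all: kqueue_scan() only links the marker into the kqueue's own queue through kn_tqe (the kgdb dump shows kn_tqe populated and kn_selnext empty), so if it can only appear on kl_list through reuse of a knote that was still linked there, this assignment hides the symptom rather than fixing the cause.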
@@ -1742,7 +1743,8 @@ again: /* need to reacquire lock since we have dropp=
ed it */
SLIST_FOREACH_SAFE(kn, &knl->kl_list, kn_selnext, kn2) {
kq =3D kn->kn_kq;
KQ_LOCK(kq);
- if ((kn->kn_status & KN_INFLUX)) {
+ if ((kn->kn_status & KN_INFLUX) ||
+ (kn->kn_status & KN_MARKER)) {
KQ_UNLOCK(kq);
continue;
}
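Review bot: the new `(kn->kn_status & KN_MARKER)` test sits after `KQ_LOCK(kq)`, so on its own it cannot prevent the reported panic (kn_kq was NULL when the lock was taken); it only works together with the kqueue_scan() hunk that fills in kn_kq, and that dependency deserves a comment here. Since both flags are tested the same way, `if (kn->kn_status & (KN_INFLUX | KN_MARKER))` is shorter and matches the surrounding style. Note also that `continue` leaves the marker on kl_list, which matters for the wait path further down in the same function.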
@@ -1764,7 +1766,8 @@ again: /* need to reacquire lock since we have dropp=
ed it */
kn =3D SLIST_FIRST(&knl->kl_list);
kq =3D kn->kn_kq;
KQ_LOCK(kq);
- KASSERT(kn->kn_status & KN_INFLUX,
+ KASSERT((kn->kn_status & KN_INFLUX) ||
+ (kn->kn_status & KN_MARKER),
("knote removed w/o list lock"));
knl->kl_unlock(knl->kl_lockarg);
kq->kq_state |=3D KQ_FLUXWAIT;
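Review bot: widening the KASSERT to accept KN_MARKER makes the code right after it (`kq->kq_state |= KQ_FLUXWAIT;` and the sleep that follows) wait for a marker knote to leave kl_list, but a marker is only ever linked and unlinked by kqueue_scan() on the kqueue's own queue and nothing removes it from a knlist, so if a marker really is on kl_list this path sleeps indefinitely instead of panicking. The message "knote removed w/o list lock" also no longer describes the marker case. It would be safer to assert the invariant instead, e.g. `KASSERT((kn->kn_status & KN_MARKER) == 0, ("marker knote on knlist"))`, so the real cause surfaces, or else document why waiting on a marker is correct here.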