From owner-freebsd-current@FreeBSD.ORG  Sun Mar  2 15:25:39 2008
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9036E1065672
	for <current@freebsd.org>; Sun,  2 Mar 2008 15:25:39 +0000 (UTC)
	(envelope-from kostikbel@gmail.com)
Received: from relay03.kiev.sovam.com (relay03.kiev.sovam.com [62.64.120.201])
	by mx1.freebsd.org (Postfix) with ESMTP id 2EBC38FC14
	for <current@freebsd.org>; Sun,  2 Mar 2008 15:25:39 +0000 (UTC)
	(envelope-from kostikbel@gmail.com)
Received: from [212.82.216.226] (helo=skuns.kiev.zoral.com.ua)
	by relay03.kiev.sovam.com with esmtps (TLSv1:AES256-SHA:256)
	(Exim 4.67) (envelope-from <kostikbel@gmail.com>)
	id 1JVq4F-000NKf-JI; Sun, 02 Mar 2008 17:25:37 +0200
Received: from deviant.kiev.zoral.com.ua (root@deviant.kiev.zoral.com.ua
	[10.1.1.148])
	by skuns.kiev.zoral.com.ua (8.14.2/8.14.2) with ESMTP id m22FPcSJ028231
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Sun, 2 Mar 2008 17:25:39 +0200 (EET)
	(envelope-from kostikbel@gmail.com)
Received: from deviant.kiev.zoral.com.ua (kostik@localhost [127.0.0.1])
	by deviant.kiev.zoral.com.ua (8.14.2/8.14.2) with ESMTP id
	m22FPNfq030819; Sun, 2 Mar 2008 17:25:23 +0200 (EET)
	(envelope-from kostikbel@gmail.com)
Received: (from kostik@localhost)
	by deviant.kiev.zoral.com.ua (8.14.2/8.14.2/Submit) id m22FPNOR030818; 
	Sun, 2 Mar 2008 17:25:23 +0200 (EET)
	(envelope-from kostikbel@gmail.com)
X-Authentication-Warning: deviant.kiev.zoral.com.ua: kostik set sender to
	kostikbel@gmail.com using -f
Date: Sun, 2 Mar 2008 17:25:23 +0200
From: Kostik Belousov <kostikbel@gmail.com>
To: jmg@freebsd.org
Message-ID: <20080302152523.GO57756@deviant.kiev.zoral.com.ua>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="Rk/mPadVKW99GUvB"
Content-Disposition: inline
User-Agent: Mutt/1.4.2.3i
X-Virus-Scanned: ClamAV version 0.91.2,
	clamav-milter version 0.91.2 on skuns.kiev.zoral.com.ua
X-Virus-Status: Clean
X-Spam-Status: No, score=-4.4 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00
	autolearn=ham version=3.2.4
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
	skuns.kiev.zoral.com.ua
X-Scanner-Signature: 5c3fbe8c197fbeb60746bb89bf9baef4
X-DrWeb-checked: yes
X-SpamTest-Envelope-From: kostikbel@gmail.com
X-SpamTest-Group-ID: 00000000
X-SpamTest-Header: Not Detected
X-SpamTest-Info: Profiles 2347 [Mar 2 2008]
X-SpamTest-Info: helo_type=3
X-SpamTest-Method: none
X-SpamTest-Rate: 0
X-SpamTest-Status: Not detected
X-SpamTest-Status-Extended: not_detected
X-SpamTest-Version: SMTP-Filter Version 3.0.0 [0278], KAS30/Release
Cc: current@freebsd.org
Subject: knlsit_cleardel() panic
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Mar 2008 15:25:39 -0000


--Rk/mPadVKW99GUvB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

The panic below was already reported, but now I got it on my desktop
and was able to investigate further.

#5  0xc06daf36 in trap (frame=3D0xe8093b1c)
    at /usr/bsd/src/sys/i386/i386/trap.c:490
#6  0xc06c0b4b in calltrap () at /usr/bsd/src/sys/i386/i386/exception.s:139
#7  0xc0493968 in knlist_cleardel (knl=3D0xcabec128, td=3D0x0, islocked=3D1=
,=20
    killkn=3D0) at atomic.h:149
#8  0xc04f520c in pipeclose (cpipe=3D0xcabec0b8)
    at /usr/bsd/src/sys/kern/sys_pipe.c:1508
#9  0xc04f5320 in pipe_close (fp=3D0xc5ce8630, td=3D0xcac01aa0)
    at /usr/bsd/src/sys/kern/sys_pipe.c:1425
#10 0xc0489442 in fdrop (fp=3D0xc5ce8630, td=3D0xcac01aa0) at file.h:297
#11 0xc048accf in closef (fp=3D0xc5ce8630, td=3D0xcac01aa0)
    at /usr/bsd/src/sys/kern/kern_descrip.c:1958
#12 0xc048b1ff in kern_close (td=3D0xcac01aa0, fd=3D10)
    at /usr/bsd/src/sys/kern/kern_descrip.c:1054
#13 0xc048b2da in close (td=3D0xcac01aa0, uap=3D0xe8093cfc)
    at /usr/bsd/src/sys/kern/kern_descrip.c:1006
---Type <return> to continue, or q <return> to quit---
#14 0xc06da865 in syscall (frame=3D0xe8093d38)
    at /usr/bsd/src/sys/i386/i386/trap.c:1035
#15 0xc06c0bb0 in Xint0x80_syscall ()
    at /usr/bsd/src/sys/i386/i386/exception.s:196

At the frame 8, we have
(kgdb) p/x *(knl->kl_list->slh_first)
$9 =3D {kn_link =3D {sle_next =3D 0x0}, kn_selnext =3D {sle_next =3D 0x0},
  kn_knlist =3D 0x0, kn_tqe =3D {tqe_next =3D 0xc58de484, tqe_prev =3D 0xc5=
e9ab20},
  kn_kq =3D 0x0, kn_kevent =3D {ident =3D 0x0, filter =3D 0x0, flags =3D 0x=
0,
    fflags =3D 0x0, data =3D 0x0, udata =3D 0x0}, kn_status =3D 0x20,
  kn_sfflags =3D 0x0, kn_sdata =3D 0x0, kn_ptr =3D {p_fp =3D 0x0, p_proc =
=3D 0x0,
    p_aio =3D 0x0, p_lio =3D 0x0}, kn_fop =3D 0x0, kn_hook =3D 0x0}

The knote is KN_MARKER, and the kn_kq is NULL. The result is that KQ_LOCK
in the knlist_cleardel()::SLIST_FOREACH_SAFE() loop dereferences NULL and
panics.

Does the following change makes any sense?

diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index 9ac661c..31ac77a 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -1169,6 +1169,7 @@ kqueue_scan(struct kqueue *kq, int maxevents, struct =
kevent_copyops *k_ops,
 		goto done_nl;
 	}
 	marker->kn_status =3D KN_MARKER;
+	marker->kn_kq =3D kq;
 	KQ_LOCK(kq);
 	goto start;
=20
@@ -1742,7 +1743,8 @@ again:		/* need to reacquire lock since we have dropp=
ed it */
 	SLIST_FOREACH_SAFE(kn, &knl->kl_list, kn_selnext, kn2) {
 		kq =3D kn->kn_kq;
 		KQ_LOCK(kq);
-		if ((kn->kn_status & KN_INFLUX)) {
+		if ((kn->kn_status & KN_INFLUX) ||
+		    (kn->kn_status & KN_MARKER)) {
 			KQ_UNLOCK(kq);
 			continue;
 		}
@@ -1764,7 +1766,8 @@ again:		/* need to reacquire lock since we have dropp=
ed it */
 		kn =3D SLIST_FIRST(&knl->kl_list);
 		kq =3D kn->kn_kq;
 		KQ_LOCK(kq);
-		KASSERT(kn->kn_status & KN_INFLUX,
+		KASSERT((kn->kn_status & KN_INFLUX) ||
+			(kn->kn_status & KN_MARKER),
 		    ("knote removed w/o list lock"));
 		knl->kl_unlock(knl->kl_lockarg);
 		kq->kq_state |=3D KQ_FLUXWAIT;

--Rk/mPadVKW99GUvB
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (FreeBSD)

iEYEARECAAYFAkfKxuIACgkQC3+MBN1Mb4i+tgCeI/bqZ6KMKaYFtVMTGTyQU2GE
WFQAoJF7vgiv/gnN02wtRwuVT9f5cfcG
=za8X
-----END PGP SIGNATURE-----

--Rk/mPadVKW99GUvB--