From: Tor Egge
To: Benjamin.Close@clearchain.com
Cc: attilio@freebsd.org, kevinxlinuz@163.com, freebsd-current@freebsd.org, kib@freebsd.org
Date: Mon, 01 Sep 2008 01:31:17 +0000 (UTC)
Subject: Re: [BUG] I think sleepqueue need to be protected in sleepq_broadcast
Message-Id: <20080901.013117.74700691.Tor.Egge@cvsup.no.freebsd.org>
In-Reply-To: <48B6BC81.5060300@clearchain.com>
List: freebsd-current@freebsd.org (Discussions about the use of FreeBSD-current)

sleepq_resume_thread() contains an ownership handover of sq if the resumed thread is the last one blocked on the wait channel. After the handover, sq is no longer protected by the sleep queue chain lock and should no longer be accessed by sleepq_broadcast().

Normally, when sleepq_broadcast() incorrectly accesses sq after the handover, it will find the sq->sq_blocked queue to be empty, and the code appears to work. If the last correctly woken thread manages to go to sleep again very quickly on another wait channel, sleepq_broadcast() might incorrectly determine that the sq->sq_blocked queue isn't empty, and start doing the wrong thing.

A similar (but probably much more difficult to trigger) issue is present with regards to thread_lock() and turnstiles. The caller of thread_lock() might have performed sufficient locking to ensure that the thread to be locked doesn't go away, but any turnstile spin lock pointed to by td->td_lock isn't protected. Making turnstiles type stable (setting UMA_ZONE_NOFREE flag for turnstile_zone) should fix that issue.

- Tor Egge
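The following is an added single-process C model of the handover hazard the message describes; it is not FreeBSD's sleepq code. resume_thread(), maybe_resleep(), broadcast_buggy(), broadcast_safe() and the fixed-size arrays are constructed stand-ins for sleepq_resume_thread(), sleepq_broadcast() and the real queue structures, and the "racer" thread models the last woken thread sleeping again immediately on a second wait channel.

```c
#include <stdbool.h>
#include <string.h>
#define MAXT 4
struct thread;
struct sleepqueue { void *wchan; int nblocked; struct thread *blocked[MAXT]; };
struct thread { struct sleepqueue *td_sleepqueue; void *wchan; int wakeups; bool racer; };
struct outcome { int racer_wakeups; bool racer_on_b; };
/* Model of sleepq_resume_thread(): dequeue td from sq; if td was the last thread
 * blocked there, hand ownership of sq to td.  Returns true on that handover. */
static bool resume_thread(struct sleepqueue *sq, struct thread *td) {
    int i = 0; while (sq->blocked[i] != td) i++;
    memmove(&sq->blocked[i], &sq->blocked[i + 1], (size_t)(--sq->nblocked - i) * sizeof td);
    td->wakeups++; td->wchan = NULL;
    if (sq->nblocked > 0) return false;
    td->td_sleepqueue = sq; sq->wchan = NULL;   /* sq now belongs to td, not the chain */
    return true;
}
/* The hazard from the message: the racer sleeps again at once on another wait
 * channel, donating the sq it just received to that channel (modelled once). */
static void maybe_resleep(struct thread *td, void *chan_b) {
    struct sleepqueue *sq = td->td_sleepqueue;
    if (!td->racer || sq == NULL) return;
    td->racer = false; td->td_sleepqueue = NULL;
    sq->wchan = chan_b; td->wchan = chan_b; sq->blocked[sq->nblocked++] = td;
}
/* Buggy broadcast: re-reads sq after the handover, sees the racer queued on
 * chan_b and wakes it from the wrong wait channel. */
static void broadcast_buggy(struct sleepqueue *sq, void *chan_b) {
    while (sq->nblocked > 0) {                  /* touches sq after the handover */
        struct thread *td = sq->blocked[0];
        if (resume_thread(sq, td)) maybe_resleep(td, chan_b);
    }
}
/* Safe broadcast: snapshot the blocked list first; sq is never read again after
 * the last thread has been resumed. */
static void broadcast_safe(struct sleepqueue *sq, void *chan_b) {
    struct thread *snap[MAXT]; int n = sq->nblocked;
    memcpy(snap, sq->blocked, (size_t)n * sizeof snap[0]);
    for (int i = 0; i < n; i++)
        if (resume_thread(sq, snap[i])) maybe_resleep(snap[i], chan_b);
}
/* Constructed scenario: three threads block on chan_a; the last one is the racer. */
static struct outcome run_scenario(bool safe) {
    static int chan_a, chan_b; struct thread t[3] = {{0}};
    struct sleepqueue sq = { &chan_a, 3, { &t[0], &t[1], &t[2] } };
    for (int i = 0; i < 3; i++) t[i].wchan = &chan_a;
    t[2].racer = true;                          /* last on the queue: gets the handover */
    if (safe) broadcast_safe(&sq, &chan_b); else broadcast_buggy(&sq, &chan_b);
    return (struct outcome){ t[2].wakeups, t[2].wchan == &chan_b };
}
```

With the buggy loop the racer is woken twice and pulled off chan_b; with the safe loop it is woken once and stays asleep on chan_b.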