Date:      Tue, 10 Jul 2007 08:12:34 -0700
From:      Peter Wemm <peter@wemm.org>
To:        current@freebsd.org
Subject:   kqueue bug in 7.x with "things" that go away.
Message-ID:  <200707100812.34540.peter@wemm.org>

I've run into a bug in kqueue/tty in 7.x.

How to reproduce:
open a tty, e.g. a usb ftdi ucom device (ttyU0)
put a read event on it.  sleep in kevent
physically remove usb device
observe dmesg to say ucom0 went away.  Note the sleeping program doesn't wake up.
ctrl-C (or otherwise exit the program sleeping in kevent)
panic!  0xdeadc0de reference or worse.

There are probably other ways to make it go boom, but this is pretty 
graphic.

The stack trace I have is a mess due to inlined static function calls, 
but here are the relevant parts:

#7  0xffffffff8042d77e in calltrap () 
at ../../../amd64/amd64/exception.S:169
#8  0xffffffff802a1645 in knlist_remove_kq (knl=0xdeadc0dedeadc1ae,
    kn=0xffffff0003bc5b40, knlislocked=0, kqislocked=0)
    at ../../../kern/kern_event.c:1608
#9  0xffffffff802a41fe in kqueue_close (fp=0xffffff0003d90528,
    td=0xffffff000e5c29c0) at ../../../kern/kern_event.c:1463
#10 0xffffffff8029c3cc in fdrop (fp=0xffffff0003d90528, td=0xffffff000e5c29c0)
    at file.h:297
#11 0xffffffff8029d7fb in closef (fp=0xffffff0003d90528, td=0xffffff000e5c29c0)
    at ../../../kern/kern_descrip.c:1983
#12 0xffffffff8029e32d in fdfree (td=0xffffff000e5c29c0)
    at ../../../kern/kern_descrip.c:1693
#13 0xffffffff802a70cc in exit1 (td=0xffffff000e5c29c0, rv=2)
    at ../../../kern/kern_exit.c:272
#14 0xffffffff802c651f in sigexit (td=0xffffff000e5c29c0, sig=0)
    at ../../../kern/kern_sig.c:2884
#15 0xffffffff802c7378 in postsig (sig=-559038034)
    at ../../../kern/kern_sig.c:2756
#16 0xffffffff802f4519 in ast (framep=0xffffffffabfe8c70)
    at ../../../kern/subr_trap.c:259
#17 0xffffffff8042d970 in Xfast_syscall ()
    at ../../../amd64/amd64/exception.S:286

Unfortunately, you don't see the inlined function calls in the trace.  
I'm not 100% sure what frames 8 and 9 are.

The kqueue filter functions don't seem to check TS_GONE.
-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5
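The user-side half of the reproduction steps above (open a tty, register a read event, sleep in kevent(2)), written out as an added example that is not part of Peter Wemm's e-mail. The wait is factored into a function, `wait_readable()`, so it can be exercised on a pipe as well as on a tty; the `/dev/ttyU0` default and the `HAVE_KQUEUE` macro are this example's own choices, and the poll(2) fallback for systems without kqueue is an assumption made here only so the file builds and runs elsewhere. The bug the e-mail reports lives in the kqueue path, in the kernel, and no userland check avoids it; the EV_EOF/EV_ERROR handling shown is simply what a careful caller does when a device can disappear underneath an open descriptor.

```c
/* Added example, not code from the original e-mail or from FreeBSD.
 * Mirrors the reproduction steps: open a tty, put an EVFILT_READ event on it,
 * sleep in kevent(2).  On systems without kqueue the wait falls back to
 * poll(2); that fallback is an assumption of this example, made so it also
 * builds and runs on Linux.  The reported panic is specific to the kqueue path. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__NetBSD__) || \
    defined(__OpenBSD__) || defined(__DragonFly__)
#define HAVE_KQUEUE 1          /* example's own macro, not a system one */
#include <sys/types.h>
#include <sys/event.h>
#include <sys/time.h>
#else
#include <poll.h>
#endif

/* Wait until fd is readable (or reports EOF/error).
 * Returns 1 if readable, 0 on timeout, -1 on error with errno set.
 * timeout_ms < 0 blocks indefinitely, which is the state the e-mail's
 * program is in when the USB device is pulled. */
int wait_readable(int fd, int timeout_ms)
{
#ifdef HAVE_KQUEUE
    struct kevent change, ev;
    struct timespec ts, *tsp = NULL;
    int kq, n, saved;

    kq = kqueue();
    if (kq < 0)
        return -1;
    /* "put a read event on it" */
    EV_SET(&change, (uintptr_t)fd, EVFILT_READ, EV_ADD | EV_ENABLE, 0, 0, NULL);
    if (timeout_ms >= 0) {
        ts.tv_sec = timeout_ms / 1000;
        ts.tv_nsec = (long)(timeout_ms % 1000) * 1000000L;
        tsp = &ts;
    }
    /* "sleep in kevent": one call registers the change and waits for it */
    n = kevent(kq, &change, 1, &ev, 1, tsp);
    saved = errno;
    /* kqueue_close() is frame 9 in the reported trace: the knote still
     * points at a tty whose ucom device has already gone away. */
    close(kq);
    errno = saved;
    if (n < 0)
        return -1;
    if (n == 0)
        return 0;
    if (ev.flags & EV_ERROR) {      /* per-event error delivered in ev.data */
        errno = (int)ev.data;
        return -1;
    }
    /* EV_EOF in ev.flags is how a well-behaved filter reports the other
     * side (or the device) going away; read(2) will then return 0 or fail. */
    return 1;
#else
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int n = poll(&pfd, 1, timeout_ms);
    if (n < 0)
        return -1;
    return n == 0 ? 0 : 1;          /* POLLIN or POLLHUP: readable either way */
#endif
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/ttyU0";  /* device from the e-mail */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) {
        perror(path);
        return 1;
    }
    printf("waiting for %s to become readable; unplug the device now\n", path);
    int r = wait_readable(fd, -1);
    printf("wait_readable returned %d (%s)\n", r, r < 0 ? strerror(errno) : "ok");
    close(fd);
    return r < 0;
}
```

Run it as `./a.out /dev/ttyU0` on a FreeBSD box with the ucom device attached; it blocks in kevent(2) exactly as the report describes. On a kernel with the fix, pulling the device makes the call return with EV_EOF (or an error) instead of leaving the process asleep, and closing the kqueue afterwards is uneventful.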