Date: Tue, 10 Jul 2007 08:12:34 -0700
From: Peter Wemm <peter@wemm.org>
To: current@freebsd.org
Subject: kqueue bug in 7.x with "things" that go away.
Message-ID: <200707100812.34540.peter@wemm.org>
I've run into a bug in kqueue/tty in 7.x.

How to reproduce:

  open a tty, e.g. a usb ftdi ucom device (ttyU0)
  put a read event on it.
  sleep in kevent
  physically remove usb device
  observe dmesg to say ucom0 went away.  Note sleeping program doesn't wake up.
  ctrl-C (or otherwise exit the program sleeping in kevent)
  panic!  0xdeadc0de reference or worse.

There are probably other ways to make it go boom, but this is pretty graphic.

The stack trace I have is a mess due to inlined static function calls, but here are the relevant parts:

#7  0xffffffff8042d77e in calltrap () at ../../../amd64/amd64/exception.S:169
#8  0xffffffff802a1645 in knlist_remove_kq (knl=0xdeadc0dedeadc1ae, kn=0xffffff0003bc5b40, knlislocked=0, kqislocked=0) at ../../../kern/kern_event.c:1608
#9  0xffffffff802a41fe in kqueue_close (fp=0xffffff0003d90528, td=0xffffff000e5c29c0) at ../../../kern/kern_event.c:1463
#10 0xffffffff8029c3cc in fdrop (fp=0xffffff0003d90528, td=0xffffff000e5c29c0) at file.h:297
#11 0xffffffff8029d7fb in closef (fp=0xffffff0003d90528, td=0xffffff000e5c29c0) at ../../../kern/kern_descrip.c:1983
#12 0xffffffff8029e32d in fdfree (td=0xffffff000e5c29c0) at ../../../kern/kern_descrip.c:1693
#13 0xffffffff802a70cc in exit1 (td=0xffffff000e5c29c0, rv=2) at ../../../kern/kern_exit.c:272
#14 0xffffffff802c651f in sigexit (td=0xffffff000e5c29c0, sig=0) at ../../../kern/kern_sig.c:2884
#15 0xffffffff802c7378 in postsig (sig=-559038034) at ../../../kern/kern_sig.c:2756
#16 0xffffffff802f4519 in ast (framep=0xffffffffabfe8c70) at ../../../kern/subr_trap.c:259
#17 0xffffffff8042d970 in Xfast_syscall () at ../../../amd64/amd64/exception.S:286

Unfortunately, you don't see the inlined function calls in the trace.  I'm not 100% sure what frame 8 and 9 are.  The kqueue filter functions don't seem to check TS_GONE.

-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5