From owner-freebsd-current@FreeBSD.ORG  Sun May  4 09:48:14 2003
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 9957D37B401; Sun,  4 May 2003 09:48:14 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id E562743FAF; Sun,  4 May 2003 09:48:13 -0700 (PDT)
	(envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.12.9/8.12.9) with SMTP id h44GmP9S032142;
	Sun, 4 May 2003 12:48:26 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Date: Sun, 4 May 2003 12:48:24 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.org>
X-Sender: robert@fledge.watson.org
To: Philippe Charnier <charnier@xp11.frmug.org>
In-Reply-To: <200305041541.h44Ffb7n001131@xp11.frmug.org>
Message-ID: <Pine.NEB.3.96L.1030504124255.24722E-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: current@FreeBSD.org
cc: jhb@FreeBSD.org
Subject: Re: panic: mutex process lock not owned at
	../../../kern/sys_process.c:97
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 04 May 2003 16:48:15 -0000


On Sun, 4 May 2003, Philippe Charnier wrote:

> On Wed, 30 Apr 2003, Radko Keves <rado@studnet.sk> got this panic. The
> panic is easy to reproduce using `truss ls'. John Baldwin asked for a
> stack trace.  Here is one: 

> 79              PROC_UNLOCK(p);
> 80              if (kl < 0)
> 81                      error = EINVAL;
> 82              else
> 83                      /* XXXKSE: */
> 84                      error = proc_read_regs(FIRST_THREAD_IN_PROC(p), &r);
> 85              if (error == 0)
> 86                      error = uiomove(kv, kl, uio);
> 87              PROC_LOCK(p);
> 88              if (error == 0 && uio->uio_rw == UIO_WRITE) {

Try moving the PROC_UNLOCK() call from line 79 to just after line 84
(i.e., before the error check and possible uiomove()).  It looks like some
similar bugs might exist in other bits of procfs.  I've attached a patch
that tries to more generally handle use of the proc lock more properly
with uiomove(), but might also not be perfect.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

Index: procfs_dbregs.c
===================================================================
RCS file: /home/ncvs/src/sys/fs/procfs/procfs_dbregs.c,v
retrieving revision 1.21
diff -u -r1.21 procfs_dbregs.c
--- procfs_dbregs.c	29 Jun 2002 17:26:15 -0000	1.21
+++ procfs_dbregs.c	4 May 2003 16:45:28 -0000
@@ -87,8 +87,11 @@
 	else
 		/* XXXKSE: */
 		error = proc_read_dbregs(FIRST_THREAD_IN_PROC(p), &r);
-	if (error == 0)
+	if (error == 0) {
+		PROC_UNLOCK(p);
 		error = uiomove(kv, kl, uio);
+		PROC_LOCK(p);
+	}
 	if (error == 0 && uio->uio_rw == UIO_WRITE) {
 		if (!P_SHOULDSTOP(p)) /* XXXKSE should be P_TRACED? */
 			error = EBUSY;
Index: procfs_fpregs.c
===================================================================
RCS file: /home/ncvs/src/sys/fs/procfs/procfs_fpregs.c,v
retrieving revision 1.27
diff -u -r1.27 procfs_fpregs.c
--- procfs_fpregs.c	29 Jun 2002 17:26:15 -0000	1.27
+++ procfs_fpregs.c	4 May 2003 16:44:43 -0000
@@ -81,8 +81,11 @@
 	else
 		/* XXXKSE: */
 		error = proc_read_fpregs(FIRST_THREAD_IN_PROC(p), &r);
-	if (error == 0)
+	if (error == 0) {
+		PROC_UNLOCK(p);
 		error = uiomove(kv, kl, uio);
+		PROC_LOCK(p);
+	}
 	if (error == 0 && uio->uio_rw == UIO_WRITE) {
 		if (!P_SHOULDSTOP(p))
 			error = EBUSY;
Index: procfs_ioctl.c
===================================================================
RCS file: /home/ncvs/src/sys/fs/procfs/procfs_ioctl.c,v
retrieving revision 1.9
diff -u -r1.9 procfs_ioctl.c
--- procfs_ioctl.c	17 Apr 2003 22:13:46 -0000	1.9
+++ procfs_ioctl.c	4 May 2003 16:46:16 -0000
@@ -67,6 +67,9 @@
 		*(unsigned int *)data = p->p_pfsflags;
 		break;
 	case PIOCWAIT:
+		/*
+		 * Should PHOLD() and relase proc lock here?
+		 */
 		while (p->p_step == 0) {
 			/* sleep until p stops */
 			error = msleep(&p->p_stype, &p->p_mtx,
Index: procfs_regs.c
===================================================================
RCS file: /home/ncvs/src/sys/fs/procfs/procfs_regs.c,v
retrieving revision 1.26
diff -u -r1.26 procfs_regs.c
--- procfs_regs.c	29 Jun 2002 17:26:15 -0000	1.26
+++ procfs_regs.c	4 May 2003 16:44:57 -0000
@@ -76,15 +76,16 @@
 		kl = uio->uio_resid;
 
 	_PHOLD(p);
-	PROC_UNLOCK(p);
 	if (kl < 0)
 		error = EINVAL;
 	else
 		/* XXXKSE: */
 		error = proc_read_regs(FIRST_THREAD_IN_PROC(p), &r);
-	if (error == 0)
+	if (error == 0) {
+		PROC_UNLOCK(p);
 		error = uiomove(kv, kl, uio);
-	PROC_LOCK(p);
+		PROC_LOCK(p);
+	}
 	if (error == 0 && uio->uio_rw == UIO_WRITE) {
 		if (!P_SHOULDSTOP(p))
 			error = EBUSY;