Message-Id: <200402110410.i1B4Aren001195@green.homeunix.org>
To: current@FreeBSD.org
In-Reply-To: Message from Brian Fundakowski Feldman <200402100457.i1A4v1As001530@green.homeunix.org>
From: "Brian F. Feldman"
Date: Tue, 10 Feb 2004 23:10:53 -0500
Subject: Re: panic (page fault) in poll (on pipe)
List-Id: Discussions about the use of FreeBSD-current

With Alfred's help, I think I've determined the send side of the socket not calling selwakeup() is the problem. If there's a missing selwakeup{,pri}(), then the object can be freed while it's still on the select/poll queues. So far, I haven't had a crash, whereas mozilla, running multithreaded, with libpthread on SMP, can otherwise cause it very quickly.

Index: uipc_socket.c =================================================================== RCS file: /usr/ncvs/src/sys/kern/uipc_socket.c,v retrieving revision 1.161 diff -u -r1.161 uipc_socket.c --- uipc_socket.c 31 Jan 2004 10:40:23 -0000 1.161 +++ uipc_socket.c 11 Feb 2004 03:36:05 -0000 
@@ -291,6 +291,7 @@ struct socket *so; { struct socket *head = so->so_head; + int s; KASSERT(so->so_count == 0, ("socket %p so_count not 0", so)); @@ -314,6 +315,12 @@ so->so_state &= ~SS_INCOMP; so->so_head = NULL; } + so->so_snd.sb_flags |= SB_NOINTR; + (void)sblock(&so->so_snd, M_WAITOK); + s = splimp(); + socantsendmore(so); + splx(s); + sbunlock(&so->so_snd); sbrelease(&so->so_snd, so); sorflush(so); sodealloc(so); -- Brian Fundakowski Feldman \'[ FreeBSD ]''''''''''\ <> green@FreeBSD.org \ The Power to Serve! \ Opinions expressed are my own. \,,,,,,,,,,,,,,,,,,,,,,\
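
Review bot: In the second hunk (@@ -314,6 +315,12 @@) the added block has no comment saying why a socket that is about to be released is first marked unable to send. As the message above explains, socantsendmore(so) is there for the wakeup it delivers to select/poll waiters on so_snd, and a short comment above `so->so_snd.sb_flags |= SB_NOINTR;` should say so, otherwise the call looks redundant next to sbrelease() and may be removed later. Two things to confirm before commit: `(void)sblock(&so->so_snd, M_WAITOK);` can sleep, so every path into this function must be allowed to sleep, and by that point the socket may already have been detached from so_head; and splx(s) comes before sbunlock(&so->so_snd), so the unlock runs outside the splimp() section, which deserves a word in the comment if it is intentional.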