Date: Fri, 8 Apr 2005 19:50:35 GMT
From: Steven Sears <stevenjsears@yahoo.com>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/79693: SMP: msleep and sleepq_broadcast race
Message-ID: <200504081950.j38JoZ41062994@freefall.freebsd.org>
The following reply was made to PR kern/79693; it has been noted by GNATS.

From: Steven Sears <stevenjsears@yahoo.com>
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/79693: SMP: msleep and sleepq_broadcast race
Date: Fri, 8 Apr 2005 12:41:36 -0700 (PDT)

Found some inaccuracies in my original write-up, sorry about that.
Here's an accurate account:

1. threadA calls msleep with PCATCH set
2. threadA acquires sleepq lock
3. threadA is queued on sleepq
4. threadA calls sleepq_catch_signals, which drops the sleepq lock
5. threadB calls wakeup on same identifier, which calls sleepq_broadcast
6. threadB grabs sleepq lock
7. threadB removes threadA from sleepq, which sets td->td_sleepqueue
8. threadB queues threadA to local temporary queue (list)
9. threadB drops sleepq lock
10. threadA calls sleepq_timedwait_sig, which calls sleepq_sleep and
    determines it has been woken up since td->td_sleepqueue != NULL
11. threadA returns from sleepq_switch, sleepq_timedwait_sig, msleep
12. threadA calls msleep with PCATCH set
13. threadA is queued on sleepq
    [CORRUPTION] Note threadA is still on sleepq_broadcast's local
    temporary queue (list). This results in threadA pointing back to
    itself on the sleepq.
14. threadA goes to sleep
15. threadB dequeues threadA from its local temporary queue (list) and
    schedules it.
16. goto 15

-Steve
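
The sequence in steps 7 to 16 can be replayed deterministically in user space. The following is an added example, not code from the PR or from the FreeBSD tree: the `thread` and `queue` types and all function names are hypothetical, and it assumes the sleep queue and the waker's local list link a thread through the same embedded link field, as the corruption in step 13 implies.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: a tail queue with the same link layout as BSD TAILQ. */
struct thread { struct thread *next; struct thread **prev; };
struct queue  { struct thread *first; struct thread **last; };

static void q_init(struct queue *q) { q->first = NULL; q->last = &q->first; }

static void q_insert_tail(struct queue *q, struct thread *td) {
    td->next = NULL;
    td->prev = q->last;
    *q->last = td;
    q->last = &td->next;
}

static void q_remove(struct queue *q, struct thread *td) {
    if (td->next != NULL)
        td->next->prev = td->prev;
    else
        q->last = td->prev;
    *td->prev = td->next;   /* writes through whichever queue linked td last */
}

/*
 * Replays steps 3-16 in a single thread of control. With requeue != 0,
 * threadA re-enters the sleep queue (step 13) before the waker drains its
 * local list (step 15). Returns the number of drain iterations, capped at
 * limit so the model terminates where the kernel would spin.
 */
int drain_iterations(int requeue, int limit) {
    struct queue sleepq, local;
    struct thread a;
    int n = 0;

    q_init(&sleepq); q_init(&local);
    q_insert_tail(&sleepq, &a);        /* step 3: threadA queued on sleepq */
    q_remove(&sleepq, &a);             /* step 7: waker removes threadA */
    q_insert_tail(&local, &a);         /* step 8: same links, local list */
    if (requeue)
        q_insert_tail(&sleepq, &a);    /* step 13: links now point at sleepq */
    while (local.first != NULL && n < limit) {
        q_remove(&local, local.first); /* step 15: clears sleepq.first instead */
        n++;                           /* step 16: local.first is still threadA */
    }
    return n;
}

int main(void) {
    printf("clean=%d raced=%d\n", drain_iterations(0, 1000), drain_iterations(1, 1000));
    return 0;
}
```

In the raced case the removal in step 15 writes through the back-pointer set in step 13, so the local list head never changes and the drain loop only stops at the cap.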