From owner-freebsd-bugs@FreeBSD.ORG  Fri Apr  8 19:50:36 2005
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 222D416A4D9
	for <freebsd-bugs@hub.freebsd.org>;
	Fri,  8 Apr 2005 19:50:36 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EC21343D41
	for <freebsd-bugs@hub.freebsd.org>;
	Fri,  8 Apr 2005 19:50:35 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j38JoZ6a062995
	for <freebsd-bugs@freefall.freebsd.org>; Fri, 8 Apr 2005 19:50:35 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j38JoZ41062994;
	Fri, 8 Apr 2005 19:50:35 GMT
	(envelope-from gnats)
Date: Fri, 8 Apr 2005 19:50:35 GMT
Message-Id: <200504081950.j38JoZ41062994@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Steven Sears <stevenjsears@yahoo.com>
Subject: Re: kern/79693: SMP: msleep and sleepq_broadcast race
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Steven Sears <stevenjsears@yahoo.com>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2005 19:50:36 -0000

The following reply was made to PR kern/79693; it has been noted by GNATS.

From: Steven Sears <stevenjsears@yahoo.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/79693: SMP: msleep and sleepq_broadcast race
Date: Fri, 8 Apr 2005 12:41:36 -0700 (PDT)

 Found some inaccuracies in my original write-up, sorry
 about that. Here's an accurate account:
 
 1. threadA calls msleep with PCATCH set
 2. threadA acquires sleepq lock
 3. threadA is queued on sleepq
 4. threadA calls sleepq_catch_signals, which drops the
 sleepq lock
 5. threadB calls wakeup on same identifier, which
 calls sleepq_broadcast
 6. threadB grabs sleepq lock
 7. threadB removes threadA from sleepq, which sets
 td->td_sleepqueue
 8. threadB queues threadA to local temporary queue
 (list)
 9. threadB drops sleepq lock
 10. threadA calls sleepq_timedwait_sig, which calls
 sleepq_sleep and
 determines it has been woken up since 
 td->td_sleepqueue != NULL
 11. threadA returns from sleepq_switch,
 sleepq_timedwait_sig, msleep
 12. threadA calls msleep with PCATCH set
 13. threadA is queued on sleepq [CORRUPTION] Note
 threadA is still on
 sleepq_broadcast's local temporary queue (list). This
 results in threadA
 pointing back to itself on the sleepq.
 14. threadA goes to sleep
 15. threadB dequeues threadA from its local temporary
 queue (list) and
 schedules it.
 16. goto 15
 
 
 
  -Steve
 
 
 __________________________________________________
 Do You Yahoo!?
 Tired of spam?  Yahoo! Mail has the best spam protection around 
 http://mail.yahoo.com