From: Bill Paul
Organization: Wind River Systems
To: Mark Tinguely, current@freebsd.org, mcsi@mcsi.pp.ru
Date: Thu, 10 Nov 2005 11:58:48 -0800
Subject: Re: CURRENT panics sometimes

Of all the gin joints in all the towns in all the world, Mark Tinguely had
to walk into mine and say:

> We are chasing a different panic (kern/88725) where dynamic callouts
> are freed but the callout could be still pending. The freed memory
> can be re-allocated, modified and then cause errors when the timer
> wheel is checked.
>
> After finding this one occurrence, I did a complete search of callouts,
> and I see a potential similar error in the ntoskrnl_libfini() routine
> in the file /sys/compat/ndis/subr_ntoskrnl.c and a few other places
> (7 total). I wanted to verify each of these 7 occurrences before
> issuing a patch.
>
> I suspect a simple test loop could verify that this is a similar error
> as kern/88725.
>
> --Mark Tinguely

Hm. Unfortunately, the ntoskrnl_libfini() won't be called until the
ndis.ko module is unloaded, and that's not happening here. That isn't
to say that there isn't a callout bug in there somewhere.

Note that Project Evil has its own callwheel because struct callout
doesn't fit inside the Windows struct KTIMER (and in Windows, drivers
allocate KTIMERs themselves from the heap and can free them without
calling any routine to deallocate them first). The assumption is that
by the time MiniportHalt() has completed, the underlying driver has
stopped/cancelled all the timers it started.

Originally I used the timeout()/untimeout() API, but I found that in
some cases I would find myself trying to cancel a timer that had
already fired. This problem doesn't occur with the built-in callwheel
that's there now. Also, using timeout()/untimeout() causes timer
callouts to be run with Giant held, which I didn't want.

-Bill

--
=============================================================================
-Bill Paul (510) 749-2329 | Senior Engineer, Master of Unix-Fu
wpaul@windriver.com | Wind River Systems
=============================================================================
"Ignorance may be bliss, but delusion is ecstasy!" -Perki
=============================================================================
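
Added illustration, not part of the original message and not FreeBSD or ndis code: a user-space toy callwheel showing the pattern at issue in the thread, where a heap-allocated timer must be unlinked from the wheel before it is freed, and where cancelling a timer that has already fired is a harmless no-op. Every name in it (toy_callout, toy_stop, toy_reset, toy_run, toy_free, toy_bump) is hypothetical.

```c
#include <stdlib.h>

/* Toy one-bucket callwheel. All names are hypothetical, not FreeBSD's. */
struct toy_callout {
    struct toy_callout *next;
    void (*fn)(void *);
    void *arg;
};
static struct toy_callout *wheel;      /* head of the pending list */

/* Unlink c if it is still queued. Returns 1 if cancelled, 0 if it had
 * already fired or was never started (the cancel-after-fire case). */
int toy_stop(struct toy_callout *c) {
    for (struct toy_callout **pp = &wheel; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == c) {
            *pp = c->next;
            return 1;
        }
    }
    return 0;
}

/* Arm (or re-arm) c. Stopping first keeps c from being linked twice. */
void toy_reset(struct toy_callout *c, void (*fn)(void *), void *arg) {
    (void)toy_stop(c);
    c->fn = fn;
    c->arg = arg;
    c->next = wheel;
    wheel = c;
}

/* Fire everything queued; returns how many handlers ran. */
int toy_run(void) {
    int n = 0;
    while (wheel != NULL) {
        struct toy_callout *c = wheel;
        wheel = c->next;               /* unlink first: fn may free c */
        c->fn(c->arg);
        n++;
    }
    return n;
}

/* Safe release. A bare free(c) on a pending timer would leave the wheel
 * pointing at freed memory that the allocator can hand out again. */
void toy_free(struct toy_callout *c) {
    (void)toy_stop(c);
    free(c);
}

/* Sample handler: increments the int that arg points to. */
void toy_bump(void *arg) { ++*(int *)arg; }
```
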