From: Stephan Uphoff
To: freebsd-gnats-submit@FreeBSD.org
Date: Sun, 11 Apr 2004 18:07:21 -0700 (PDT)
Message-Id: <200404120107.i3C17L0O006072@www.freebsd.org>
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Date: Sun, 11 Apr 2004 18:10:17 -0700 (PDT)
Subject: kern/65448: _mtx_unlock_sleep() race condition if ADAPTIVE_MUTEXES is defined

>Number:         65448
>Category:       kern
>Synopsis:       _mtx_unlock_sleep() race condition if ADAPTIVE_MUTEXES is defined
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 11 18:10:17 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Stephan Uphoff
>Release:        current
>Organization:
>Environment:
N/A
>Description:
The following waiting loop is used in _mtx_unlock_sleep() if both ADAPTIVE_MUTEXES and SMP are defined.

    while (mtx_owner(m) == owner && TD_IS_RUNNING(owner)) {
    #ifdef __i386__
            ia32_pause();
    #endif
    }

Problem:

The current thread has no lock or reference count on the "owner" thread.
This means that the thread pointed to by owner can terminate and become invalid.
If the "owner" thread terminates between the tests "mtx_owner(m) == owner" and
"TD_IS_RUNNING(owner)", the second test might access an invalid memory address.

Additional nitpick:

Because TD_IS_RUNNING(owner) is defined as

    #define TD_IS_RUNNING(td) ((td)->td_state == TDS_RUNNING)

and

  - the td_state field is not volatile, and
  - ia32_pause() is not marked to modify memory,

the compiler can regard the test "TD_IS_RUNNING(owner)" as being loop invariant
and rewrite the code fragment above as:

    if (mtx_owner(m) == owner && TD_IS_RUNNING(owner))
            do {
    #ifdef __i386__
                    ia32_pause();
    #endif
            } while (mtx_owner(m) == owner);

This would cause problems.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
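An added illustration, not part of the PR above and not FreeBSD's own code: a user-space C model of the spin loop from the report, with the "owner" thread driven by a script so that it unlocks and exits exactly between the two tests of the loop condition. All names (struct thread, struct mtx, td_refcnt, thread_rele, cpu_spinwait, owner_run) are hypothetical stand-ins for the kernel's types; the "freed" flag is a model of memory that would really be gone. The unsafe loop reads the owner's td_state after the owner has been released; the second loop holds a reference on the owner for the whole spin, which keeps the struct alive until the waiter drops it. The model assumes the reference can be taken while the owner is still known to be alive (in a real kernel that needs a lock or type-stable thread storage, which the PR does not discuss). Reading td_state through an _Atomic also forces a fresh load on every iteration, which is the fix for the loop-invariant "nitpick" in the report.

```c
/*
 * Model of the ADAPTIVE_MUTEXES spin loop (hypothetical user-space
 * stand-ins for struct thread / struct mtx; not FreeBSD code).
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum td_state { TDS_RUNNING = 1, TDS_INACTIVE = 2 };

struct thread {
    _Atomic int td_state;   /* atomic: a fresh load every check, never hoisted */
    _Atomic int td_refcnt;  /* holders keep the struct alive */
    bool freed;             /* model only: in a kernel the memory is gone */
};

struct mtx {
    struct thread *_Atomic mtx_lock;  /* owner pointer, NULL when unlocked */
};

static inline struct thread *mtx_owner(struct mtx *m)
{
    return atomic_load(&m->mtx_lock);
}

/* TD_IS_RUNNING(owner); records a read of freed memory in *uaf (model only) */
static inline bool td_is_running(struct thread *td, int *uaf)
{
    if (td->freed)
        *uaf = 1;
    return atomic_load(&td->td_state) == TDS_RUNNING;
}

/* ia32_pause() with a "memory" clobber: the compiler may not cache
 * memory values across it */
static inline void cpu_spinwait(void)
{
    __asm__ __volatile__("" ::: "memory");
}

static void thread_rele(struct thread *td)
{
    if (atomic_fetch_sub(&td->td_refcnt, 1) == 1)
        td->freed = true;   /* last reference dropped: struct goes away */
}

/* Scripted owner: on tick exit_tick it unlocks the mutex and exits. */
struct owner_script {
    struct thread *owner;
    struct mtx *m;
    int exit_tick;
    int tick;
};

static void owner_run(struct owner_script *s)
{
    if (++s->tick != s->exit_tick)
        return;
    atomic_store(&s->m->mtx_lock, NULL);              /* mtx_unlock */
    atomic_store(&s->owner->td_state, TDS_INACTIVE);  /* thread exit */
    thread_rele(s->owner);                            /* drops its own ref */
}

/* Loop as in the report: no reference held on 'owner'. Returns spin count. */
static int spin_unsafe(struct mtx *m, struct thread *owner,
                       struct owner_script *s, int *uaf)
{
    int iters = 0;
    *uaf = 0;
    for (;;) {
        if (mtx_owner(m) != owner)
            break;
        owner_run(s);                    /* owner runs between the two tests */
        if (!td_is_running(owner, uaf))  /* may read a freed struct */
            break;
        cpu_spinwait();
        iters++;
    }
    return iters;
}

/* Same loop, but the waiter holds a reference on 'owner' while spinning. */
static int spin_safe(struct mtx *m, struct thread *owner,
                     struct owner_script *s, int *uaf)
{
    int iters = 0;
    *uaf = 0;
    atomic_fetch_add(&owner->td_refcnt, 1);  /* assumed: owner alive here */
    for (;;) {
        if (mtx_owner(m) != owner)
            break;
        owner_run(s);
        if (!td_is_running(owner, uaf))      /* struct still valid */
            break;
        cpu_spinwait();
        iters++;
    }
    thread_rele(owner);                      /* may be the final release */
    return iters;
}

struct scenario { struct thread owner; struct mtx m; struct owner_script s; };

static void scenario_init(struct scenario *sc, int exit_tick)
{
    atomic_init(&sc->owner.td_state, TDS_RUNNING);
    atomic_init(&sc->owner.td_refcnt, 1);  /* the owner's own reference */
    sc->owner.freed = false;
    atomic_init(&sc->m.mtx_lock, &sc->owner);
    sc->s = (struct owner_script){ &sc->owner, &sc->m, exit_tick, 0 };
}

int main(void)
{
    struct scenario sc;
    int uaf, iters;

    scenario_init(&sc, 3);
    iters = spin_unsafe(&sc.m, &sc.owner, &sc.s, &uaf);
    printf("unsafe: %d spins, read-after-free=%d\n", iters, uaf);

    scenario_init(&sc, 3);
    iters = spin_safe(&sc.m, &sc.owner, &sc.s, &uaf);
    printf("safe:   %d spins, read-after-free=%d, freed after rele=%d\n",
           iters, uaf, (int)sc.owner.freed);
    return 0;
}
```

With the owner scripted to exit on the third tick, both loops spin twice; the unsafe loop then evaluates td_is_running() on a struct that has already been released, while the reference-holding loop sees the owner marked inactive, exits, and only then lets the struct go.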