Date:      Thu, 16 Jan 1997 03:41:38 +1100
From:      Bruce Evans <bde@zeta.org.au>
To:        bde@zeta.org.au, dg@root.com
Cc:        bugs@FreeBSD.ORG, dyson@FreeBSD.ORG, wollman@FreeBSD.ORG
Subject:   Re: malloc(..., M_WAITOK) found harmful
Message-ID:  <199701151641.DAA29626@godzilla.zeta.org.au>

>>Here mbinit() calls m_clalloc() with the M_DONTWAIT flag and m_clalloc()
>>calls kmem_malloc() with the M_NOWAIT flag, but the flag is not passed
>>on to vm_map_insert() and vm_map_entry_create() eventually calls malloc()
>>with the M_WAITOK flag.  vm_map_create() always uses M_WAITOK.
                                  entry_ (oops)
>
>   Hmmm. I don't see how this can happen since the map is mb_map and
>vm_map_entry_create does special things in this case to make sure that
>malloc is NOT called. Please explain...

I was looking at the wrong function.  Anyway, vm_map_entry_create()
certainly calls malloc() at a bad time.  Here's a more interesting
trace with the same bug occurring much later after almost everything
is initialized:

....
setting ldconfig path: /usr/lib /usr/lib/compat /usr/X11R6/lib /usr/local/lib
standard daemons: inetd cron sendmailM_NOWAIT malloc called at high spl 0xc0020000
...
M_NOWAIT malloc called at high spl 0xc003849a
Debugger("")
Stopped at      _Debugger+0x36: movb    $0,_in_Debugger.94
db> t
_Debugger(f0119716,f01196ee,c003849a) at _Debugger+0x36
_malloc(24,1f,0,f0645000,f063ec80) at _malloc+0x16f
_vm_map_entry_create(f063ec80,f063ec80,f063ec84,1000,c0020000) at _vm_map_entry_create+0x164
_vm_map_insert(f063ec80,f0223084,685000,0,f0644000) at _vm_map_insert+0x1ec
_kmem_malloc(f063ec80,1000,1,f0791600,efbff9d0) at _kmem_malloc+0x10c
_m_clalloc(1,1) at _m_clalloc+0x2e
_ed_get_packet(f0226864,f00d3804,5ea,0,540) at _ed_get_packet+0xc7
_edintr_sc(f0226864,efbffabc,f01d115f,0,80000000) at _edintr_sc+0x373
_edintr(0,80000000,f0640010,efbf0010,f2b0d454) at _edintr+0x1a
Xresume15() at Xresume15+0x2b
--- interrupt, eip = 0xf01da2fa, ebp = 0xefbffabc ---
_generic_bcopy(efbffb18,efbffb9c,2000,efbffb14) at _generic_bcopy+0x1a
_nfs_readrpc(f094b500,efbffb9c,f08fc600,f28e74e0,f08fc600) at _nfs_readrpc+0x67a
_nfs_doio(f28e74e0,f08fc600,f0908a00,f28e74e0,2000) at _nfs_doio+0x167
_nfs_strategy(efbffc1c) at _nfs_strategy+0x61
_vnode_pager_leaf_getpages(f0959580,efbffd24,2,0,f0959580) at _vnode_pager_leaf_getpages+0x3c2
_vnode_pager_getpages(f0959580,efbffd24,2,0,2) at _vnode_pager_getpages+0x77
_vm_pager_get_pages(f0959580,efbffd24,2,0) at _vm_pager_get_pages+0x24
_vm_fault(f063ed80,f342d000,1,0,f0908a00) at _vm_fault+0x5b4
_trap_pfault(efbffda4,0,efbfff0c,f342d000,efbffe98) at _trap_pfault+0xc9
_trap(10,10,efbffe98,f342d000,efbffe0c) at _trap+0x298
alltraps_with_regs_pushed(efbffe98,f0908a00,f020eaf8,0,0) at alltraps_with_regs_pushed+0x33
_execve(f0908a00,efbfff94,efbfff84,18b74,ffffffff) at _execve+0x1c3
_syscall(efbf0027,27,18b8c,ffffffff,efbfdb48) at _syscall+0x185
_Xsyscall() at _Xsyscall+0x35
--- syscall 59, eip = 0x8064461, ebp = 0xefbfdb48 ---

Here m_clalloc(1, M_DONTWAIT) is called from a deeply nested interrupt
handler.  vm_map_entry_create()'s arg is 0xf063ec80 == mcl_map, which
is not specially handled :-(.  This has been broken since 1996/05/10
when Garrett added mcl_map.

Bruce
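A constructed C model of the defect described above, added here as an illustration and not code from the thread or from FreeBSD: a map that is used at interrupt time but is not on the "special" list (the mcl_map case) reaches a sleeping M_WAITOK allocation, while a map served from a boot-time pool (the mb_map treatment) never does. The intr_safe flag, the pool, and the spl counter are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the allocation path on the page, not FreeBSD code. */
#define M_WAITOK 0x0000   /* placeholder values; only NOWAIT vs WAITOK matters */
#define M_NOWAIT 0x0001
struct entry { struct entry *next; };
/* intr_safe (hypothetical flag) models the special case that keeps mb_map
 * away from malloc(): such maps take entries from a pool filled at boot. */
struct map { bool intr_safe; struct entry *pool; };
static int spl_level;   /* > 0 models "high spl" / interrupt context */
static int bad_sleeps;  /* M_WAITOK allocations attempted at high spl */
/* Modelled kernel malloc(): sleeping at high spl is the defect behind the
 * "M_NOWAIT malloc called at high spl" line in the trace. */
static struct entry *kmalloc_entry(int flags) {
    static struct entry heap;  /* one slot is enough for this model */
    if (spl_level > 0 && !(flags & M_NOWAIT)) {
        bad_sleeps++;   /* detection point: would have slept in an interrupt */
        return NULL;
    }
    return &heap;
}

/* Modelled vm_map_entry_create(): it always passes M_WAITOK, so the pool
 * fast path is the only protection for maps touched at interrupt time. */
static struct entry *map_entry_create(struct map *m) {
    if (!m->intr_safe)
        return kmalloc_entry(M_WAITOK);
    struct entry *e = m->pool;
    if (e) m->pool = e->next;
    return e;
}

/* One entry created from an interrupt handler (as edintr() did in the
 * trace); returns how many sleeping allocations that attempted. */
static int intr_alloc(struct map *m) {
    bad_sleeps = 0;
    spl_level = 1;
    (void)map_entry_create(m);
    spl_level = 0;
    return bad_sleeps;
}

/* As on the page: mcl_map is used from interrupts but not special-cased. */
int mcl_map_buggy(void) { struct map mcl = { false, NULL }; return intr_alloc(&mcl); }

/* The fix: treat mcl_map like mb_map and serve it from a boot-time pool. */
int mcl_map_fixed(void) {
    static struct entry pool[2] = { { &pool[1] }, { NULL } };
    struct map mcl = { true, pool };
    return intr_alloc(&mcl);
}
```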


