Date: 18 Mar 2002 04:26:40 +0100 From: Dag-Erling Smorgrav <des@ofug.org> To: Kris Kennaway <kris@obsecurity.org> Cc: current@FreeBSD.org, fs@FreeBSD.org, alfred@freebsd.org Subject: Re: panic: bwrite: buffer is not busy??? Message-ID: <xzpadt6r1xr.fsf@flood.ping.uio.no> In-Reply-To: <20020317124958.A34008@xor.obsecurity.org> References: <20020317124958.A34008@xor.obsecurity.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Kris Kennaway <kris@obsecurity.org> writes:
> #14 0xc0204b92 in _mtx_lock_sleep (m=0xc2f91f34, opts=0, file=0x0, line=0)
> at ../../../kern/kern_mutex.c:370
(kgdb) up 14
#14 0xc0204b92 in _mtx_lock_sleep (m=0xc2f91f34, opts=0, file=0x0, line=0)
at ../../../kern/kern_mutex.c:370
370 td1 = mtx_owner(m);
(kgdb) p *m
$1 = {mtx_object = {lo_class = 0x0, lo_name = 0x0, lo_flags = 0, lo_list = {
stqe_next = 0x0}, lo_witness = 0x0}, mtx_lock = 2, mtx_recurse = 0,
mtx_blocked = {tqh_first = 0x0, tqh_last = 0x0}, mtx_contested = {
le_next = 0x0, le_prev = 0x0}}
The mutex is uninitialized (destroyed, actually), because...
> #15 0xc024f55c in checkdirs (olddp=0xcf1814c0, newdp=0xcf1815a0) at ../../../kern/vfs_syscalls.c:457
(kgdb) up
#15 0xc024f55c in checkdirs (olddp=0xcf1814c0, newdp=0xcf1815a0)
at ../../../kern/vfs_syscalls.c:457
457 FILEDESC_LOCK(fdp);
(kgdb) p *fdp
$2 = {fd_ofiles = 0xc2f91200, fd_ofileflags = 0xc2f91f00 "", fd_cdir = 0x0,
fd_rdir = 0x0, fd_jdir = 0x0, fd_nfiles = 0, fd_lastfile = 0,
fd_freefile = -1024110592, fd_cmask = 0, fd_refcnt = 0, fd_knlistsize = 4,
fd_knlist = 0x11ffff, fd_knhashmask = 0, fd_knhash = 0xdb, fd_mtx = {
mtx_object = {lo_class = 0x0, lo_name = 0x0, lo_flags = 0, lo_list = {
stqe_next = 0x0}, lo_witness = 0x0}, mtx_lock = 2, mtx_recurse = 0,
mtx_blocked = {tqh_first = 0x0, tqh_last = 0x0}, mtx_contested = {
le_next = 0x0, le_prev = 0x0}}}
...the process has no open files at all, because...
(kgdb) p p->p_pid
$4 = 10099
(kgdb) p p->p_comm
$5 = "wc\000oot", '\000' <repeats 13 times>
(kgdb) p p->p_stat
$6 = 3
(kgdb) p/x p->p_flag
$7 = 0x6000
...it's exiting, and fdfree() has already run.
Solution: p->p_fd must be protected by p's proc lock; fdfree() must
set it to NULL immediately after freeing it; checkdirs() must lock
each process before examining its fd list.
Other problem spotted while investigating this: fdfree() can fail
silently; fdfree() should panic if fdp->fd_refcnt is non-zero.
DES
--
Dag-Erling Smorgrav - des@ofug.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzpadt6r1xr.fsf>