Date: Thu, 16 Jan 1997 03:41:38 +1100 From: Bruce Evans <bde@zeta.org.au> To: bde@zeta.org.au, dg@root.com Cc: bugs@FreeBSD.ORG, dyson@FreeBSD.ORG, wollman@FreeBSD.ORG Subject: Re: malloc(..., M_WAITOK) found harmful Message-ID: <199701151641.DAA29626@godzilla.zeta.org.au>
>>Here mbinit() calls m_clalloc() with the M_DONTWAIT flag and m_clalloc()
>>calls kmem_malloc() with the M_NOWAIT flag, but the flag is not passed
>>on to vm_map_insert() and vm_map_entry_create() eventually calls malloc()
>>with the M_WAITOK flag. vm_map_create() always uses M_WAITOK.
                                 entry_ (oops)
>
> Hmmm. I don't see how this can happen since the map is mb_map and
>vm_map_entry_create does special things in this case to make sure that
>malloc is NOT called. Please explain...

I was looking at the wrong function. Anyway, vm_map_entry_create()
certainly calls malloc() at a bad time. Here's a more interesting trace
with the same bug occurring much later after almost everything is
initialized:

....
setting ldconfig path: /usr/lib /usr/lib/compat /usr/X11R6/lib /usr/local/lib
standard daemons: inetd cron sendmailM_NOWAIT malloc called at high spl 0xc0020000
...
M_NOWAIT malloc called at high spl 0xc003849a
Debugger("")
Stopped at      _Debugger+0x36: movb    $0,_in_Debugger.94
db> t
_Debugger(f0119716,f01196ee,c003849a) at _Debugger+0x36
_malloc(24,1f,0,f0645000,f063ec80) at _malloc+0x16f
_vm_map_entry_create(f063ec80,f063ec80,f063ec84,1000,c0020000) at _vm_map_entry_create+0x164
_vm_map_insert(f063ec80,f0223084,685000,0,f0644000) at _vm_map_insert+0x1ec
_kmem_malloc(f063ec80,1000,1,f0791600,efbff9d0) at _kmem_malloc+0x10c
_m_clalloc(1,1) at _m_clalloc+0x2e
_ed_get_packet(f0226864,f00d3804,5ea,0,540) at _ed_get_packet+0xc7
_edintr_sc(f0226864,efbffabc,f01d115f,0,80000000) at _edintr_sc+0x373
_edintr(0,80000000,f0640010,efbf0010,f2b0d454) at _edintr+0x1a
Xresume15() at Xresume15+0x2b
--- interrupt, eip = 0xf01da2fa, ebp = 0xefbffabc ---
_generic_bcopy(efbffb18,efbffb9c,2000,efbffb14) at _generic_bcopy+0x1a
_nfs_readrpc(f094b500,efbffb9c,f08fc600,f28e74e0,f08fc600) at _nfs_readrpc+0x67a
_nfs_doio(f28e74e0,f08fc600,f0908a00,f28e74e0,2000) at _nfs_doio+0x167
_nfs_strategy(efbffc1c) at _nfs_strategy+0x61
_vnode_pager_leaf_getpages(f0959580,efbffd24,2,0,f0959580) at _vnode_pager_leaf_getpages+0x3c2
_vnode_pager_getpages(f0959580,efbffd24,2,0,2) at _vnode_pager_getpages+0x77
_vm_pager_get_pages(f0959580,efbffd24,2,0) at _vm_pager_get_pages+0x24
_vm_fault(f063ed80,f342d000,1,0,f0908a00) at _vm_fault+0x5b4
_trap_pfault(efbffda4,0,efbfff0c,f342d000,efbffe98) at _trap_pfault+0xc9
_trap(10,10,efbffe98,f342d000,efbffe0c) at _trap+0x298
alltraps_with_regs_pushed(efbffe98,f0908a00,f020eaf8,0,0) at alltraps_with_regs_pushed+0x33
_execve(f0908a00,efbfff94,efbfff84,18b74,ffffffff) at _execve+0x1c3
_syscall(efbf0027,27,18b8c,ffffffff,efbfdb48) at _syscall+0x185
_Xsyscall() at _Xsyscall+0x35
--- syscall 59, eip = 0x8064461, ebp = 0xefbfdb48 ---

Here m_clalloc(1, M_DONTWAIT) is called from a deeply nested interrupt
handler. vm_map_entry_create()'s arg is 0xf063ec80 == mcl_map, which is
not specially handled :-(. This has been broken since 1996/05/10 when
Garrett added mcl_map.

Bruce
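A user-space model of the call chain in the trace above, added here as an illustration; it is not code from FreeBSD or from Bruce's message. The function and map names (kmem_malloc, vm_map_insert, vm_map_entry_create, mb_map, mcl_map) mirror the trace, but their bodies are simplified stand-ins, the flag values, the `system_map` field, the `at_high_spl` state and the preallocated entry pool are assumptions, and the "fixed" variant (thread the caller's wait flag all the way down and treat every kernel submap the way mb_map is treated) is one way to close the hole, not the change FreeBSD actually made:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allocator flags; the values are an assumption for this model. */
#define M_WAITOK     0x0000
#define M_NOWAIT     0x0001
#define ENTRY_SIZE   32
#define POOL_ENTRIES 16

static int at_high_spl;   /* nonzero while "inside" an interrupt handler */
static int bad_sleeps;    /* blocking mallocs attempted at high spl */

struct vm_map {
    const char *name;
    int is_mb_map;        /* the buggy code special-cases only this map */
    int system_map;       /* the fixed code: any kernel submap */
};

/* Model of the kernel's general-purpose malloc(). Instead of sleeping it
 * records the violation, which is what the "M_NOWAIT malloc called at
 * high spl" check in the trace was complaining about. */
static void *k_malloc(size_t size, int flags)
{
    static unsigned char arena[4096];
    static size_t used;

    if (!(flags & M_NOWAIT) && at_high_spl) {
        bad_sleeps++;                 /* would block in interrupt context */
        return NULL;
    }
    if (used + size > sizeof arena)
        return NULL;
    used += size;
    return arena + used - size;
}

/* Preallocated map entries: the pool the real code keeps for mb_map. */
static void *pool_entry(void)
{
    static unsigned char pool[POOL_ENTRIES][ENTRY_SIZE];
    static int next;
    return pool[next++ % POOL_ENTRIES];
}

/* BUGGY model: the caller's flag is not even a parameter here, so the
 * only thing between an interrupt handler and a sleeping malloc() is the
 * mb_map special case. mcl_map is not special-cased. */
static void *vm_map_entry_create_buggy(struct vm_map *map)
{
    if (map->is_mb_map)
        return pool_entry();
    return k_malloc(ENTRY_SIZE, M_WAITOK);
}

static void *vm_map_insert_buggy(struct vm_map *map)
{
    return vm_map_entry_create_buggy(map);
}

void *kmem_malloc_buggy(struct vm_map *map, size_t size, int flags)
{
    (void)size;
    (void)flags;                      /* M_NOWAIT dropped on the floor */
    return vm_map_insert_buggy(map);
}

/* FIXED model: the flag travels the whole way down, and every kernel
 * submap uses the pool, so adding another submap cannot reintroduce the
 * bug. (Assumption: an illustration, not FreeBSD's actual patch.) */
static void *vm_map_entry_create_fixed(struct vm_map *map, int flags)
{
    if (map->system_map)
        return pool_entry();
    return k_malloc(ENTRY_SIZE, flags);
}

static void *vm_map_insert_fixed(struct vm_map *map, int flags)
{
    return vm_map_entry_create_fixed(map, flags);
}

void *kmem_malloc_fixed(struct vm_map *map, size_t size, int flags)
{
    (void)size;
    return vm_map_insert_fixed(map, flags);
}

/* Replay m_clalloc(1, M_DONTWAIT) from an interrupt handler (edintr ->
 * ed_get_packet in the trace) against the named map. Returns how many
 * forbidden blocking mallocs the allocation path attempted. */
int interrupt_clalloc(const char *mapname, int use_fixed)
{
    struct vm_map mb_map  = { "mb_map",  1, 1 };
    struct vm_map mcl_map = { "mcl_map", 0, 1 };
    struct vm_map *map = strcmp(mapname, "mb_map") == 0 ? &mb_map : &mcl_map;

    bad_sleeps = 0;
    at_high_spl = 1;
    if (use_fixed)
        kmem_malloc_fixed(map, 4096, M_NOWAIT);
    else
        kmem_malloc_buggy(map, 4096, M_NOWAIT);
    at_high_spl = 0;
    return bad_sleeps;
}

int main(void)
{
    printf("buggy, mb_map : %d bad sleeps\n", interrupt_clalloc("mb_map", 0));
    printf("buggy, mcl_map: %d bad sleeps\n", interrupt_clalloc("mcl_map", 0));
    printf("fixed, mcl_map: %d bad sleeps\n", interrupt_clalloc("mcl_map", 1));
    return 0;
}
```

With the buggy variant only mb_map escapes: the M_NOWAIT passed to kmem_malloc() never reaches vm_map_entry_create(), so mcl_map, exactly as in the trace, ends in a blocking malloc() at high spl. The fixed variant keys on a property every kernel submap carries rather than on one map's identity, which is the general lesson from a special case that was correct the day it was written and silently wrong after the next submap was added.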
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199701151641.DAA29626>