Date: Mon, 6 Aug 2018 12:43:06 -0700 From: Matthew Macy <mmacy@freebsd.org> To: Hans Petter Selasky <hps@selasky.org> Cc: Roman Bogorodskiy <novel@freebsd.org>, freebsd-current@freebsd.org Subject: Re: panic after ifioctl/if_clone_destroy Message-ID: <CAPrugNoivMkazen1R_5DkODaCYbL1dRoM9m1VEEmVDvMTW4Kmg@mail.gmail.com> In-Reply-To: <911d520a-4eb5-02b4-a119-3663a7537e6a@selasky.org> References: <20180805153556.GA1957@kloomba> <CAPrugNqVUoP0V8%2ByKTbCZgMoDu22xvCfUuga2LbKabjyi_=__A@mail.gmail.com> <a03803e6-5f1e-1960-c6a1-c7477f0ac9d4@selasky.org> <8acc8f27-29f2-d4c1-7473-f7053b14e7ad@selasky.org> <911d520a-4eb5-02b4-a119-3663a7537e6a@selasky.org>
next in thread | previous in thread | raw e-mail | index | archive | help
The struct thread is typesafe. The problem is that the link is no longer
typesafe now that it=E2=80=99s not part of the thread. Thanks for pointing =
this
out. I=E2=80=99ll commit a fix later today.
-M
On Mon, Aug 6, 2018 at 02:39 Hans Petter Selasky <hps@selasky.org> wrote:
> Hi Matthew,
>
> On 08/06/18 10:02, Hans Petter Selasky wrote:
> > - if ((tdwait =3D TAILQ_FIRST(&record->er_tdlist)) !=3D NUL=
L &&
> > - TD_IS_RUNNING(tdwait->et_td)) {
>
> At least the TD_IS_RUNNING() check is invalid. The "tdwait" structure is
> in the control of the other CPU and "tdwait->et_td" might be invalid at
> any time, so accessing any members here is not a good idea.
>
> It is pretty clear that the epoch was exited during the loop:
>
> etd->et_td =3D (void*)0xDEADBEEF;
>
> fault virtual address =3D 0xdeadc2ff
> fault code =3D supervisor read data, page not present
>
>
> If you remove the TD_IS_RUNNING() check I'm not sure how useful this
> loop will be ...
>
> --HPS
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPrugNoivMkazen1R_5DkODaCYbL1dRoM9m1VEEmVDvMTW4Kmg>