HEADS DOWN: MPSAFE TTY layer integrated

Tor Egge Tor.Egge at cvsup.no.freebsd.org
Wed Aug 27 20:03:02 UTC 2008 

> Well, that's all I've got to say for now, I guess. Be sure to update
> your systems and give my code some extensive testing. Thanks!

After updating userland and the kernel, my machine hung during boot,
running /etc/rc.d/serial2 (a local addition) that contained:

		  #!/bin/sh
		  
		  # PROVIDE: serial2
		  # REQUIRE: serial
		  # KEYWORD: FreeBSD
		  
		  # Lock clocal flag.
		  stty clocal < /dev/ttyu0.init
		  stty clocal < /dev/ttyu0.lock


Commenting out these stty settings allowed the machine to boot.

Running the stty commands manually in an xterm resulted in a crash:

stf0: bpf attached
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x8
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xa07412e7
stack pointer           = 0x28:0xdae65954
frame pointer           = 0x28:0xdae65974
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = resume, IOPL = 0
current process         = 1311 (bash)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 2m22s
Invoking shutdown_post_sync events
eventhandler_invoke("shutdown_post_sync")
eventhandler_invoke: executing 0xa047a5d0
eventhandler_invoke("shutdown_post_sync") done
Physical memory: 3058 MB
Dumping 107 MB: 92 76 60 44 28 12

(kgdb) where
#0  doadump () at pcpu.h:221
#1  0xa0707828 in boot (howto=260) at ../../../kern/kern_shutdown.c:466
#2  0xa0707bbd in panic (fmt=Variable "fmt" is not available.
) at ../../../kern/kern_shutdown.c:631
#3  0xa0a28323 in trap_fatal (frame=0xdae65914, eva=8)
    at ../../../i386/i386/trap.c:958
#4  0xa0a28cd1 in trap (frame=0xdae65914) at ../../../i386/i386/trap.c:335
#5  0xa0a0cddb in calltrap () at ../../../i386/i386/exception.s:171
#6  0xa07412e7 in propagate_priority (td=0xad298690)
    at ../../../kern/subr_turnstile.c:272
#7  0xa0742097 in turnstile_wait (ts=0xacb3aaf0, owner=0xad298690, queue=Variable "queue" is not available.
)
    at ../../../kern/subr_turnstile.c:737
#8  0xa06f9eee in _mtx_lock_sleep (m=0xacb4fe04, tid=2901798176, opts=0, 
    file=0x0, line=0) at ../../../kern/kern_mutex.c:414
#9  0xa0750f75 in ttyil_open (dev=0xacc79d00, oflags=1, devtype=8192, 
    td=0xacf5ed20) at ../../../kern/tty.c:668
#10 0xa066d2df in devfs_open (ap=0xdae65acc)
    at ../../../fs/devfs/devfs_vnops.c:881
#11 0xa0a3b2f2 in VOP_OPEN_APV (vop=0xa0b289c0, a=0xdae65acc) at vnode_if.c:371
#12 0xa07a0147 in vn_open_cred (ndp=0xdae65ba8, flagp=0xdae65c5c, cmode=420, 
    cred=0xad305a00, fp=0xacf26690) at vnode_if.h:196
#13 0xa07a0283 in vn_open (ndp=0xdae65ba8, flagp=0xdae65c5c, cmode=420, 
    fp=0xacf26690) at ../../../kern/vfs_vnops.c:96
#14 0xa079bd66 in kern_openat (td=0xacf5ed20, fd=-100, 
    path=0x812ed80 <Address 0x812ed80 out of bounds>, pathseg=UIO_USERSPACE, 
    flags=1, mode=438) at ../../../kern/vfs_syscalls.c:1069
#15 0xa079c235 in kern_open (td=0xacf5ed20, 
    path=0x812ed80 <Address 0x812ed80 out of bounds>, pathseg=UIO_USERSPACE, 
    flags=0, mode=438) at ../../../kern/vfs_syscalls.c:1023
#16 0xa079c2b0 in open (td=0xacf5ed20, uap=0xdae65cf8)
    at ../../../kern/vfs_syscalls.c:999
#17 0xa0a288c5 in syscall (frame=0xdae65d38) at ../../../i386/i386/trap.c:1105
#18 0xa0a0ce40 in Xint0x80_syscall () at ../../../i386/i386/exception.s:267
#19 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 6
#6  0xa07412e7 in propagate_priority (td=0xad298690)
    at ../../../kern/subr_turnstile.c:272
272                     if (!turnstile_adjust_thread(ts, td)) {
(kgdb) info locals
ts = (struct turnstile *) 0x0
pri = 128
(kgdb) print td
$1 = (struct thread *) 0xad298690
(kgdb) print td->td_blocked  
$2 = (struct turnstile *) 0x0
(kgdb) print td->td_proc->p_pid
$3 = 1298
(kgdb) print td->td_state
$4 = TDS_INACTIVE

i.e. the mutex lock owner had exited.


The problem seems to be caused by a bad return statement inside ttyil_ioctl()
for the TIOCSETA case.

- Tor Egge

-------------- next part --------------
Index: sys/kern/tty.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/tty.c,v
retrieving revision 1.284
diff -u -r1.284 tty.c
--- sys/kern/tty.c	22 Aug 2008 21:27:37 -0000	1.284
+++ sys/kern/tty.c	23 Aug 2008 22:00:31 -0000
@@ -709,7 +709,6 @@
 		if (error)
 			break;
 		bcopy(data, dev->si_drv2, sizeof(struct termios));
-		return (0);
 		break;
 	case TIOCGETD:
 		*(int *)data = TTYDISC;

More information about the freebsd-current mailing list