[Bug 293382] Dead lock and kernel crash around closefp_impl
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 293382] Dead lock and kernel crash around closefp_impl"
Date: Tue, 17 Mar 2026 19:16:15 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293382
--- Comment #17 from Konstantin Belousov <kib@FreeBSD.org> ---
(In reply to Paul from comment #16)
If believing the guessed location for kq, and there is a reason to believe
because the lock name looks right, it seems that the kq was drained/closed
in parallel with closing the fd. This might explain why the knote dereferenced
was garbage.
Besides trying the HEAD, you could try to apply the following rude patch.
If it helps, I might consider using a sentinel to resume iteration instead
of restarting from scratch, after the kq relock.
diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index e8e670d39d09..4bbd9063b6ef 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -2830,10 +2830,9 @@ knote_fdclose(struct thread *td, int fd)
* We shouldn't have to worry about new kevents appearing on fd
* since filedesc is locked.
*/
+again:
TAILQ_FOREACH(kq, &fdp->fd_kqlist, kq_list) {
KQ_LOCK(kq);
-
-again:
influx = 0;
while (kq->kq_knlistsize > fd &&
(kn = SLIST_FIRST(&kq->kq_knlist[fd])) != NULL) {
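Review bot: With `again:` moved above the `TAILQ_FOREACH`, every `goto again` now lands before `KQ_LOCK(kq)` instead of after it, and no jump site is adjusted in this hunk. A jump taken with the kq lock still held would try to take that lock a second time at the top of the loop, so each `goto again` path needs to release the lock before jumping. The comment above the label should also say that the walk of `fd_kqlist` restarts from the head because the kq may have been drained or closed across the relock, since that reasoning appears only in the message and not in the code.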