kern/79693: SMP: msleep and sleepq_broadcast race
Steven Sears
stevenjsears at yahoo.com
Fri Apr 8 12:50:36 PDT 2005
The following reply was made to PR kern/79693; it has been noted by GNATS.
From: Steven Sears <stevenjsears at yahoo.com>
To: bug-followup at FreeBSD.org
Cc:
Subject: Re: kern/79693: SMP: msleep and sleepq_broadcast race
Date: Fri, 8 Apr 2005 12:41:36 -0700 (PDT)
Found some inaccuracies in my original write-up, sorry about that. Here's an accurate account:

1. threadA calls msleep with PCATCH set
2. threadA acquires sleepq lock
3. threadA is queued on sleepq
4. threadA calls sleepq_catch_signals, which drops the sleepq lock
5. threadB calls wakeup on same identifier, which calls sleepq_broadcast
6. threadB grabs sleepq lock
7. threadB removes threadA from sleepq, which sets td->td_sleepqueue
8. threadB queues threadA to local temporary queue (list)
9. threadB drops sleepq lock
10. threadA calls sleepq_timedwait_sig, which calls sleepq_sleep and determines it has been woken up since td->td_sleepqueue != NULL
11. threadA returns from sleepq_switch, sleepq_timedwait_sig, msleep
12. threadA calls msleep with PCATCH set
13. threadA is queued on sleepq [CORRUPTION] Note threadA is still on sleepq_broadcast's local temporary queue (list). This results in threadA pointing back to itself on the sleepq.
14. threadA goes to sleep
15. threadB dequeues threadA from its local temporary queue (list) and schedules it.
16. goto 15
-Steve
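A constructed userland model of the interleaving described in the report, added here as an illustration; it is not code from the report or from FreeBSD's sleepqueue implementation. The queue, the thread structure and the sleepq_* helper names are simplified stand-ins, and td_sleepqueue is used only as the "woken" marker the steps describe. The model replays steps 1 through 13 twice: once with an add that blindly links the thread, and once with a membership check, to show that at step 13 threadA is still linked on threadB's local list and ends up on two queues at once (the model shows the double membership, not the exact self-pointer the report mentions).

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the interleaving in the report.  Illustration only:
 * the queue, the thread structure and the sleepq_* helpers are simplified
 * stand-ins, not FreeBSD's sleepqueue code.
 */
struct thread;

struct tq {                       /* a doubly linked queue of threads */
    struct thread *head, *tail;
};

struct thread {
    const char    *name;
    struct thread *next, *prev;   /* linkage, valid on one queue at a time */
    struct tq     *on_queue;      /* queue this thread is linked on, or NULL */
    struct tq     *td_sleepqueue; /* report's "woken" marker, set by the waker */
};

static void tq_append(struct tq *q, struct thread *td)
{
    td->next = NULL;
    td->prev = q->tail;
    if (q->tail) q->tail->next = td; else q->head = td;
    q->tail = td;
    td->on_queue = q;
}

static struct thread *tq_pop_head(struct tq *q)
{
    struct thread *td = q->head;
    if (!td) return NULL;
    q->head = td->next;
    if (q->head) q->head->prev = NULL; else q->tail = NULL;
    td->next = td->prev = NULL;
    td->on_queue = NULL;
    return td;
}

/* Steps 3 and 13: queue a sleeper.  The checked variant refuses a thread that
 * is still linked somewhere, which is threadA's state at step 13. */
static int sleepq_add(struct tq *sq, struct thread *td, int checked)
{
    if (checked && td->on_queue != NULL)
        return -1;                /* would be linked on two queues at once */
    tq_append(sq, td);
    td->td_sleepqueue = NULL;     /* sleeping: nobody has woken us yet */
    return 0;
}

/* Steps 6-9: the waker moves every sleeper to a local list, marking it woken. */
static void sleepq_broadcast_collect(struct tq *sq, struct tq *local)
{
    struct thread *td;
    while ((td = tq_pop_head(sq)) != NULL) {
        td->td_sleepqueue = sq;   /* "removes threadA ... sets td->td_sleepqueue" */
        tq_append(local, td);
    }
}

/* Step 10: the sleeper decides whether it was woken. */
static int sleepq_was_woken(const struct thread *td)
{
    return td->td_sleepqueue != NULL;
}

/* Every thread reachable from q must believe it is linked on q. */
int tq_is_consistent(const struct tq *q)
{
    for (const struct thread *td = q->head; td; td = td->next)
        if (td->on_queue != q)
            return 0;
    return 1;
}

/*
 * Replays steps 1-13.  Returns the result of the second sleepq_add (step 13):
 * -1 when the membership check catches the problem, 0 when the unchecked add
 * silently links threadA onto both queues.  *local_consistent reports whether
 * threadB's local list still agrees with the thread's own linkage afterwards.
 */
int replay_report(int checked, int *local_consistent)
{
    struct tq sleepq = {0}, local = {0};
    struct thread a = { .name = "threadA" };
    int rc;

    sleepq_add(&sleepq, &a, checked);          /* 1-3: threadA queued on sleepq */
    /* 4: threadA drops the sleepq lock in sleepq_catch_signals (not modelled) */
    sleepq_broadcast_collect(&sleepq, &local); /* 5-9: threadB moves A to local */
    if (!sleepq_was_woken(&a))                 /* 10: A sees td_sleepqueue != NULL */
        return -2;
    /* 11: A returns from msleep while still linked on threadB's local list */
    rc = sleepq_add(&sleepq, &a, checked);     /* 12-13: A calls msleep again */
    *local_consistent = tq_is_consistent(&local);
    return rc;
}

int replay_rc(int checked) { int c; return replay_report(checked, &c); }
int replay_local_consistent(int checked) { int c; replay_report(checked, &c); return c; }

int main(void)
{
    printf("unchecked add: rc=%d, local queue consistent=%d\n",
           replay_rc(0), replay_local_consistent(0));
    printf("checked add:   rc=%d, local queue consistent=%d\n",
           replay_rc(1), replay_local_consistent(1));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: the unchecked replay returns 0 but leaves threadB's local list inconsistent (threadA is reachable from it while believing it is on the sleepq), which is the state from which steps 14-16 loop; the checked replay refuses the step-13 add.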