panic (page fault) in poll (on pipe)
Brian F. Feldman
green at FreeBSD.org
Tue Feb 10 20:11:02 PST 2004
With Alfred's help, I think I've determined the send side of the socket not
calling selwakeup() is the problem. If there's a missing selwakeup{,pri}(),
then the object can be freed while it's still on the select/poll queues.
So far, I haven't had a crash, whereas mozilla, running multithreaded, with
libpthread on SMP, can otherwise cause it very quickly.
Index: uipc_socket.c
===================================================================
RCS file: /usr/ncvs/src/sys/kern/uipc_socket.c,v
retrieving revision 1.161
diff -u -r1.161 uipc_socket.c
--- uipc_socket.c 31 Jan 2004 10:40:23 -0000 1.161
+++ uipc_socket.c 11 Feb 2004 03:36:05 -0000
@@ -291,6 +291,7 @@
struct socket *so;
{
struct socket *head = so->so_head;
+ int s;
KASSERT(so->so_count == 0, ("socket %p so_count not 0", so));
@@ -314,6 +315,12 @@
so->so_state &= ~SS_INCOMP;
so->so_head = NULL;
}
+ so->so_snd.sb_flags |= SB_NOINTR;
+ (void)sblock(&so->so_snd, M_WAITOK);
+ s = splimp();
+ socantsendmore(so);
+ splx(s);
+ sbunlock(&so->so_snd);
sbrelease(&so->so_snd, so);
sorflush(so);
sodealloc(so);
--
Brian Fundakowski Feldman \'[ FreeBSD ]''''''''''\
<> green at FreeBSD.org \ The Power to Serve! \
Opinions expressed are my own. \,,,,,,,,,,,,,,,,,,,,,,\
More information about the freebsd-current
mailing list