panic caused by EVFILT_SIGNAL detaching in rfork()ed thread

Igor Sysoev is at rambler-co.ru
Wed Sep 1 03:45:09 PDT 2004


5.3-BETA2 may still panic as described in
http://freebsd.rambler.ru/bsdmail/freebsd-hackers_2004/msg02732.html

#0  doadump () at pcpu.h:159
#1  0xc05ffbf4 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:396
#2  0xc05fff13 in panic (fmt=0xc07bca72 "from debugger")
    at /usr/src/sys/kern/kern_shutdown.c:558
#3  0xc045fe89 in db_panic (addr=-1067481728, have_addr=0, count=-1,
    modif=0xeacfd92c "") at /usr/src/sys/ddb/db_command.c:435
#4  0xc045fe20 in db_command (last_cmdp=0xc0894604, cmd_table=0x0,
    aux_cmd_tablep=0xc08150d4, aux_cmd_tablep_end=0xc08150f0)
    at /usr/src/sys/ddb/db_command.c:349
#5  0xc045fee8 in db_command_loop () at /usr/src/sys/ddb/db_command.c:455
#6  0xc0461a4d in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
#7  0xc0616b03 in kdb_trap (type=12, code=0, tf=0x1)
    at /usr/src/sys/kern/subr_kdb.c:418
#8  0xc0787efd in trap_fatal (frame=0xeacfdac4, eva=28)
    at /usr/src/sys/i386/i386/trap.c:807
#9  0xc0787c5b in trap_pfault (frame=0xeacfdac4, usermode=0, eva=28)
    at /usr/src/sys/i386/i386/trap.c:730
#10 0xc07878a1 in trap (frame=
      {tf_fs = -1067319272, tf_es = -1064632304, tf_ds = -1010368496, tf_edi = -1065428340, tf_esi = 1502, tf_ebp = -355476720, tf_isp = -355476752, tf_ebx = 0, tf_edx = 4, tf_ecx = 2, tf_eax = -1013504780, tf_trapno = 12, tf_err = 0, tf_eip = -1067481728, tf_cs = 8, tf_eflags = 66118, tf_esp = -1008610988, tf_ss = 0}) at /usr/src/sys/i386/i386/trap.c:417
#11 0xc077631a in calltrap () at /usr/src/sys/i386/i386/exception.s:140
#12 0xc0620018 in removechild (parent=0x0, child=0x5de)
    at /usr/src/sys/kern/subr_witness.c:1443
#13 0xc05e86ab in knlist_remove_kq (knl=0xc39724f4, kn=0x0,
    knlislocked=-1065428340, kqislocked=0)
    at /usr/src/sys/kern/kern_event.c:1502
#14 0xc05e87b3 in knlist_remove (knl=0xc39724f4, kn=0xc3e1d154, islocked=0)
    at /usr/src/sys/kern/kern_event.c:1527
#15 0xc060451b in filt_sigdetach (kn=0x0) at /usr/src/sys/kern/kern_sig.c:2733
#16 0xc05e826a in kqueue_close (fp=0xc394ebb0, td=0xc3a22420)
    at /usr/src/sys/kern/kern_event.c:1372
#17 0xc05e5524 in fdrop_locked (fp=0xc394ebb0, td=0xc3a22420) at file.h:289
#18 0xc05e47b8 in fdrop (fp=0xc394ebb0, td=0xc3a22420)
    at /usr/src/sys/kern/kern_descrip.c:1897
#19 0xc05e478b in closef (fp=0xc394ebb0, td=0xc3a22420)
    at /usr/src/sys/kern/kern_descrip.c:1883
#20 0xc05e40e7 in fdfree (td=0xc3a22420)
    at /usr/src/sys/kern/kern_descrip.c:1610
#21 0xc05ea896 in exit1 (td=0xc3a22420, rv=0)
    at /usr/src/sys/kern/kern_exit.c:242
#22 0xc05ea494 in sys_exit (td=0xc3a22420, uap=0x0)
    at /usr/src/sys/kern/kern_exit.c:94
#23 0xc07881cf in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 2, tf_esi = 134873108, tf_ebp = -1077941784, tf_isp = -355476108, tf_ebx = 672658924, tf_edx = 10, tf_ecx = 672658608, tf_eax = 1, tf_trapno = 12, tf_err = 2, tf_eip = 672162923, tf_cs = 31, tf_eflags = 662, tf_esp = -1077941812, tf_ss = 47})
    at /usr/src/sys/i386/i386/trap.c:1004
#24 0xc077636f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:201

[ ... ]

(kgdb) fr 15
#15 0xc060451b in filt_sigdetach (kn=0x0) at /usr/src/sys/kern/kern_sig.c:2733
2733            knlist_remove(&p->p_klist, kn, 0);
(kgdb) down
#14 0xc05e87b3 in knlist_remove (knl=0xc39724f4, kn=0xc3e1d154, islocked=0)
    at /usr/src/sys/kern/kern_event.c:1527
1527            knlist_remove_kq(knl, kn, islocked, 0);
(kgdb) p *knl
$1 = {kl_lock = 0x0, kl_list = {slh_first = 0x0}}


However, I do not know whether it is safe to test !SLIST_EMPTY(&p->p_klist) in
filt_sigdetach(), because in 5.3-BETA2 kqueue uses its own mutex. Unfortunately,
I could not just now write a small test case to allow everyone to
reproduce the panic, but my user-level server always causes a panic on exit on
unpatched 5.x and sometimes on unpatched 4.10.


Igor Sysoev
http://sysoev.ru/en/
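The following is an added user-space model of what the kgdb dump above shows, not code from the report or from FreeBSD. Two things in the trace fit together: `p *knl` prints `kl_lock = 0x0` with an empty list, and `trap_pfault` in frame #9 reports `eva=28`. If `struct mtx` on 5.x/i386 is laid out as recalled below (a 28-byte `struct lock_object` followed by `mtx_lock`; an assumption to check against your tree), then offset 28 of address 0 is exactly what `KNL_LOCK(knl)` touches when `kl_lock` is NULL. The model then plays through one assumed ordering that leaves a knlist in that state: an rfork()ed process registers an EVFILT_SIGNAL knote on a kqueue that lives in a shared descriptor table, exits first, and the kqueue is only closed when the other process exits. That ordering is the editor's hypothesis, not something the message confirms. The `guarded` path is the `!SLIST_EMPTY` check the message asks about; the model is single-threaded, so it shows only that the check avoids the NULL lock in this sequence, and says nothing about the race of reading the list without the klist lock.

```c
/*
 * Added illustration of the knote/knlist lifecycle behind the backtrace
 * above. Not FreeBSD code: structures are stand-ins, the "lock" is a
 * pointer to an int, and the event ordering in run_scenario() is an
 * assumption, not something the report establishes.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fault address reported by trap_pfault in frame #9 (eva=28). */
#define REPORTED_EVA 28

/* struct mtx on FreeBSD 5.x/i386 as recalled from sys/_lock.h and
 * sys/_mutex.h (assumption; verify against your tree): a 28-byte
 * struct lock_object followed by mtx_lock. uint32_t fields reproduce
 * the ILP32 layout on any host. */
struct mtx_i386 {
    uint32_t lo_class, lo_name, lo_type;    /* three pointers            */
    uint32_t lo_flags;                      /* u_int                     */
    uint32_t lo_list_next, lo_list_prev;    /* TAILQ_ENTRY(lock_object)  */
    uint32_t lo_witness;                    /* struct witness *          */
    uint32_t mtx_lock;                      /* first field of the mutex proper */
};

size_t mtx_lock_offset_i386(void)
{
    return offsetof(struct mtx_i386, mtx_lock);   /* 28 under the layout above */
}

/* ---- stand-ins for the objects in frames #13 to #16 ---- */
struct knote;
struct knlist {
    int *kl_lock;            /* NULL after knlist_destroy, as in the dump */
    struct knote *kl_first;  /* SLIST head */
};
struct proc {
    int p_mtx;               /* the proc mutex the klist is initialised with */
    struct knlist p_klist;
};
struct knote {
    struct proc *kn_proc;    /* kn_ptr.p_proc: whose klist this knote hangs on */
    struct knote *kn_next;
};

static void knlist_init_m(struct knlist *knl, int *lock)
{
    knl->kl_lock = lock;
    knl->kl_first = NULL;
}

/* Leaves kl_lock NULL and the list empty: the state kgdb printed for *knl. */
static void knlist_destroy_m(struct knlist *knl)
{
    knl->kl_lock = NULL;
    knl->kl_first = NULL;
}

static void knlist_add_m(struct knlist *knl, struct knote *kn)
{
    kn->kn_next = knl->kl_first;
    knl->kl_first = kn;
}

/* Returns 0, or -1 where the kernel would take KNL_LOCK(knl) through a
 * NULL kl_lock, i.e. dereference offset 28 of address 0. */
static int knlist_remove_m(struct knlist *knl, struct knote *kn)
{
    struct knote **pp;
    if (knl->kl_lock == NULL)
        return -1;
    for (pp = &knl->kl_first; *pp != NULL; pp = &(*pp)->kn_next)
        if (*pp == kn) { *pp = kn->kn_next; break; }
    return 0;
}

/* filt_sigdetach as at kern_sig.c:2733 (guarded == 0), and the variant
 * with the !SLIST_EMPTY check the message asks about (guarded == 1). */
static int filt_sigdetach_m(struct knote *kn, int guarded)
{
    struct knlist *knl = &kn->kn_proc->p_klist;
    if (guarded && knl->kl_first == NULL)
        return 0;                      /* nothing to remove, lock never taken */
    return knlist_remove_m(knl, kn);
}

/* Assumed ordering (not confirmed by the report): processes a and b share
 * one fd table after rfork(), hence one kqueue. a registers an EVFILT_SIGNAL
 * knote, a exits first, and the shared kqueue is closed only when b exits.
 * Returns 0 if b's exit completes, -1 where the kernel would panic. */
int run_scenario(int guarded)
{
    struct proc a, b;
    struct knote kn;

    knlist_init_m(&a.p_klist, &a.p_mtx);
    knlist_init_m(&b.p_klist, &b.p_mtx);

    kn.kn_proc = &a;                   /* a: kevent(EVFILT_SIGNAL) -> filt_sigattach */
    knlist_add_m(&a.p_klist, &kn);

    knlist_destroy_m(&a.p_klist);      /* a exits; the knote survives in the shared kqueue */

    /* b: exit1 -> fdfree -> closef -> kqueue_close -> filt_sigdetach */
    return filt_sigdetach_m(&kn, guarded);
}

int main(void)
{
    printf("offsetof(struct mtx, mtx_lock) on i386 = %zu, reported eva = %d\n",
           mtx_lock_offset_i386(), REPORTED_EVA);
    printf("unguarded detach: %s\n", run_scenario(0) ? "panic" : "ok");
    printf("guarded detach:   %s\n", run_scenario(1) ? "panic" : "ok");
    return 0;
}
```

The model deliberately keeps the proc structure alive after its klist is destroyed; in the kernel the knote holds a bare `struct proc *`, so whether that memory is still the same process when `kqueue_close` runs is a separate question the dump does not answer.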

