Possible NULL pointer deref in sched_add() via maybe_preempt() and kse_release()

Julian Elischer julian at elischer.org
Wed Sep 15 10:46:56 PDT 2004

I have a patch  in

that fixes one possible source of this problem.

Robert Watson wrote:

>Got this today on an SMP box running mysql:
>kernel trap 12 with interrupts disabled
> Fatal trap 12: page fault while in kernel mode
>cpuid = 0; apic id = 00
>fault virtual address   = 0x150
>fault code              = supervisor read, page not present
>instruction pointer     = 0x8:0xc06224de
>stack pointer           = 0x10:0xef1b1b28
>frame pointer           = 0x10:0xef1b1b38
>code segment            = base 0x0, limit 0xfffff, type 0x1b
>                        = DPL 0, pres 1, def32 1, gran 1
>processor eflags        = resume, IOPL = 0
>current process         = 572 (mysqld)
>db> trace
>sched_add(0,3) at sched_add+0x16
>setrunqueue(c27867d0,3) at setrunqueue+0x15f
>sched_switch(c27867d0,c2a93af0,2) at sched_switch+0xf2
>mi_switch(2,c2a93af0,c2a93c44,c2a93af0,ef1b1bf4) at mi_switch+0x1b2
>maybe_preempt(c2a93af0) at maybe_preempt+0x93
>sched_add(c2a93af0,0) at sched_add+0x103
>setrunqueue(c2a93af0,0) at setrunqueue+0x15f
>turnstile_unpend(c2960c40,c2785c40,c27867d0,ef1b1c78,c062efdc) at
>_mtx_unlock_sleep(c2785cac,0,0,0) at _mtx_unlock_sleep+0x6c
>sleepq_catch_signals(c26f0c80,0,0,100,c2930260) at
>msleep(c26f0c80,c2785cac,168,c081471e,7f) at msleep+0x239
>kse_release(c27867d0,ef1b1d14,1,8a,206) at kse_release+0x237
>syscall(a89002f,830002f,bfa9002f,8304000,0) at syscall+0x283
>Xint0x80_syscall() at Xint0x80_syscall+0x1f
>--- syscall (383, FreeBSD ELF32, kse_release), eip = 0x2833aa1b, esp =
>0x8308f88, ebp = 0x8308fc4 ---
>db> show pcpu
>cpuid        = 0
>curthread    = 0xc27867d0: pid 572 "mysqld"
>curpcb       = 0xef1b1da0
>fpcurthread  = none
>idlethread   = 0xc2260960: pid 14 "idle: cpu0"
>APIC ID      = 0
>currentldt   = 0x30
>The source code here is probably about a day old; the panic occurred
>during a kernel build using an NFS-mounted source tree and local object
>tree.  MySQL should have been basically idle, since no clients were active
>or had been active recently, but no doubt it wakes up once in a while to
>do something.
>Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
>robert at fledge.watson.org      Principal Research Scientist, McAfee Research

More information about the freebsd-current mailing list