Subject: RE: kern/32631: Bad concurrency checking can cause a crash in sys
To: None <email@example.com>
From: None <Yves-Emmanuel.JUTARD@fr.thalesgroup.com>
Date: 01/26/2006 15:47:05
> Can you send a diff please?
Here it is. (I'm not used to diff, so I hope I send the proper thing.)
Based on subr_pool.c v188.8.131.52
diff subr_pool.c subr_pool_corrected.c
This fix has worked for me so far, but since I'm not a kernel expert, I may be missing some things. So be careful ;-)
The "unlock" near line 1047 should not be moved because 'pool_catchup' expect it to be set.
De : firstname.lastname@example.org [mailto:email@example.com]
Envoye : mercredi 25 janvier 2006 17:25
A : firstname.lastname@example.org; email@example.com;
Objet : Re: kern/32631: Bad concurrency checking can cause a crash in
The following reply was made to PR kern/32631; it has been noted by GNATS.
From: firstname.lastname@example.org (Christos Zoulas)
To: email@example.com, firstname.lastname@example.org,
Subject: Re: kern/32631: Bad concurrency checking can cause a crash in sys/kern/subr_pool.c
Date: Wed, 25 Jan 2006 11:22:24 -0500
On Jan 25, 4:05pm, email@example.com (firstname.lastname@example.org) wrote:
-- Subject: kern/32631: Bad concurrency checking can cause a crash in sys/ker
| >Number: 32631
| >Category: kern
| >Synopsis: Bad concurrency checking can cause a crash in sys/kern/subr_pool.c
| >Confidential: no
| >Severity: critical
| >Priority: medium
| >Responsible: kern-bug-people
| >State: open
| >Class: sw-bug
| >Submitter-Id: net
| >Arrival-Date: Wed Jan 25 16:05:01 +0000 2006
| >Originator: Yves-Emmanuel JUTARD
| >Release: 3.0.0
| THALES Communication
| custom environment : recompiled from /src, only some parts of NetBSD are used (TCP/IP stack and some parts of the kernel)
| in file sys/kern/subr_pool.c,v 184.108.40.206,
| in function 'pool_get' (l. 796)
| line 1038, pool_get can call "pool_catchup' on a 'entered' pool (pp, locked by 'pr_enter' at line 818)
| now, under specific conditions, pool_catchup(pp) can call pool_allocator_alloc(pp), which can call 'pool_reclaim(pp)' which call 'pr_enter(pp)', which fail and crash, since 'pp' is already entered !
| I have experienced crashes because of that, on our custom board with limited memory.
| Use NetBSD on a low mem system.
| The solution is to call 'pr_leave(pp)' just before calling 'pool_catchup(pp)' in pool_get.
| pr_leave(pp) is normally called AFTER the call to pool_catchup, line 1046.
| I suggest moving it BEFORE, line 1034.
| This is valid because we have finished manipulating the pool, so we can "leave" it peacefully.
| It works for me.
Can you send a diff please?