Context Navigation

#18927 closed bug (fixed)

Failed to acquire spinlock for a long time in UnixStreamEndpoint::Close

Reported by:	jmairboeck	Owned by:	nobody
Priority:	critical	Milestone:	R1/beta5
Component:	Network & Internet	Version:	R1/beta4
Keywords:		Cc:
Blocked By:		Blocking:
Platform:	All

Description (last modified by jmairboeck)

I just got this KDL when running the git tests with haikuporter (see https://github.com/haikuports/haikuports/pull/10649):

PANIC: acquire_spinlock(): Failed to acquire spinlock 0xffffffff82f0cd18 for a long time (last caller: 0x0000000000000000, value: deadbeef)
Welcome to Kernel Debugging Land...
Thread 68293 "pthread func" running on CPU 1
stack trace for thread 68293 "pthread func"
    kernel stack: 0xffffffff8a23c000 to 0xffffffff8a241000
      user stack: 0x00007f6d48355000 to 0x00007f6d48395000
frame                       caller             <image>:function + offset
 0 ffffffff8a240c40 (+  32) ffffffff8014ca60   <kernel_x86_64> arch_debug_call_with_fault_handler + 0x1a
 1 ffffffff8a240c60 (+  80) ffffffff800b48b8   <kernel_x86_64> debug_call_with_fault_handler + 0x78
 2 ffffffff8a240cb0 (+  96) ffffffff800b5f64   <kernel_x86_64> kernel_debugger_loop(char const*, char const*, __va_list_tag*, int) + 0xf4
 3 ffffffff8a240d10 (+  80) ffffffff800b62fe   <kernel_x86_64> kernel_debugger_internal(char const*, char const*, __va_list_tag*, int) + 0x6e
 4 ffffffff8a240d60 (+ 240) ffffffff800b6697   <kernel_x86_64> panic + 0xb7
 5 ffffffff8a240e50 (+  48) ffffffff80078755   <kernel_x86_64> acquire_spinlock + 0x105
 6 ffffffff8a240e80 (+  48) ffffffff8009ae57   <kernel_x86_64> _mutex_unlock + 0x27
 7 ffffffff8a240eb0 (+  64) ffffffff81f3c3e9   </boot/system/add-ons/kernel/network/protocols/unix> UnixStreamEndpoint::Close[clone .localalias] () + 0x149
 8 ffffffff8a240ef0 (+  48) ffffffff800ee8f9   <kernel_x86_64> close_fd_index + 0xa9
 9 ffffffff8a240f20 (+  16) ffffffff8014e63f   <kernel_x86_64> x86_64_syscall_entry + 0xfb
user iframe at 0xffffffff8a240f30 (end = 0xffffffff8a240ff8)
 rax 0x9e                  rbx 0x0                   rcx 0x9f11267c79
 rdx 0x1146ed9d4fe0        rsi 0x0                   rdi 0xc
 rbp 0x7f6d483940d0         r8 0x1146eda5ab70         r9 0x1146eda5ab70
 r10 0x1146eda644a0        r11 0x206                 r12 0x1146ed9f1d00
 r13 0x7f6d48394120        r14 0x1146ed9f1cc0        r15 0x1146ed9f1cc0
 rip 0x9f11267c79          rsp 0x7f6d483940b8     rflags 0x206
 vector: 0x63, error code: 0x0
10 ffffffff8a240f30 (+140109317222816) 0000009f11267c79   <libroot.so> _kern_close + 0x09
11 00007f6d483940d0 (+ 160) 00000134cbcf55aa   <test-tool> ipc_server_stop_async (nearest) + 0x32a
12 00007f6d48394170 (+  32) 0000009f11276538   <libroot.so> pthread_exit (nearest) + 0x38
13 00007f6d48394190 (+   0) 00007fffffdf7258   <commpage> commpage_thread_exit + 0x00
kdebug>

The current running test was t0052-simple-ipc.sh after ok 7 - sendbytes.

The KDL is not contiuable (it just results in the same KDL again).

Running hrev57800 x86_64 in VirtualBox.

Is this maybe related to #18535?

Change History (5)

comment:1 by jmairboeck, 5 months ago

Description:	modified (diff)

comment:2 by waddlesplash, 5 months ago

Component:	Network & Internet/TCP → Network & Internet
Milestone:	Unscheduled → R1/beta5
Owner:	changed from axeld to nobody
Priority:	normal → critical

Yes, this is a use-after-free.

comment:3 by waddlesplash, 5 months ago

jmairboeck reports that it didn't reproduce a second time.

comment:4 by waddlesplash, 3 months ago

I ran the particular testcase in a loop and managed to reproduce this within not too many runs.

comment:5 by waddlesplash, 3 months ago

Resolution:	→ fixed
Status:	new → closed

Fixed in hrev58032 +beta5.

Note: See TracTickets for help on using tickets.

Download in other formats: