Date: Wed, 17 Sep 2008 20:16:33 +0400 (MSD)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Reply-To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] fix race in sys/dev/kbdmux/kbdmux.c
X-Send-Pr-Version: 3.113
X-GNATS-Notify: ed@freebsd.org, emax@freebsd.org

>Number:         127446
>Category:       kern
>Synopsis:       [kbdmux] [patch] fix race in sys/dev/kbdmux/kbdmux.c
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    emax
>State:          patched
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 17 16:20:02 UTC 2008
>Closed-Date:    
>Last-Modified:  Mon Dec 15 15:00:12 UTC 2008
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD XXX 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #55: Wed Sep 17 19:57:25 MSD 2008 root@XXX:/usr/src/sys/amd64/compile/XXX amd64

CVSupped system yesterday late in the evening (around 17:00 UTC).

>Description:

Since kbdmux(4) is not MPSAFE now, its interrupt routines are running
under Giant.  But there is kbdmux_read_char() routine that runs unlocked
and can race with the interrupt handler.  When there is no input data
in the keyboard queue and kbdmux(4) is in the POLLING mode, routine will
try to poll each mux member for the scancode.  And if user presses the
key at that time, KBDMUX_READ_CHAR() can race with the interrupt handler
kbdmux_kbd_event() since we don't lock polling loop.

>How-To-Repeat:

I see this on my laptop: sometimes during boot, when system asks me for
the password of geli(8)-encrypted volume, it doubles the symbols or even
panics.  I don't see this on the other systems, so perhaps my laptop is
just so lucky ;))

But one can try to enable echoing of the input symbols during the geli's
bootup password dialog (setting g_eli_visible_passphrase to 1
unconditionally) and maybe symbols will be doubled.  I see this issue
only during boot-up phase, but I feel that this is due to the fact that
for the rest of the system's operation only interrupt handler is
working, at least I see it from the debug printf()s.

>Fix:

The following patch fixes the things for me.  It just acquires Giant for
the time of polling.  I did a limited testing at my systems and there
were no signs of regressions yet.

Seems like in the properly locked situation (with non-dummy KBDMUX_LOCK
and KBDMUX_UNLOCK) this issue will vanish, so I had conditionalized
Giant grabbing.

--- kbdmux-read-race.patch begins here ---
--- sys/dev/kbdmux/kbdmux.c.orig	2008-09-17 10:41:00.000000000 +0400
+++ sys/dev/kbdmux/kbdmux.c	2008-09-17 19:52:00.000000000 +0400
@@ -79,6 +79,10 @@
  */
 
 #if 0 /* not yet */
+#define KBDMUX_LOCK_POLLER(dummy)
+
+#define KBDMUX_UNLOCK_POLLER(dummy)
+
 #define KBDMUX_LOCK_DECL_GLOBAL \
 	struct mtx ks_lock
 #define KBDMUX_LOCK_INIT(s) \
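Review bot: the two new poller macros in the `#if 0` (real mutex) branch expand to nothing and carry no comment saying why, so once that branch is enabled the polling loop loses the protection this patch adds unless the per-softc `ks_lock` already covers it. State that dependency in a comment, or define them in terms of KBDMUX_LOCK(s), so the assumption is visible to whoever turns the real locking on.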
@@ -98,6 +102,10 @@
 #define KBDMUX_QUEUE_INTR(s) \
 	taskqueue_enqueue(taskqueue_swi_giant, &(s)->ks_task)
 #else
+#define	KBDMUX_LOCK_POLLER(dummy) \
+	mtx_lock(&Giant)
+#define	KBDMUX_UNLOCK_POLLER(dummy) \
+	mtx_unlock(&Giant)
 #define KBDMUX_LOCK_DECL_GLOBAL
 
 #define KBDMUX_LOCK_INIT(s)
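Review bot: `KBDMUX_LOCK_POLLER(dummy)` declares a parameter, but the call sites in the later hunk pass none (`KBDMUX_LOCK_POLLER();`), while the neighbouring macros all take the softc as `(s)`. Taking `(s)` and calling it with `state` keeps the interface uniform and lets the `#if 0` branch switch to a per-device mutex without touching callers. The `#define` followed by a tab here also differs from the `#define` followed by a space used in the first hunk.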
@@ -661,6 +669,14 @@
 		if (state->ks_flags & POLLING) {
 			kbdmux_kbd_t	*k;
 
+			/*
+			 * Grab Giant: we don't want to race with
+			 * the keyboard interrupt handler.  And this
+			 * can happen, because when a key will be
+			 * pressed, our READ_CHAR will be competing
+			 * with the kbdmux_kbd_event()'s one.
+			 */
+			KBDMUX_LOCK_POLLER();
 			SLIST_FOREACH(k, &state->ks_kbds, next) {
 				while (KBDMUX_CHECK_CHAR(k->kbd)) {
 					scancode = KBDMUX_READ_CHAR(k->kbd, 0);
@@ -674,6 +690,7 @@
 					putc(scancode, &state->ks_inq);
 				}
 			}
+			KBDMUX_UNLOCK_POLLER();
 
 			if (state->ks_inq.c_cc > 0)
 				goto next_code;
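Review bot: `state->ks_inq.c_cc` is tested right after `KBDMUX_UNLOCK_POLLER()`, so the queue that the locked loop fills with `putc(scancode, &state->ks_inq)` is read again without the lock. If kbdmux_kbd_event() appends to the same queue, keep the check and the `goto next_code` decision under the lock, or add a comment explaining why reading the count unlocked is safe.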
--- kbdmux-read-race.patch ends here ---
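
A simplified user-space model of the check-then-read race described in the submission above, added here as an illustration; it is not code from the PR or from kbdmux.c. The FIFO, the two-step actors, the `owner` lock variable and the `P`/`I` schedule strings are constructed, and the model only shows a read landing on an already drained device, not the exact kernel failure.

```c
#include <stdio.h>
#include <string.h>

#define NOKEY 0x100   /* "no key" value, as named later in this thread */

/* Constructed model of one mux member: a FIFO of pending scancodes. */
struct dev { int fifo[8]; int head, tail; };

static int check_char(const struct dev *d) { return d->head != d->tail; }

static int read_char(struct dev *d)
{
    return check_char(d) ? d->fifo[d->head++] : NOKEY;
}

/* Each actor runs "if (check_char) read_char" as two separate steps. */
struct actor { int checked; int keys; int stale; };

struct result { int poller_keys; int intr_keys; int stale_reads; };

/* Advance one actor by one step.  'owner' models the lock: -1 is free. */
static void step(struct actor *a, int me, struct dev *d, int *owner,
                 int use_lock)
{
    if (!a->checked) {
        if (use_lock) {
            if (*owner != -1 && *owner != me)
                return;             /* blocked: other side holds the lock */
            *owner = me;
        }
        a->checked = check_char(d);
        if (!a->checked && use_lock)
            *owner = -1;            /* nothing pending: drop the lock */
        return;
    }
    /* Second step: act on the result of the earlier check. */
    if (read_char(d) == NOKEY)
        a->stale++;                 /* device was drained in between */
    else
        a->keys++;
    a->checked = 0;
    if (use_lock)
        *owner = -1;
}

/*
 * Run a constructed schedule: 'P' steps the poller, 'I' steps the
 * interrupt handler.  nkeys scancodes are pending at the start.
 */
struct result run_schedule(const char *schedule, int nkeys, int use_lock)
{
    struct dev d;
    struct actor poller = {0, 0, 0}, intr = {0, 0, 0};
    struct result r;
    int owner = -1;
    int i;

    memset(&d, 0, sizeof(d));
    for (i = 0; i < nkeys && i < 8; i++)
        d.fifo[d.tail++] = 0x1e + i;    /* constructed scancodes */

    for (; *schedule != '\0'; schedule++) {
        if (*schedule == 'P')
            step(&poller, 0, &d, &owner, use_lock);
        else if (*schedule == 'I')
            step(&intr, 1, &d, &owner, use_lock);
    }
    r.poller_keys = poller.keys;
    r.intr_keys = intr.keys;
    r.stale_reads = poller.stale + intr.stale;
    return r;
}

int main(void)
{
    struct result u = run_schedule("PIPI", 1, 0);
    struct result l = run_schedule("PIPI", 1, 1);

    printf("unlocked: poller=%d intr=%d stale=%d\n",
           u.poller_keys, u.intr_keys, u.stale_reads);
    printf("locked:   poller=%d intr=%d stale=%d\n",
           l.poller_keys, l.intr_keys, l.stale_reads);
    return 0;
}
```
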
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->emax 
Responsible-Changed-By: emax 
Responsible-Changed-When: Wed Sep 17 16:58:04 UTC 2008 
Responsible-Changed-Why:  

i will take a look at it 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127446 

From: linimon@lonesome.com (Mark Linimon)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/127446: [patch] fix race in sys/dev/kbdmux/kbdmux.c
Date: Wed, 17 Sep 2008 22:22:34 -0500

 ----- Forwarded message from Eygene Ryabinkin <rea-fbsd@codelabs.ru> -----
 
 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
 To: Maksim Yevmenkin <maksim.yevmenkin@gmail.com>
 Cc: rik@freebsd.org, hackers@freebsd.org
 Subject: Re: kern/127446: [patch] fix race in sys/dev/kbdmux/kbdmux.c
 
 Maxim, good day.
 
 Cc'ing this discussion to hackers@ -- I was just going to write
 the separate letter on this topic to the list.
 
 Wed, Sep 17, 2008 at 09:56:14AM -0700, Maksim Yevmenkin wrote:
 > have you tried to simply set KBDMUX_LOCK/UNLOCK() to
 > mtx_lock/unlock(&Giant) ?
 
 Since kbdmux callout is initialized as non-MPSAFE, this will result in
 double locking the Giant (at least I see it from the code).  I am not
 sure that this is very good -- had not yet verified that Giant is
 recursive.
 
 Can try it tomorrow.
 
 Since you had written the code and #if 0'ed the locking part, may I ask,
 why?  Are there any known issues or it was just not very good to
 introduce locking at that time (rev. 1.1, 3 years ago)?
 
 Thanks!
 
 -- 
 Eygene
  _                ___       _.--.   #
  \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
  /  ' `         ,       __.--'      #  to read the on-line manual   
  )/' _/     \   `-_,   /            #  while single-stepping the kernel.
  `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
      _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook 
     {_.-``-'         {_/            #
 
 
 
 ----- End forwarded message -----

From: linimon@lonesome.com (Mark Linimon)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/127446: [patch] fix race in sys/dev/kbdmux/kbdmux.c
Date: Wed, 17 Sep 2008 22:24:14 -0500

 ----- Forwarded message from Maksim Yevmenkin <maksim.yevmenkin@gmail.com> -----
 
 From: Maksim Yevmenkin <maksim.yevmenkin@gmail.com>
 To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
 Cc: rik@freebsd.org, hackers@freebsd.org
 Subject: Re: kern/127446: [patch] fix race in sys/dev/kbdmux/kbdmux.c
 
 > Since kbdmux callout is initialized as non-MPSAFE, this will result in
 >  double locking the Giant (at least I see it from the code).  I am not
 >  sure that this is very good -- had not yet verified that Giant is
 >  recursive.
 
 yes, giant is recursive. i think it should be fine for now (and yes, i
 agree, its not very clean)
 
 >  Can try it tomorrow.
 
 thanks
 
 >  Since you had written the code and #if 0'ed the locking part, may I ask,
 >  why?  Are there any known issues or it was just not very good to
 >  introduce locking at that time (rev. 1.1, 3 years ago)?
 
 because i did not want to touch every single keyboard driver, keyboard
 subsystem and syscons :) back then. since kbdmux is pretty much
 keyboard driver it was easier to leave it under giant locking.
 
 thanks,
 max
 
 ----- End forwarded message -----

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Maksim Yevmenkin <maksim.yevmenkin@gmail.com>
Cc: hackers@freebsd.org, rik@freebsd.org, bug-followup@freebsd.org
Subject: Re: kern/127446: [patch] fix race in sys/dev/kbdmux/kbdmux.c
Date: Thu, 18 Sep 2008 11:10:17 +0400

 --RwxaKO075aXzzOz0
 Content-Type: text/plain; charset=koi8-r
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 Maksim, good day.
 
 Wed, Sep 17, 2008 at 10:52:15AM -0700, Maksim Yevmenkin wrote:
 > yes, giant is recursive. i think it should be fine for now (and yes, i
 > agree, its not very clean)
 
 OK, I had tried substituting KBDMUX_LOCK/UNLOCK with Giant operations --
 it works as expected.  I am slightly concerned with the fact that, for
 example, kbdmux_kbd_event() will grab Giant for some more time than the
 initial version that protects only polling loop.
 
 Probably it is not a big concern: the call chain from syscons's cngetc()
 (via cncheckc(), syscons->cn_getc() == sc_cngetc(), sccngetch(),
 scgetc() and kbd_read_char()) to the kbdmux_read_char() is the only code
 path that is not protected by Giant, being called from the kernel
 directly:
 
 - user-level code is notified about key presses by syscons that signals
   tty layer about key press from sckbdevent();
 
 - no other kbdmux routine seems to be called without being
   Giant-protected (at least, I see no parts that can race with the
   low-level keyboard events).
 
 So the typical overhead of mangling with Giant at KBDMUX_{LOCK,UNLOCK}
 is only in extra calls to the _mtx_lock_flags/_mtx_unlock_flags.  The
 only extra code that will hold Giant for a longer time is the kernel's
 interactive input routines, but their performance is user-bounded ;))
 
 There is one interesting question: I assume that clock interrupts are
 lost when Giant is held?  If so, then holding Giant for some extra time
 upon system's initialization when kernel waits for user input will
 enable the system to drop bigger amounts of clock interrupts -- I assume
 that the code in kbdmux_read_char() that translates the scancode takes
 the biggest amount of run-time compared to the polling loop.  Sure, the
 overhead will be added just for the typed characters -- when there is no
 input, overhead is rather small.
 
 May be this will not lead to any bad (or visible/measurable)
 consequences -- can't tell now.
 -- 
 Eygene
 
 --RwxaKO075aXzzOz0--

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Maksim Yevmenkin <maksim.yevmenkin@gmail.com>
Cc: hackers@freebsd.org, rik@freebsd.org, bug-followup@freebsd.org
Subject: Re: kern/127446: [patch] fix race in sys/dev/kbdmux/kbdmux.c
Date: Thu, 18 Sep 2008 13:15:10 +0400

 --Osvg0bgWkLaeQPMj
 Content-Type: text/plain; charset=koi8-r
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 Me again.
 
 Thu, Sep 18, 2008 at 11:10:17AM +0400, Eygene Ryabinkin wrote:
 > OK, I had tried substituting KBDMUX_LOCK/UNLOCK with Giant operations --
 > it works as expected.
 
 Tried my initial patch on some 7.0-PRERELEASE -- it locks keyboard when
 geli asks for the password.  Had not much time to dig it out, will try
 to do it as soon as I can.  Substituting KBDMUX_LOCK/UNLOCK with Giant
 locking helps even on this FreeBSD version.
 
 More testing needed, may be there are some other issues that aren't
 revealing themselves...
 -- 
 Eygene
 
 --Osvg0bgWkLaeQPMj--

From: "Maksim Yevmenkin" <maksim.yevmenkin@gmail.com>
To: "Eygene Ryabinkin" <rea-fbsd@codelabs.ru>
Cc: current@freebsd.org, rik@freebsd.org, bug-followup@freebsd.org
Subject: Re: kern/127446: [patch] fix race in sys/dev/kbdmux/kbdmux.c
Date: Fri, 19 Sep 2008 09:20:41 -0700

 [moving to -current]
 
 On 9/18/08, Eygene Ryabinkin <rea-fbsd@codelabs.ru> wrote:
 > Me again.
 >
 >
 >  Thu, Sep 18, 2008 at 11:10:17AM +0400, Eygene Ryabinkin wrote:
 >  > OK, I had tried substituting KBDMUX_LOCK/UNLOCK with Giant operations --
 >  > it works as expected.
 >
 >
 > Tried my initial patch on some 7.0-PRERELEASE -- it locks keyboard when
 >  geli asks for the password.  Had not much time to dig it out, will try
 >  to do it as soon as I can.  Substituting KBDMUX_LOCK/UNLOCK with Giant
 >  locking helps even on this FreeBSD version.
 >
 >  More testing needed, may be there are some other issues that aren't
 >  revealing themselves...
 
 did you have a chance to do some testing? i tried substituting
 KBDMUX_LOCK/UNLOCK with Giant locking here locally and played with a
 couple of keyboards under X and console. no apparent issues or witness
 complains.
 
 would it be ok for me to commit this?
 
 --- kbdmux.c.orig       2008-07-29 14:21:20.000000000 -0700
 +++ kbdmux.c    2008-09-19 09:02:54.000000000 -0700
 @@ -104,9 +104,11 @@
 
  #define KBDMUX_LOCK_DESTROY(s)
 
 -#define KBDMUX_LOCK(s)
 +#define KBDMUX_LOCK(s) \
 +       mtx_lock(&Giant)
 
 -#define KBDMUX_UNLOCK(s)
 +#define KBDMUX_UNLOCK(s) \
 +       mtx_unlock(&Giant)
 
  #define KBDMUX_LOCK_ASSERT(s, w)
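Review bot: `KBDMUX_LOCK_ASSERT(s, w)` is left empty although KBDMUX_LOCK/UNLOCK now take Giant, so callers that must hold the lock are still unchecked. Defining it as `mtx_assert(&Giant, w)` would let INVARIANTS kernels catch unlocked entry points such as the polling path this PR is about. A short comment that `s` is unused and that recursion on Giant is relied upon would also help.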
 
 thanks,
 max

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/127446: commit references a PR
Date: Mon, 22 Sep 2008 22:09:05 +0000 (UTC)

 emax        2008-09-22 22:08:43 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/dev/kbdmux       kbdmux.c 
   Log:
   SVN rev 183283 on 2008-09-22 22:08:43Z by emax
   
   Use Giant for kbdmux(4) locking. This is to workaround the problem
   where interrupt handlers may race with kbdmux(4) in polling mode.
   
   PR:             kern/127446
   Reported by:    Eygene Ryabinkin rea-fbsd at codelabs dot ru
   Tested by:      Eygene Ryabinkin rea-fbsd at codelabs dot ru
   MFC after:      1 week
   
   Revision  Changes    Path
   1.18      +4 -4      src/sys/dev/kbdmux/kbdmux.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Maksim Yevmenkin <maksim.yevmenkin@gmail.com>
Cc: current@freebsd.org, rik@freebsd.org, bug-followup@freebsd.org,
	ed@freebsd.org
Subject: Re: kern/127446: [patch] fix race in sys/dev/kbdmux/kbdmux.c
Date: Tue, 23 Sep 2008 12:28:24 +0400

 --Nx8xdmI2KD3LNVVP
 Content-Type: multipart/mixed; boundary="Vy6UCbb9EK60RK4A"
 Content-Disposition: inline
 
 
 --Vy6UCbb9EK60RK4A
 Content-Type: text/plain; charset=koi8-r
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 Maksim, good day.
 
 Fri, Sep 19, 2008 at 09:20:41AM -0700, Maksim Yevmenkin wrote:
 > > Tried my initial patch on some 7.0-PRERELEASE -- it locks keyboard when
 > >  geli asks for the password.  Had not much time to dig it out, will try
 > >  to do it as soon as I can.  Substituting KBDMUX_LOCK/UNLOCK with Giant
 > >  locking helps even on this FreeBSD version.
 > >
 > >  More testing needed, may be there are some other issues that aren't
 > >  revealing themselves...
 >
 > did you have a chance to do some testing? i tried substituting
 > KBDMUX_LOCK/UNLOCK with Giant locking here locally and played with a
 > couple of keyboards under X and console. no apparent issues or witness
 > complains.
 
 Sorry for being a bit slow, but I have good news: another race was found
 and patched.  Now it is in the syscons code: high-level procedures are
 racing with sckbdevent(): on my (magical ;))) notebook scgetc() from
 syscons.c got the right key, but on return to sccngetch() the code was
 substituted with 0x100 (NOKEY) and scancode was effectively thrown out.
 
 So what I had seen was not the keyboard lock, but just the visual effect
 of it.
 
 Since syscons.c has some splx()/spltty() calls still hanging around and
 comments are saying that these are to protect from the sckbdevent() and
 scrn_timer().  I had wrapped these procedures with Giant operations.
 There is one suspicious function, scstart(): I had not touched it, but
 may be it should also be protected with some kind of lock.
 
 The attached patch does this.  I did some limited testing for it: still
 continuing to do it on all available systems.
 
 > would it be ok for me to commit this?
 >=20
 > --- kbdmux.c.orig       2008-07-29 14:21:20.000000000 -0700
 > +++ kbdmux.c    2008-09-19 09:02:54.000000000 -0700
 > @@ -104,9 +104,11 @@
 >=20
 >  #define KBDMUX_LOCK_DESTROY(s)
 >=20
 > -#define KBDMUX_LOCK(s)
 > +#define KBDMUX_LOCK(s) \
 > +       mtx_lock(&Giant)
 >=20
 > -#define KBDMUX_UNLOCK(s)
 > +#define KBDMUX_UNLOCK(s) \
 > +       mtx_unlock(&Giant)
 >=20
 >  #define KBDMUX_LOCK_ASSERT(s, w)
 
 Yes, I think it will be fine -- I have no issues with this patch.
 Although now I am testing the new patch together with my old one.
 Will try to roll this patch on some systems too.
 
 Thanks!
 -- 
 Eygene
 
 --Vy6UCbb9EK60RK4A
 Content-Type: text/x-diff; charset=koi8-r
 Content-Disposition: attachment; filename="syscons-read-race.patch"
 Content-Transfer-Encoding: quoted-printable
 
 Avoids races of high-level syscons code with the sckbdevent handler.
 
 --- sys/dev/syscons/syscons.c.orig	2008-09-23 11:46:45.000000000 +0400
 +++ sys/dev/syscons/syscons.c	2008-09-23 12:16:32.000000000 +0400
 @@ -1569,7 +1569,9 @@
      scp->ts =3D save;
 =20
      s =3D spltty();	/* block sckbdevent and scrn_timer */
 +    mtx_lock(&Giant);
      sccnupdate(scp);
 +    mtx_unlock(&Giant);
      splx(s);
  }
 =20
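Review bot: Giant is taken around `sccnupdate(scp)` inside the existing `spltty()` section with no comment on why this path needs it, and the submitter's follow-up in this thread reports that this locking was redundant and that WITNESS objected to it. Drop this hunk, as the later revision of the patch does.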
 @@ -1590,6 +1592,7 @@
      int s =3D spltty();	/* block sckbdevent and scrn_timer while we poll */
      int c;
 =20
 +    mtx_lock(&Giant);
      /* assert(sc_console !=3D NULL) */
 =20
      /*=20
 @@ -1601,11 +1604,13 @@
      sccnupdate(scp);
 =20
      if (fkeycp < fkey.len) {
 +	mtx_unlock(&Giant);
  	splx(s);
  	return fkey.str[fkeycp++];
      }
 =20
      if (scp->sc->kbd =3D=3D NULL) {
 +	mtx_unlock(&Giant);
  	splx(s);
  	return -1;
      }
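Review bot: both early returns now repeat `mtx_unlock(&Giant); splx(s);`, and together with the final exit that makes three places that must stay in sync. A single `out:` label that unlocks and calls `splx(s)` would keep the lock/unlock pairing in one place. Note also that `fkey.str[fkeycp++]` is evaluated after the unlock, which is fine only if `fkey` and `fkeycp` are private to this function.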
 @@ -1628,6 +1633,7 @@
      scp->kbd_mode =3D cur_mode;
      kbd_ioctl(scp->sc->kbd, KDSKBMODE, (caddr_t)&scp->kbd_mode);
      kbd_disable(scp->sc->kbd);
 +    mtx_unlock(&Giant);
      splx(s);
 =20
      switch (KEYFLAGS(c)) {
 
 --Vy6UCbb9EK60RK4A--
 
 --Nx8xdmI2KD3LNVVP--

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Maksim Yevmenkin <maksim.yevmenkin@gmail.com>
Cc: rik@freebsd.org, ed@freebsd.org, current@freebsd.org,
	bug-followup@freebsd.org
Subject: Re: kern/127446: [patch] fix race in sys/dev/kbdmux/kbdmux.c
Date: Tue, 23 Sep 2008 13:09:03 +0400

 --pkBzO0lo80FoaZii
 Content-Type: text/plain; charset=koi8-r
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 Me again.
 
 Tue, Sep 23, 2008 at 12:28:24PM +0400, Eygene Ryabinkin wrote:
 > The attached patch does this.  I did some limited testing for it: still
 > continuing to do it on all available systems.
 
 New patch works on 7.0 and 7.0-PRERELEASE, but currently hangs my
 7.1-PRERELEASE just before activation of the single-user mode.  I am
 investigating -- I did the original patch for the syscons.c 1.453.2.1.
 Changes in 1.453.2.2 look innocently, but 1.453.2.3 changed some
 functionality, may be it is the culprit.  Will inform on my findings.
 -- 
 Eygene
 
 --pkBzO0lo80FoaZii--

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Maksim Yevmenkin <maksim.yevmenkin@gmail.com>
Cc: rik@freebsd.org, ed@freebsd.org, current@freebsd.org,
	bug-followup@freebsd.org
Subject: Re: kern/127446: [patch] fix race in sys/dev/kbdmux/kbdmux.c
Date: Tue, 23 Sep 2008 14:02:50 +0400

 --OwLcNYc0lM97+oe1
 Content-Type: multipart/mixed; boundary="5vNYLRcllDrimb99"
 Content-Disposition: inline
 
 
 --5vNYLRcllDrimb99
 Content-Type: text/plain; charset=koi8-r
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 Tue, Sep 23, 2008 at 01:09:03PM +0400, Eygene Ryabinkin wrote:
 > New patch works on 7.0 and 7.0-PRERELEASE, but currently hangs my
 > 7.1-PRERELEASE just before activation of the single-user mode.  I am
 > investigating -- I did the original patch for the syscons.c 1.453.2.1.
 > Changes in 1.453.2.2 look innocently, but 1.453.2.3 changed some
 > functionality, may be it is the culprit.  Will inform on my findings.
 
 It turned out that locking inside sc_cnputc() was redundant and erroneous:
 WITNESS quickly advised me not to do it.  Forgot to run locking subsystem
 checks, sorry for that.
 
 The attached patch was tested on two 7.1-PRERELEASE systems (i386 and
 amd64, both with and without X), on 7.0-STABLE and 7.0-RELEASE-p3 (i386,
 only console, no X) and on rather old 8-CURRENT from Jul 1, syscons.c
 revision 1.459 (amd64 both with and without X).  Works fine for me.
 
 8.x needs slightly modified patch due to the naming changes.  Also
 attached it.  Will try a fresher -CURRENT in some hours: Ed did massive
 changes due to the MPSAFE tty layer, so may be this patch won't be
 needed for the modern 8-CURRENT.
 -- 
 Eygene
 
 --5vNYLRcllDrimb99
 Content-Type: text/x-diff; charset=koi8-r
 Content-Disposition: attachment; filename="syscons-read-race.FreeBSD-8.patch"
 Content-Transfer-Encoding: quoted-printable
 
 Avoids races of high-level syscons code with the sckbdevent handler.
 Patch for the syscons.c 1.459 (8-CURRENT from July 1st 2008).
 
 --- sys/dev/syscons/syscons.c.orig	2008-05-25 19:30:27.000000000 +0400
 +++ sys/dev/syscons/syscons.c	2008-09-23 13:51:14.000000000 +0400
 @@ -1583,6 +1583,7 @@
      int s =3D spltty();	/* block sckbdevent and scrn_timer while we poll */
      int c;
 =20
 +    mtx_lock(&Giant);
      /* assert(sc_console !=3D NULL) */
 =20
      /*=20
 @@ -1594,11 +1595,13 @@
      sccnupdate(scp);
 =20
      if (fkeycp < fkey.len) {
 +	mtx_unlock(&Giant);
  	splx(s);
  	return fkey.str[fkeycp++];
      }
 =20
      if (scp->sc->kbd =3D=3D NULL) {
 +	mtx_unlock(&Giant);
  	splx(s);
  	return -1;
      }
 @@ -1621,6 +1624,7 @@
      scp->kbd_mode =3D cur_mode;
      kbdd_ioctl(scp->sc->kbd, KDSKBMODE, (caddr_t)&scp->kbd_mode);
      kbdd_disable(scp->sc->kbd);
 +    mtx_unlock(&Giant);
      splx(s);
 =20
      switch (KEYFLAGS(c)) {
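Review bot: Giant is held across `kbdd_ioctl()` and `kbdd_disable()`, and when the console keyboard is kbdmux the KBDMUX_LOCK change committed from this PR takes Giant again underneath. That works only because Giant is recursive, as stated earlier in the thread; a comment at the `mtx_lock(&Giant)` site saying so would keep someone from swapping in a non-recursive lock later.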
 
 --5vNYLRcllDrimb99
 Content-Type: text/x-diff; charset=koi8-r
 Content-Disposition: attachment; filename="syscons-read-race.patch"
 Content-Transfer-Encoding: quoted-printable
 
 Avoids races of high-level syscons code with the sckbdevent handler.
 
 Made for FreeBSD 7.x (syscons.c 1.453.2.1); was tested on
 7.0-PRERELEASE, 7.0-STABLE, 7.0-RELEASE-p3 and 7.1-PRERELEASE (up to
 the revision 1.453.2.3 of syscons.c).
 
 --- sys/dev/syscons/syscons.c.orig	2008-09-23 11:46:45.000000000 +0400
 +++ sys/dev/syscons/syscons.c	2008-09-23 12:16:32.000000000 +0400
 @@ -1590,6 +1592,7 @@
      int s =3D spltty();	/* block sckbdevent and scrn_timer while we poll */
      int c;
 =20
 +    mtx_lock(&Giant);
      /* assert(sc_console !=3D NULL) */
 =20
      /*=20
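Review bot: this is now the first hunk of the file, yet its header still reads `-1590,6 +1592,7`, a two-line offset left over from the removed sc_cnputc() hunk, and the following headers carry the same stale offset. Regenerate the diff against the stated syscons.c revision so the hunk headers are self-consistent.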
 @@ -1601,11 +1604,13 @@
      sccnupdate(scp);
 =20
      if (fkeycp < fkey.len) {
 +	mtx_unlock(&Giant);
  	splx(s);
  	return fkey.str[fkeycp++];
      }
 =20
      if (scp->sc->kbd =3D=3D NULL) {
 +	mtx_unlock(&Giant);
  	splx(s);
  	return -1;
      }
 @@ -1628,6 +1633,7 @@
      scp->kbd_mode =3D cur_mode;
      kbd_ioctl(scp->sc->kbd, KDSKBMODE, (caddr_t)&scp->kbd_mode);
      kbd_disable(scp->sc->kbd);
 +    mtx_unlock(&Giant);
      splx(s);
 =20
      switch (KEYFLAGS(c)) {
 
 --5vNYLRcllDrimb99--
 
 --OwLcNYc0lM97+oe1--

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Maksim Yevmenkin <maksim.yevmenkin@gmail.com>
Cc: rik@freebsd.org, ed@freebsd.org, current@freebsd.org,
	bug-followup@freebsd.org
Subject: Re: kern/127446: [patch] fix race in sys/dev/kbdmux/kbdmux.c
Date: Wed, 24 Sep 2008 09:26:26 +0400

 --Q8BnQc91gJZX4vDc
 Content-Type: text/plain; charset=koi8-r
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 Good day.
 
 Tue, Sep 23, 2008 at 02:02:50PM +0400, Eygene Ryabinkin wrote:
 > The attached patch was tested on two 7.1-PRERELEASE systems (i386 and
 > amd64, both with and without X), on 7.0-STABLE and 7.0-RELEASE-p3 (i386,
 > only console, no X) and on rather old 8-CURRENT from Jul 1, syscons.c
 > revision 1.459 (amd64 both with and without X).  Works fine for me.
 >
 > 8.x needs slightly modified patch due to the naming changes.  Also
 > attached it.  Will try a fresher -CURRENT in some hours: Ed did massive
 > changes due to the MPSAFE tty layer, so may be this patch won't be
 > needed for the modern 8-CURRENT.
 
 Tested the patches on the 8-CURRENT from yesterday: system is stable, no
 side effects both in console and X.  As the bonus, I had noticed that
 the strange keyboard behaviour that I used to see on my laptop is
 disappeared.  The effect was the following: after some hours of laptop
 inactivity, keyboard input was slow as if a delay of about a second was
 introduced between keyboard clicks.  I had this only on console, X
 worked fine.  But now, after 12 hours of laptop inactivity, all works
 fine, no delays.  May be this is due to the locking changes introduced
 by the current patches.
 -- 
 Eygene
 
 --Q8BnQc91gJZX4vDc--
State-Changed-From-To: open->feedback 
State-Changed-By: emax 
State-Changed-When: Wed Sep 24 23:46:32 UTC 2008 
State-Changed-Why:  
patch committed to -current 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127446 

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: emax@FreeBSD.org
Cc: ed@freebsd.org, bug-followup@freebsd.org
Subject: Re: kern/127446: [kbdmux] [patch] fix race in
	sys/dev/kbdmux/kbdmux.c
Date: Thu, 25 Sep 2008 08:30:35 +0400

 --FilwpOHBrTVNlmJ3
 Content-Type: text/plain; charset=koi8-r
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 Maksim, good day.
 
 Wed, Sep 24, 2008 at 11:46:50PM +0000, emax@FreeBSD.org wrote:
 > patch committed to -current
 
 Thanks!
 
 Will you be able to glance over the second patch for syscons?  Or may be
 Ed would be so kind to do it?
 -- 
 Eygene
 
 --FilwpOHBrTVNlmJ3--

From: Ed Schouten <ed@80386.nl>
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc: emax@FreeBSD.org, bug-followup@freebsd.org
Subject: Re: kern/127446: [kbdmux] [patch] fix race in
	sys/dev/kbdmux/kbdmux.c
Date: Thu, 25 Sep 2008 06:55:16 +0200

 --3+4H5zObBQkbFbMG
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 Hello Eygene,
 
 * Eygene Ryabinkin <rea-fbsd@codelabs.ru> wrote:
 > Will you be able to glance over the second patch for syscons?  Or may be
 > Ed would be so kind to do it?
 
 I noticed there are some things messed up with locking in syscons. I
 also committed some similar locking things when I integrated MPSAFE TTY.
 Because the new TTY layer enforces a more strict locking approach (a lot
 of assertions when INVARIANTS is turned on), I spotted some code paths
 that called into the TTY layer without picking up any locks.
 
 I'll take a look at the patch this evening. Thanks!
 
 -- 
  Ed Schouten <ed@80386.nl>
  WWW: http://80386.nl/
 
 --3+4H5zObBQkbFbMG--

From: Ed Schouten <ed@80386.nl>
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc: emax@FreeBSD.org, bug-followup@freebsd.org
Subject: Re: kern/127446: [kbdmux] [patch] fix race in
	sys/dev/kbdmux/kbdmux.c
Date: Fri, 26 Sep 2008 14:31:59 +0200

 Hello Eygene,
 
 * Ed Schouten <ed@80386.nl> wrote:
 > I'll take a look at the patch this evening. Thanks!
 
 Even though I've got confidence in your work, I am not convinced I should
 be the person to commit this. I think I don't know enough of our input
 layer to understand what's going on. Sorry. Maksim, could you take a
 look at the patch in the PR?
 
 -- 
  Ed Schouten <ed@80386.nl>
  WWW: http://80386.nl/
 

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Ed Schouten <ed@80386.nl>
Cc: emax@FreeBSD.org, bug-followup@freebsd.org, wkoszek@freebsd.org,
	rwatson@freebsd.org, marcus@freebsd.org, kib@freebsd.org
Subject: Re: kern/127446: [kbdmux] [patch] fix race in
	sys/dev/kbdmux/kbdmux.c
Date: Fri, 26 Sep 2008 18:35:11 +0400

 Ed, good day.
 
 Fri, Sep 26, 2008 at 02:31:59PM +0200, Ed Schouten wrote:
 > * Ed Schouten <ed@80386.nl> wrote:
 > > I'll take a look at the patch this evening. Thanks!
 >
 > Even though I've got confidence in your work, I am not convinced I should
 > be the person to commit this.
 
 OK, no problems.  Thanks for looking at this.
 
 > I think I don't know enough of our input
 > layer to understand what's going on. Sorry. Maksim, could you take a
 > look at the patch in the PR?
 
 I am CC'eing to some people who used to commit to the syscons code.
 Robert, Konstantin, Joe Marcus, Wojciech, Maksim, would you be so kind
 to glance over the second patch?
 
 Thanks!
 -- 
 Eygene
  _                ___       _.--.   #
  \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
  /  ' `         ,       __.--'      #  to read the on-line manual
  )/' _/     \   `-_,   /            #  while single-stepping the kernel.
  `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
      _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
     {_.-``-'         {_/            #
 

From: Joe Marcus Clarke <marcus@FreeBSD.org>
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc: Ed Schouten <ed@80386.nl>, emax@FreeBSD.org, bug-followup@FreeBSD.org,
        wkoszek@FreeBSD.org, rwatson@FreeBSD.org, kib@FreeBSD.org
Subject: Re: kern/127446: [kbdmux] [patch] fix race in
	sys/dev/kbdmux/kbdmux.c
Date: Fri, 26 Sep 2008 16:52:07 -0400

 On Fri, 2008-09-26 at 18:35 +0400, Eygene Ryabinkin wrote:
 > Ed, good day.
 >
 > Fri, Sep 26, 2008 at 02:31:59PM +0200, Ed Schouten wrote:
 > > * Ed Schouten <ed@80386.nl> wrote:
 > > > I'll take a look at the patch this evening. Thanks!
 > >
 > > Even though I've got confidence in your work, I am not convinced I should
 > > be the person to commit this.
 >
 > OK, no problems.  Thanks for looking at this.
 >
 > > I think I don't know enough of our input
 > > layer to understand what's going on. Sorry. Maksim, could you take a
 > > look at the patch in the PR?
 >
 > I am CC'eing to some people who used to commit to the syscons code.
 > Robert, Konstantin, Joe Marcus, Wojciech, Maksim, would you be so kind
 > to glance over the second patch?
 
 My commit to syscons was to fix a problem with VT_WAITACTIVE.  This
 doesn't appear to affect that code, so I have no objection (though that
 is no comment on how correct the patch is).
 
 Joe
 
 -- 
 Joe Marcus Clarke
 FreeBSD GNOME Team      ::      gnome@FreeBSD.org
 FreeNode / #freebsd-gnome
 http://www.FreeBSD.org/gnome
 
 
State-Changed-From-To: feedback->patched 
State-Changed-By: emax 
State-Changed-When: Sun Nov 16 22:43:14 UTC 2008 
State-Changed-Why:  
Patch was committed to -current 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127446 

From: Jaakko Heinonen <jh@saunalahti.fi>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/127446: [kbdmux] [patch] fix race in
	sys/dev/kbdmux/kbdmux.c
Date: Mon, 15 Dec 2008 16:52:55 +0200

 After r183283 calling printf(9) with a mutex held and scroll lock
 enabled on syscons(4) causes LOR. Here is an example of such:
 
 lock order reversal: (Giant after non-sleepable)
  1st 0xc5761500 re0 (network driver) @
 /home/jaakko/src/head/sys/kern/kern_mutex.c:137
  2nd 0xc0d31010 Giant (Giant) @
 /home/jaakko/src/head/sys/dev/kbdmux/kbdmux.c:1103
 KDB: stack backtrace:
 db_trace_self_wrapper(c0be87a9,c52da8a8,c0865595,4,c0be3b75,...) at
 db_trace_self_wrapper+0x26
 kdb_backtrace(4,c0be3b75,c551fea0,c551f1a0,c52da904,...) at
 kdb_backtrace+0x29
 _witness_debugger(c0beb4d0,c0d31010,c0c0595f,c551f1a0,c0bb5fb6,...) at
 _witness_debugger+0x25
 witness_checkorder(c0d31010,9,c0bb5fb6,44f,0,...) at
 witness_checkorder+0x839
 _mtx_lock_flags(c0d31010,0,c0bb5fb6,44f,a0,...) at _mtx_lock_flags+0xc4
 kbdmux_ioctl(c5664a00,40044b13,c52da984,100202,4,...) at
 kbdmux_ioctl+0x76e
 update_kbd_state(c08578bb,c1862fe4,a,9d0,c0c86900,...) at
 update_kbd_state+0x44
 sc_cnputc(c0c86900,72,c52dab50,5,72,...) at sc_cnputc+0x39
 cnputc(72,c52dab50,c52daa00,c08579e1,5,...) at cnputc+0x5f
 putcons(5,a,195eb11,c5625bed,c0857980,...) at putcons+0x17
 putchar(72,c52dab50,1000000,5,c5625bee,...) at putchar+0x61
 kvprintf(c0b8121e,c0857980,c52dab50,a,c52dab7c,...) at kvprintf+0xa27
 printf(c0b8121e,c5625bec,0,3e8,c5760000,...) at printf+0x4e
 device_print_prettyname(c575a700,3e7,c5760000,3e8,c52dabc0,...) at
 device_print_prettyname+0x4c
 device_printf(c575a700,c0bc544a,c575a700,c5763800,1,...) at
 device_printf+0x12
 re_miibus_readreg(c575a700,1,0) at re_miibus_readreg+0xdf
 miibus_readreg(c5763800,1,0,c55672e4,c57689c0,...) at
 miibus_readreg+0x5b
 rgephy_service(c57689c0,c5769480,1,c5761500,c5760000,...) at
 rgephy_service+0x6ff
 mii_tick(c5769480,4,c0bc53de,7ff,0,...) at mii_tick+0x24
 re_tick(c5760000,1,c0be6796,16b,c0d31834,...) at re_tick+0x44
 softclock(c0d31800,c52dacc8,c0817704,c0d35bc0,c55ab938,...) at
 softclock+0x24a
 intr_event_execute_handlers(c55657ec,c55ab900,c0be154d,4dd,c55ab970,...)
 at intr_event_execute_handlers+0x125
 ithread_loop(c5564110,c52dad38,c0be12ac,32d,c55657ec,...) at
 ithread_loop+0x9f
 fork_exit(c0806470,c5564110,c52dad38) at fork_exit+0xb8
 fork_trampoline() at fork_trampoline+0x8
 --- trap 0, eip = 0, esp = 0xc52dad70, ebp = 0 ---
 
 syscons(4) calls kbdd_ioctl() to get/set the scroll lock state.
 
 -- 
 Jaakko
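
The report above, reduced to a user-space model of the "Giant after non-sleepable" ordering rule (an added example, not FreeBSD, syscons or kbdmux code). The lock descriptor, the held-lock stack and the functions lock_acquire, console_putc and tick_print are hypothetical; only the lock names and the scroll lock condition come from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified lock descriptor (not the kernel's lock_object). */
struct lock { const char *name; bool sleepable; bool is_giant; };

static const struct lock giant = { "Giant", false, true };
static const struct lock re0 = { "re0 (network driver)", false, false };
static const struct lock *held[8];   /* locks held by the current thread */
static int nheld, reversals;         /* stack depth, flagged acquisitions */

/* Flag "Giant after non-sleepable", then record the lock as held. */
static void lock_acquire(const struct lock *l)
{
    for (int i = 0; l->is_giant && i < nheld; i++)
        if (!held[i]->is_giant && !held[i]->sleepable) { reversals++; break; }
    if (nheld < 8) held[nheld++] = l;
}

static void lock_release(const struct lock *l)
{
    if (nheld > 0 && held[nheld - 1] == l) nheld--;
}

/* Console output path: with scroll lock on, the keyboard state is queried
 * through an ioctl that takes Giant (kbdmux_ioctl in the trace above). */
static void console_putc(bool scroll_lock_on)
{
    if (!scroll_lock_on) return;
    lock_acquire(&giant);
    lock_release(&giant);
}

/* Print from a timer callback; hold_driver_mtx models re_tick's held mutex. */
static int tick_print(bool hold_driver_mtx, bool scroll_lock_on)
{
    reversals = 0;
    if (hold_driver_mtx) lock_acquire(&re0);
    console_putc(scroll_lock_on);
    if (hold_driver_mtx) lock_release(&re0);
    return reversals;
}

int main(void)
{
    printf("%d %d %d\n", tick_print(true, true), tick_print(true, false),
        tick_print(false, true));
    return 0;
}
```

Only the combination of a held driver mutex and scroll lock enabled is flagged, which matches the condition stated in the message.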
>Unformatted:
