From owner-freebsd-current@FreeBSD.ORG Wed Jun 22 14:31:37 2005
From: John Baldwin
To: freebsd-amd64@freebsd.org
Cc: sobomax@FreeBSD.org, Kris Kennaway, Andrew Gallatin, current@freebsd.org
Subject: Re: Fatal trap 12 in exec_copyout_strings()
Date: Wed, 22 Jun 2005 10:31:54 -0400
Message-Id: <200506221031.55875.jhb@FreeBSD.org>
In-Reply-To: <17080.29141.918333.170950@grasshopper.cs.duke.edu>
References: <20050510223636.GA49927@xor.obsecurity.org> <200506171434.49008.jhb@FreeBSD.org> <17080.29141.918333.170950@grasshopper.cs.duke.edu>
List-Id: Discussions about the use of FreeBSD-current

On Tuesday 21 June 2005 04:00 pm, Andrew Gallatin wrote:
> John Baldwin writes:
> > On Sunday 29 May 2005 01:50 pm, Kris Kennaway wrote:
> > > On Tue, May 10, 2005 at 03:36:36PM -0700, Kris Kennaway wrote:
> > > > Got this on a dual amd64 with 8GB RAM running 6.0 from last week:
> > > >
> > > > Fatal trap 12: page fault while in kernel mode
> > > > cpuid = 1; apic id = 01
> > > > fault virtual address = 0xffffffffa9cdc000
> > > > fault code = supervisor read, page not present
> > > > instruction pointer = 0x8:0xffffffff8037759f
> > > > stack pointer = 0x10:0xffffffffba1637d0
> > > > frame pointer = 0x10:0xffffffffba163820
> > > > code segment = base 0x0, limit 0xfffff, type 0x1b
> > > > = DPL 0, pres 1, long 1, def32 0, gran 1
> > > > processor eflags = interrupt enabled, resume, IOPL = 0
> > > > current process = 52247 (sh)
> > > > [thread pid 52247 tid 100149 ]
> > > > Stopped at exec_copyout_strings+0x12f:
> > > > db> wh
> > > > Tracing pid 52247 tid 100149 td 0xffffff016e5724c0
> > > > exec_copyout_strings() at exec_copyout_strings+0x12f
> > > > do_execve() at do_execve+0x39a
> > > > kern_execve() at kern_execve+0xab
> > > > execve() at execve+0x49
> > > > syscall() at syscall+0x382
> > > > Xfast_syscall() at Xfast_syscall+0xa8
> > > > --- syscall (59, FreeBSD ELF64, execve), rip = 0x80090622c, rsp = 0x7fffffffe058, rbp = 0xffffffff ---
> > > > db>
> > >
> > > I've got this panic twice more since.
> >
> > Do you have a kernel.debug?  Can you do 'list
> > *exec_copyout_strings+0x12f'?  I think I've seen reports of the
> > linux32_exec_copyout_strings() having a similar fault as well on amd64.
>
> I just got this on my freshly installed UP, 512MB athlon64.  For me,
> it's 100% reproducible when running a cross-compiler built on
> FreeBSD-4.
>
> (kgdb) p *imgp->args
> $33 = {
>   buf = 0xffffffff90ba3000 <Address 0xffffffff90ba3000 out of bounds>,
>   begin_argv = 0xffffffff90ba3000 <Address 0xffffffff90ba3000 out of bounds>,
>   begin_envv = 0xffffffff90ba313d <Address 0xffffffff90ba313d out of bounds>,
>   endp = 0xffffffff90ba389f <Address 0xffffffff90ba389f out of bounds>,
>   fname = 0xffffffff90be3000 "/home/gallatin/lanaitools/intel_FreeBSD/lib/gcc-lib/lanai/2.95.2..1.6/cc1",
>   stringspace = 259937,
>   argc = 23,
>   envc = 46
> }
>
> I'm puzzled.  fname seems to be buf+ARGV_MAX, so it's not
> like something randomly scribbled on this memory.
>
> In the debugger, the memory just below buf+ARGV_MAX seems to be
> unmapped.  But we've done copyins in freebsd32_exec_copyin_args(),
> otherwise endp would not have been advanced.  So we've written to this
> memory.
>
> It is almost like somebody freed buf through buf + 262144.

I think I figured it out.  sobomax@ changed how much memory exec_copyin_args() and exec_free_args() allocated and freed without updating freebsd32_exec_copyin_args() and linux_exec_copyin_args(), so more memory was freed than was allocated, which would free memory out from under other execs.  Patch is below.  Let me know if it fixes the problem.

Index: amd64/linux32/linux32_machdep.c =================================================================== RCS file: /usr/cvs/src/sys/amd64/linux32/linux32_machdep.c,v retrieving revision 1.9 diff -u -r1.9 linux32_machdep.c --- amd64/linux32/linux32_machdep.c 5 Apr 2005 15:28:06 -0000 1.9 +++ amd64/linux32/linux32_machdep.c 22 Jun 2005 14:26:03 -0000 @@ -113,7 +113,8 @@ * Allocate temporary demand zeroed space for argument and * environment strings */ - args->buf = (char *) kmem_alloc_wait(exec_map, PATH_MAX + ARG_MAX); + args->buf = (char *) kmem_alloc_wait(exec_map, + PATH_MAX + ARG_MAX + MAXSHELLCMDLEN); if (args->buf == NULL) return (ENOMEM); args->begin_argv = args->buf; Index: compat/freebsd32/freebsd32_misc.c =================================================================== RCS file: /usr/cvs/src/sys/compat/freebsd32/freebsd32_misc.c,v retrieving revision 1.35 diff -u -r1.35 freebsd32_misc.c --- compat/freebsd32/freebsd32_misc.c 11 Jun 2005 14:58:20 -0000 1.35 +++ compat/freebsd32/freebsd32_misc.c 22 Jun 2005 14:26:11 -0000
@@ -237,7 +237,8 @@ * Allocate temporary demand zeroed space for argument and * environment strings */ - args->buf = (char *) kmem_alloc_wait(exec_map, PATH_MAX + ARG_MAX); + args->buf = (char *) kmem_alloc_wait(exec_map, + PATH_MAX + ARG_MAX + MAXSHELLCMDLEN); if (args->buf == NULL) return (ENOMEM); args->begin_argv = args->buf; -- John Baldwin <>< http://www.FreeBSD.org/~jhb/ "Power Users Use the Power to Serve" = http://www.FreeBSD.org
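Review bot: both hunks spell out the size expression `PATH_MAX + ARG_MAX + MAXSHELLCMDLEN` by hand, and that expression has to stay identical to what exec_copyin_args() allocates and exec_free_args() frees, which is exactly the agreement that silently broke here; a single shared constant (or a small helper) used by every copyin path and by the free path would remove the duplication and make the next size change safe by construction. The free side is not in this diff, so it is worth confirming in the same change that exec_free_args() releases exactly this size, since the over-free described above is the difference between that free and these two allocations.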
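The failure mode the message describes, an arch-specific copyin path allocating less than the shared free path releases, reduced to a toy arena so the over-free into a neighbouring exec's buffer can be observed directly. This is an added example, not code from the thread or from FreeBSD; map_alloc(), map_free() and the TOY_* sizes are constructed stand-ins for kmem_alloc_wait(), kmem_free_wakeup() and the real kernel constants.

```c
#include <stddef.h>
#include <string.h>
/* Toy sizes, constructed for this example (not the kernel's real constants): the shared
 * free path releases PATH_MAX + ARG_MAX + MAXSHELLCMDLEN, the stale copyin paths allocate less. */
#define TOY_PATH_MAX       16
#define TOY_ARG_MAX        64
#define TOY_MAXSHELLCMDLEN 8
#define TOY_FULL_SIZE      (TOY_PATH_MAX + TOY_ARG_MAX + TOY_MAXSHELLCMDLEN)
#define ARENA_SIZE         256
/* Stand-in for exec_map: owner[i] is the exec (1 or 2) holding byte i, 0 if free. */
static unsigned char owner[ARENA_SIZE];
/* First-fit byte allocator standing in for kmem_alloc_wait(); returns offset or -1. */
static int map_alloc(size_t len, unsigned char id) {
    for (size_t start = 0; start + len <= ARENA_SIZE; start++) {
        size_t i = 0;
        while (i < len && owner[start + i] == 0) i++;
        if (i == len) { memset(owner + start, id, len); return (int)start; }
        start += i;  /* skip past the busy byte that stopped the scan */
    }
    return -1;
}

/* Stand-in for kmem_free_wakeup(): releases whatever range the caller claims to own. */
static void map_free(int off, size_t len) {
    if (off < 0) return;
    if ((size_t)off + len > ARENA_SIZE) len = ARENA_SIZE - (size_t)off;
    memset(owner + off, 0, len);
}

/* Exec 1 allocates alloc_len bytes, exec 2 allocates the full size right behind it, then
 * exec 1 frees free_len bytes through the shared path. Returns exec 2's bytes lost. */
static size_t bytes_stolen_from_neighbour(size_t alloc_len, size_t free_len) {
    memset(owner, 0, sizeof owner);
    int a = map_alloc(alloc_len, 1);
    int b = map_alloc(TOY_FULL_SIZE, 2);
    map_free(a, free_len);
    size_t lost = 0;
    for (size_t i = 0; i < TOY_FULL_SIZE; i++) lost += (owner[b + i] != 2);
    return lost;
}
/* Before the patch: allocation and free sizes disagree, so the free reaches into exec 2. */
static size_t buggy_case(void) {
    return bytes_stolen_from_neighbour(TOY_PATH_MAX + TOY_ARG_MAX, TOY_FULL_SIZE);
}

/* After the patch: both paths use the same size and nothing is freed across the boundary. */
static size_t patched_case(void) {
    return bytes_stolen_from_neighbour(TOY_FULL_SIZE, TOY_FULL_SIZE);
}
```

With the toy sizes, buggy_case() unmaps the first TOY_MAXSHELLCMDLEN bytes of the neighbouring exec's buffer, which is the same shape as the "somebody freed buf through buf + 262144" observation in the thread.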