Date: Mon, 15 Mar 1999 06:56:51 -0500 (EST)
From: Brian Feldman <green@unixhelp.org>
To: Dmitrij Tejblum <dima@tejblum.dnttm.rssi.ru>
Cc: Matthew Dillon <dillon@apollo.backplane.com>, current@FreeBSD.ORG
Subject: Re: Simple DOS against 3.x locks box solid
Message-ID: <Pine.BSF.4.05.9903150654440.20897-100000@janus.syracuse.net>
In-Reply-To: <199903151024.NAA00520@tejblum.dnttm.rssi.ru>
On Mon, 15 Mar 1999, Dmitrij Tejblum wrote:

> Matthew Dillon wrote:
>
> > We'll get a quick fix committed but the lockmgr stuff needs a real
> > going-over... having interrupts using the general lockmgr call is
> > a disaster waiting to happen.
>
> Hmmm. After I looked a bit further, it looks like a bug in the
> scheduler (?). Here is the stack trace:
>
> #9  0xc01ff64e in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 0,
>       tf_esi = 16777216, tf_ebp = -999002708, tf_isp = -999002744,
>       tf_ebx = -1071228500, tf_edx = -2, tf_ecx = 0, tf_eax = 0,
>       tf_trapno = 12, tf_err = 0, tf_eip = -1072584332, tf_cs = 8,
>       tf_eflags = 66050, tf_esp = -999002524, tf_ss = -1071228500})
>     at ../../i386/i386/trap.c:438
> #10 0xc011a974 in lockmgr (lkp=0xc02659ac, flags=1, interlkp=0x0, p=0x0)
>     at ../../kern/kern_lock.c:217
> #11 0xc01d8c5b in vm_map_lookup (var_map=0xc4746e64, vaddr=3294351360,
>       fault_typea=1 '\001', out_entry=0xc4746e68, object=0xc4746e5c,
>       pindex=0xc4746e60, out_prot=0xc4746e4b "\300\a", wired=0xc4746e44)
>     at ../../vm/vm_map.c:2463
> #12 0xc01d4153 in vm_fault (map=0xc02659ac, vaddr=3294351360,
>       fault_type=1 '\001', fault_flags=0) at ../../vm/vm_fault.c:197
> #13 0xc01ff9ac in trap_pfault (frame=0xc4746f18, usermode=0, eva=3294351360)
>     at ../../i386/i386/trap.c:825
> #14 0xc01ff64e in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 46137344,
>       tf_esi = -1071149988, tf_ebp = -999002244, tf_isp = -999002304,
>       tf_ebx = 18341888, tf_edx = -1000615936, tf_ecx = -1005747008,
>       tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1071650796, tf_cs = 8,
>       tf_eflags = 65606, tf_esp = -1072552121, tf_ss = -999654400})
>     at ../../i386/i386/trap.c:438
> #15 0xc01fe814 in swtch_com ()
> #16 0xc01ff859 in trap (frame={tf_es = 47, tf_ds = 47, tf_edi = 20,
>       tf_esi = 136019608, tf_ebp = -1077948228, tf_isp = -999002156,
>       tf_ebx = 307, tf_edx = 136220264, tf_ecx = 136630944,
>       tf_eax = 135716928, tf_trapno = 7, tf_err = 0, tf_eip = 134536416,
>       tf_cs = 31, tf_eflags = 514, tf_esp = -1077948244, tf_ss = 47})
>     at ../../i386/i386/trap.c:195
> #17 0xc01f5aa3 in swi_ast_user ()
>
> the trap in swtch_com() (frame #15) is here:
>
>         /* switch address space */              <----- line 622
>         movl    %cr3,%ebx
>         cmpl    PCB_CR3(%edx),%ebx              <----- trap
>         je      4f
>
> I don't think this line is supposed to cause a trap...

When it says "switch address space", what exactly do you think it's going to do? What I mean is, I'm pretty certain this is a good trap =) The real problem did seem to be the NULL p dereference, as it was obvious that it could happen in the code.

>
> Dima
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-current" in the body of the message
>

 Brian Feldman                                   _ __ ___ ___ ___
 green@unixhelp.org                              _ __ ___ | _ ) __| \
        http://www.freebsd.org/                  _ __ ___ ____ | _ \__ \ |) |
 FreeBSD: The Power to Serve!                    _ __ ___ ____ _____ |___/___/___/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
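The following is an added, user-space illustration written for this archive page; it is not code from the thread and not FreeBSD's own lockmgr. It models the defect Brian points at in frame #10 (lockmgr entered with p=0x0 from trap context) by placing a lock routine that blindly dereferences the caller's process pointer beside a hardened form that maps a missing process context to a sentinel holder id. The struct and function names, the LK_KERNPROC / LK_NOPROC sentinels, and the scenario replayed in run_scenario() are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's process structure. */
struct proc { int p_pid; };

#define LK_NOPROC   (-1)   /* lock currently unowned */
#define LK_KERNPROC (-2)   /* assumed sentinel: holder has no process context */

/* Constructed stand-in for a lockmgr-style lock: holder pid + recursion depth. */
struct lock {
    int lk_lockholder;
    int lk_exclusivecount;
};

enum { LK_OK = 0, LK_WOULDBLOCK = 1, LK_NOTHELD = 2 };

/* Defective form: trusts that p is never NULL. Reached from a page fault
 * taken while no process is current, this is the NULL dereference the
 * thread describes. Kept only to contrast with the fix; never call it
 * with p == NULL. */
static int lock_acquire_unchecked(struct lock *lkp, const struct proc *p)
{
    int pid = p->p_pid;    /* crashes when p == NULL */
    if (lkp->lk_lockholder != LK_NOPROC && lkp->lk_lockholder != pid)
        return LK_WOULDBLOCK;
    lkp->lk_lockholder = pid;
    lkp->lk_exclusivecount++;
    return LK_OK;
}

/* Hardened form: a missing process context becomes a well-defined
 * sentinel holder, so recursion and contention logic keep working. */
static int holder_id(const struct proc *p)
{
    return p == NULL ? LK_KERNPROC : p->p_pid;
}

static int lock_acquire(struct lock *lkp, const struct proc *p)
{
    int pid = holder_id(p);
    if (lkp->lk_lockholder != LK_NOPROC && lkp->lk_lockholder != pid)
        return LK_WOULDBLOCK;  /* the real kernel would sleep here */
    lkp->lk_lockholder = pid;
    lkp->lk_exclusivecount++;
    return LK_OK;
}

static int lock_release(struct lock *lkp, const struct proc *p)
{
    if (lkp->lk_lockholder != holder_id(p) || lkp->lk_exclusivecount == 0)
        return LK_NOTHELD;     /* releasing a lock this context does not hold */
    if (--lkp->lk_exclusivecount == 0)
        lkp->lk_lockholder = LK_NOPROC;
    return LK_OK;
}

/* Replays the scenario with the hardened form: an acquire with no process
 * (p == NULL), a contending process, a recursive re-entry, and release.
 * Returns the holder id recorded while the sentinel owned the lock, or a
 * negative code below -99 if any step misbehaves. */
static int run_scenario(void)
{
    struct lock lk = { LK_NOPROC, 0 };
    struct proc init = { 1 };
    int held;

    if (lock_acquire(&lk, NULL) != LK_OK)          return -100;  /* trap context */
    held = lk.lk_lockholder;                                      /* LK_KERNPROC */
    if (lock_acquire(&lk, &init) != LK_WOULDBLOCK) return -101;  /* process contends */
    if (lock_acquire(&lk, NULL) != LK_OK)          return -102;  /* recursive re-entry */
    if (lk.lk_exclusivecount != 2)                 return -103;
    if (lock_release(&lk, NULL) != LK_OK)          return -104;
    if (lock_release(&lk, NULL) != LK_OK)          return -105;
    if (lk.lk_lockholder != LK_NOPROC)             return -106;
    if (lock_acquire(&lk, &init) != LK_OK)         return -107;  /* process now gets it */
    return held;
}

/* The defective form behaves identically as long as a process is present;
 * the difference only shows when p == NULL. Returns the recorded holder. */
static int unchecked_with_process(void)
{
    struct lock lk = { LK_NOPROC, 0 };
    struct proc init = { 1 };
    if (lock_acquire_unchecked(&lk, &init) != LK_OK)
        return -100;
    return lk.lk_lockholder;
}

int main(void)
{
    printf("holder while acquired without a process: %d\n", run_scenario());
    printf("holder in the unchecked form with a process: %d\n", unchecked_with_process());
    return 0;
}
```

The point of the contrast is the one Matthew Dillon raises above: a lock primitive that assumes a current process cannot safely be reached from interrupt or trap context, and the minimal fix is to give that context a well-defined identity rather than to dereference whatever pointer arrived.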