Date:      Thu, 12 May 2005 13:05:43 +0300
From:      Patrik Backlund <pbacklun@cc.hut.fi>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        amd64@FreeBSD.org
Subject:   Re: Fatal trap 12 in exec_copyout_strings()
Message-ID:  <20050512100543.GA30528@backi.iki.fi>
In-Reply-To: <20050510223636.GA49927@xor.obsecurity.org>
References:  <20050510223636.GA49927@xor.obsecurity.org>


--jRHKVT23PllUwdXP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, May 10, 2005 at 03:36:36PM -0700, Kris Kennaway wrote:
> Got this on a dual amd64 with 24GB RAM running 6.0 from last week:
> 
> Fatal trap 12: page fault while in kernel mode

I get something similar from the linux emulation execve syscall when
trying to run skype. It is reproducible, happens every time I start
skype. This is a single processor amd64 machine running current from
1-2 weeks back. Skype worked fine before when I was running
5.4-PRERELEASE.

Attached is a stacktrace from the dump.

-Patrik

--jRHKVT23PllUwdXP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="panic.log"

Script started on Thu May 12 12:31:44 2005
GNU gdb 20040810 [GDB v6.x for FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd6.0"...
panic: from debugger
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0xffffffff9daed000
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xffffffff8046437a
stack pointer	        = 0x10:0xffffffffa6b7a820
frame pointer	        = 0x10:0xffffffffa6b7a860
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 1610 (skype_bin)
panic: from debugger
Uptime: 12m4s
Dumping 991 MB
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 256 272 288 304 320 336 352 368 384 400 416 432 448 464 480 496 512 528 544 560 576 592 608 624 640 656 672 688 704 720 736 752 768 784 800 816 832 848 864 880 896 912 928 944 960 976
---
#0  doadump () at pcpu.h:172
172	pcpu.h: No such file or directory.
	in pcpu.h
doadump () at pcpu.h:172
172	in pcpu.h
(kgdb) where
#0  doadump () at pcpu.h:172
#1  0xffffffff802878cb in boot (howto=0)
    at /usr/src/sys/kern/kern_shutdown.c:397
#2  0xffffffff80288017 in panic (fmt=---Can't read userspace from dump, or kernel process---

) at /usr/src/sys/kern/kern_shutdown.c:553
#3  0xffffffff80194de2 in db_panic (addr=0, have_addr=0, count=-1098509946112, 
    modif=---Can't read userspace from dump, or kernel process---

) at /usr/src/sys/ddb/db_command.c:435
#4  0xffffffff801951a5 in db_command_loop ()
    at /usr/src/sys/ddb/db_command.c:349
#5  0xffffffff80197063 in db_trap (type=-1497913936, code=0)
    at /usr/src/sys/ddb/db_main.c:221
#6  0xffffffff802a55db in kdb_trap (type=12, code=0, tf=0xffffffffa6b7a770)
    at /usr/src/sys/kern/subr_kdb.c:471
#7  0xffffffff804323df in trap_fatal (frame=0xffffffffa6b7a770, 
    eva=18446742974941993344) at /usr/src/sys/amd64/amd64/trap.c:634
#8  0xffffffff80432773 in trap_pfault (frame=0xffffffffa6b7a770, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:562
#9  0xffffffff804329e4 in trap (frame=
      {tf_rdi = 4294957904, tf_rsi = 4294958136, tf_rdx = -1497912048, tf_rcx = -1497912048, tf_r8 = 4294962232, tf_r9 = -2141055024, tf_rax = 0, tf_rbx = -1649487872, tf_rbp = -1497913248, tf_r10 = -1098819118728, tf_r11 = -2141055024, tf_r12 = 4294958136, tf_r13 = 4294957908, tf_r14 = 3, tf_r15 = 23, tf_trapno = 12, tf_addr = -1649487872, tf_flags = -2143085049, tf_err = 0, tf_rip = -2142878854, tf_cs = 8, tf_rflags = 66118, tf_rsp = -1497913296, tf_ss = 16})
---Type <return> to continue, or q <return> to quit---
    at /usr/src/sys/amd64/amd64/trap.c:341
#10 0xffffffff804224ab in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:171
#11 0x00000000ffffdb50 in ?? ()
#12 0x00000000ffffdc38 in ?? ()
#13 0xffffffffa6b7ad10 in ?? ()
#14 0xffffffffa6b7ad10 in ?? ()
#15 0x00000000ffffec38 in ?? ()
#16 0xffffffff806217d0 in sysctl___kern_elf32 ()
#17 0x0000000000000000 in ?? ()
#18 0xffffffff9daed000 in ?? ()
#19 0xffffffffa6b7a860 in ?? ()
#20 0xffffff002946d978 in ?? ()
#21 0xffffffff806217d0 in sysctl___kern_elf32 ()
#22 0x00000000ffffdc38 in ?? ()
#23 0x00000000ffffdb54 in ?? ()
#24 0x0000000000000003 in ?? ()
#25 0x0000000000000017 in ?? ()
#26 0x000000000000000c in ?? ()
#27 0xffffffff9daed000 in ?? ()
#28 0xffffffff80431e07 in suword32 () at /usr/src/sys/amd64/amd64/support.S:452
#29 0x0000000000000000 in ?? ()
#30 0xffffffff8046437a in linux_copyout_strings (imgp=0xffffffff9daed000)
---Type <return> to continue, or q <return> to quit---
    at /usr/src/sys/amd64/linux32/linux32_sysvec.c:899
#31 0xffffffff80269d18 in kern_execve (td=0xffffff002c599980, 
    args=0xffffffff806229a0, mac_p=0xffffff003bb47300)
    at /usr/src/sys/kern/kern_exec.c:452
#32 0xffffffff80461ef1 in linux_execve (td=0xffffff002c599980, args=0x0)
    at /usr/src/sys/amd64/linux32/linux32_machdep.c:206
#33 0xffffffff8045db6e in ia32_syscall (frame=
      {tf_rdi = 686021798, tf_rsi = 4276086956, tf_rdx = 4294957984, tf_rcx = 4276086956, tf_r8 = 0, tf_r9 = 0, tf_rax = 11, tf_rbx = 686021798, tf_rbp = 4276086932, tf_r10 = 0, tf_r11 = 0, tf_r12 = 0, tf_r13 = 0, tf_r14 = 0, tf_r15 = 0, tf_trapno = 12, tf_addr = 686062424, tf_flags = 0, tf_err = 2, tf_rip = 685529770, tf_cs = 27, tf_rflags = 642, tf_rsp = 4276086904, tf_ss = 35})
    at /usr/src/sys/amd64/ia32/ia32_syscall.c:186
#34 0xffffffff8042271d in Xint0x80_syscall () at ia32_exception.S:64
#35 0x0000000028e3dca6 in ?? ()
#36 0x00000000fedfe8ac in ?? ()
#37 0x00000000ffffdba0 in ?? ()
#38 0x00000000fedfe8ac in ?? ()
#39 0x0000000000000000 in ?? ()
#40 0x0000000000000000 in ?? ()
#41 0x000000000000000b in ?? ()
#42 0x0000000028e3dca6 in ?? ()
#43 0x00000000fedfe894 in ?? ()
---Type <return> to continue, or q <return> to quit---
#44 0x0000000000000000 in ?? ()
#45 0x0000000000000000 in ?? ()
#46 0x0000000000000000 in ?? ()
#47 0x0000000000000000 in ?? ()
#48 0x0000000000000000 in ?? ()
#49 0x0000000000000000 in ?? ()
#50 0x000000000000000c in ?? ()
#51 0x0000000028e47b58 in ?? ()
#52 0x0000000000000000 in ?? ()
#53 0x0000000000000002 in ?? ()
#54 0x0000000028dc5aaa in ?? ()
#55 0x000000000000001b in ?? ()
#56 0x0000000000000282 in ?? ()
#57 0x00000000fedfe878 in ?? ()
#58 0x0000000000000023 in ?? ()
#59 0x00000000fedff8bc in ?? ()
#60 0x0000000000000023 in ?? ()
#61 0x0000000000000000 in ?? ()
#62 0x0000000000000000 in ?? ()
#63 0x0000000000000000 in ?? ()
#64 0x0000000000000000 in ?? ()
#65 0x0000000000000000 in ?? ()
#66 0x0000000000000000 in ?? ()
---Type <return> to continue, or q <return> to quit---
#67 0x0000000000000000 in ?? ()
#68 0x0000000000000000 in ?? ()
#69 0x000000002a472000 in ?? ()
#70 0x0000000000000000 in ?? ()
#71 0x0000000000000001 in ?? ()
#72 0xffffff002946d978 in ?? ()
#73 0xffffff003bcd6260 in ?? ()
#74 0xffffffffa6b7a350 in ?? ()
#75 0xffffffffa6b7a328 in ?? ()
#76 0xffffff002c599980 in ?? ()
#77 0xffffffff8029ccaf in sched_switch (td=0x28e3dca6, newtd=0x0, flags=0)
    at /usr/src/sys/kern/sched_4bsd.c:971
Previous frame inner to this frame (corrupt stack?)
(kgdb) where full
#0  doadump () at pcpu.h:172
No locals.
#1  0xffffffff802878cb in boot (howto=0)
    at /usr/src/sys/kern/kern_shutdown.c:397
	first_buf_printf = 1
#2  0xffffffff80288017 in panic (fmt=---Can't read userspace from dump, or kernel process---

) at /usr/src/sys/kern/kern_shutdown.c:553
	bootopt = 260
	newpanic = 0
	ap = {{gp_offset = 8, fp_offset = 48, 
    overflow_arg_area = 0xffffffffa6b7a4b0, 
    reg_save_area = 0xffffffffa6b7a3d0}}
	buf = "from debugger", '\0' <repeats 242 times>
#3  0xffffffff80194de2 in db_panic (addr=0, have_addr=0, count=-1098509946112, 
    modif=---Can't read userspace from dump, or kernel process---

) at /usr/src/sys/ddb/db_command.c:435
No locals.
#4  0xffffffff801951a5 in db_command_loop ()
    at /usr/src/sys/ddb/db_command.c:349
No locals.
#5  0xffffffff80197063 in db_trap (type=-1497913936, code=0)
    at /usr/src/sys/ddb/db_main.c:221
	jb = {{_jb = {-1497913936, -1497913960, -1497913824, 0, 12, 
      -1098767558272, -1098767558272, -2145816486, 4096, -1649754112, 
      -1098764179024, 4}}}
---Type <return> to continue, or q <return> to quit---
	prev_jb = (void *) 0x0
	bkpt = 0
#6  0xffffffff802a55db in kdb_trap (type=12, code=0, tf=0xffffffffa6b7a770)
    at /usr/src/sys/kern/subr_kdb.c:471
	handled = -1497913488
#7  0xffffffff804323df in trap_fatal (frame=0xffffffffa6b7a770, 
    eva=18446742974941993344) at /usr/src/sys/amd64/amd64/trap.c:634
	code = 744069504
	type = 12
	ss = 692509048
	esp = -1098509946112
	softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, 
  ssd_dpl = 0, ssd_p = 1, ssd_long = 1, ssd_def32 = 0, ssd_gran = 1}
#8  0xffffffff80432773 in trap_pfault (frame=0xffffffffa6b7a770, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:562
	va = 18446744072060063744
	vm = (struct vmspace *) 0x0
	map = 0xffffff003c270000
	rv = 1
	ftype = 1 '\001'
	p = (struct proc *) 0x0
	eva = 18446744072060063744
#9  0xffffffff804329e4 in trap (frame=
---Type <return> to continue, or q <return> to quit---
      {tf_rdi = 4294957904, tf_rsi = 4294958136, tf_rdx = -1497912048, tf_rcx = -1497912048, tf_r8 = 4294962232, tf_r9 = -2141055024, tf_rax = 0, tf_rbx = -1649487872, tf_rbp = -1497913248, tf_r10 = -1098819118728, tf_r11 = -2141055024, tf_r12 = 4294958136, tf_r13 = 4294957908, tf_r14 = 3, tf_r15 = 23, tf_trapno = 12, tf_addr = -1649487872, tf_flags = -2143085049, tf_err = 0, tf_rip = -2142878854, tf_cs = 8, tf_rflags = 66118, tf_rsp = -1497913296, tf_ss = 16})
    at /usr/src/sys/amd64/amd64/trap.c:341
	p = (struct proc *) 0xffffff002946d978
	sticks = 4294967295
	i = 9
	ucode = 0
	type = 12
	code = 0
#10 0xffffffff804224ab in calltrap ()
    at /usr/src/sys/amd64/amd64/exception.S:171
No locals.
#11 0x00000000ffffdb50 in ?? ()
No symbol table info available.
#12 0x00000000ffffdc38 in ?? ()
No symbol table info available.
#13 0xffffffffa6b7ad10 in ?? ()
No symbol table info available.
#14 0xffffffffa6b7ad10 in ?? ()
---Type <return> to continue, or q <return> to quit---
No symbol table info available.
#15 0x00000000ffffec38 in ?? ()
No symbol table info available.
#16 0xffffffff806217d0 in sysctl___kern_elf32 ()
No symbol table info available.
#17 0x0000000000000000 in ?? ()
No symbol table info available.
#18 0xffffffff9daed000 in ?? ()
No symbol table info available.
#19 0xffffffffa6b7a860 in ?? ()
No symbol table info available.
#20 0xffffff002946d978 in ?? ()
No symbol table info available.
#21 0xffffffff806217d0 in sysctl___kern_elf32 ()
No symbol table info available.
#22 0x00000000ffffdc38 in ?? ()
No symbol table info available.
#23 0x00000000ffffdb54 in ?? ()
No symbol table info available.
#24 0x0000000000000003 in ?? ()
No symbol table info available.
#25 0x0000000000000017 in ?? ()
No symbol table info available.
---Type <return> to continue, or q <return> to quit---
#26 0x000000000000000c in ?? ()
No symbol table info available.
#27 0xffffffff9daed000 in ?? ()
No symbol table info available.
#28 0xffffffff80431e07 in suword32 () at /usr/src/sys/amd64/amd64/support.S:452
No locals.
#29 0x0000000000000000 in ?? ()
No symbol table info available.
#30 0xffffffff8046437a in linux_copyout_strings (imgp=0xffffffff9daed000)
    at /usr/src/sys/amd64/linux32/linux32_sysvec.c:899
	argc = 3
	envc = 23
	vectp = (u_int32_t *) 0xffffdb54
can not access 0xffffffff9daed000, invalid address (9daed000)
can not access 0xffffffff9daed000, invalid address (9daed000)
can not access 0xffffffff9daed000, invalid address (9daed000)
can not access 0xffffffff9daed000, invalid address (9daed000)
can not access 0xffffffff9daed000, invalid address (9daed000)
can not access 0xffffffff9daed000, invalid address (9daed000)
	stringp = 0xffffffff9daed000 <Address 0xffffffff9daed000 out of bounds>
	destp = 0xffffdc38---Can't read userspace from dump, or kernel process---

(kgdb) quit

Script done on Thu May 12 12:31:55 2005

--jRHKVT23PllUwdXP--
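Added example, not part of the original message or of FreeBSD: a small Python helper that decodes the signed register values kgdb prints in the trap frame back into the 64-bit addresses of the trap header, then matches tf_rip against the symbolised frames, which singles out frame #30 (linux_copyout_strings) as the faulting function and imgp (0xffffffff9daed000) as the bad pointer. The sample log is constructed from lines of the panic.log above; the function names are mine.

```python
import re

# Constructed sample, copied from the panic.log in the message above: two trap
# header lines, the kgdb trap frame (only the registers used here) and three
# frames of the `where` output.
PANIC_LOG = """\
instruction pointer = 0x8:0xffffffff8046437a
fault virtual address = 0xffffffff9daed000
#9  0xffffffff804329e4 in trap (frame=
      {tf_rbx = -1649487872, tf_trapno = 12, tf_addr = -1649487872, tf_rip = -2142878854, tf_cs = 8})
#28 0xffffffff80431e07 in suword32 () at /usr/src/sys/amd64/amd64/support.S:452
#30 0xffffffff8046437a in linux_copyout_strings (imgp=0xffffffff9daed000)
"""

def to_u64(value: int) -> int:
    """kgdb prints trap-frame registers as signed longs; recover the raw 64-bit value."""
    return value & ((1 << 64) - 1)

def parse_trap_frame(text: str) -> dict:
    """Registers from the first 'frame={...}' blob, i.e. trap()'s, not ia32_syscall's."""
    m = re.search(r"frame=\s*\{(.*?)\}", text, re.S)
    if m is None:
        return {}
    return {name: to_u64(int(val))
            for name, val in re.findall(r"(tf_\w+) = (-?\d+)", m.group(1))}

def parse_frames(text: str) -> dict:
    """Map the address of each symbolised backtrace frame to its function name."""
    return {int(addr, 16): sym
            for addr, sym in re.findall(r"^#\d+\s+0x([0-9a-f]+) in (\w+)", text, re.M)}

def locate_fault(text: str) -> dict:
    """Name the faulting function and cross-check the trap frame against the header."""
    regs, frames = parse_trap_frame(text), parse_frames(text)
    hdr_ip = int(re.search(r"instruction pointer\s*=\s*0x[0-9a-f]+:0x([0-9a-f]+)", text).group(1), 16)
    hdr_va = int(re.search(r"fault virtual address\s*=\s*0x([0-9a-f]+)", text).group(1), 16)
    rip, addr = regs["tf_rip"], regs["tf_addr"]
    return {
        "rip": f"0x{rip:016x}",
        "fault_addr": f"0x{addr:016x}",
        "function": frames.get(rip, "??"),
        # %rbx carries the same value as imgp in frame #30; if it equals the fault address, imgp itself is the bad pointer
        "imgp_is_fault_addr": regs["tf_rbx"] == addr,
        "trap_frame_consistent": rip == hdr_ip and addr == hdr_va,
    }
```

The frames kgdb lists between calltrap and linux_copyout_strings as `?? ()` are raw words on the trap stack, not real callers; matching tf_rip to a symbol avoids being misled by them.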
