Date:      Sat, 27 May 2006 20:16:35 GMT
From:      Marcin Koziej <lolownia@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/98034: dereference of NULL pointer in acd_geom_detach by g_event
Message-ID:  <200605272016.k4RKGZII039799@www.freebsd.org>
Resent-Message-ID: <200605272020.k4RKKIEi060782@freefall.freebsd.org>


>Number:         98034
>Category:       kern
>Synopsis:       dereference of NULL pointer in acd_geom_detach by g_event
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 27 20:20:18 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Marcin Koziej
>Release:        6.1-STABLE
>Organization:
>Environment:
FreeBSD carnivore 6.1-STABLE FreeBSD 6.1-STABLE #0: Sat May 20 17:39:08 CEST 2006     creep@carnivore:/home/src/sys/i386/compile/KALI  i386

>Description:
A spontaneous kernel panic caused by the g_event process. There was a DVD in the drive, mounted. The machine was doing some swapping but was not under any big load. Backtrace and dmesg attached. Please e-mail me for data from the core dump, or the core dump itself, if needed.

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:
acpi: suspend request ignored (not ready yet)
acd0: FAILURE - device detached


Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0x3b0
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc052f561
stack pointer	        = 0x28:0xd49e9c98
frame pointer	        = 0x28:0xd49e9ca8
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 2 (g_event)
trap number		= 12
panic: page fault
Uptime: 8h33m21s
Dumping 511 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 511MB (130672 pages) 495 (CTRL-C to abort)  479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:165
165	pcpu.h: No such file or directory.
	in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc06d91d4 in boot (howto=16644) at ../../../kern/kern_shutdown.c:409
#2  0xc06d9506 in panic (fmt=0xc096b8e7 "%s") at ../../../kern/kern_shutdown.c:565
#3  0xc091985c in trap_fatal (frame=0xd49e9c58, eva=0) at ../../../i386/i386/trap.c:836
#4  0xc0919562 in trap_pfault (frame=0xd49e9c58, usermode=0, eva=944) at ../../../i386/i386/trap.c:744
#5  0xc091912d in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 0, tf_esi = 0, tf_ebp = -727802712, tf_isp = -727802748, tf_ebx = -1008491648, tf_edx = -1012605424, tf_ecx = 4, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1068305055, tf_cs = 32, tf_eflags = 590466, tf_esp = -1008491648, tf_ss = 6}) at ../../../i386/i386/trap.c:434
#6  0xc090678a in calltrap () at ../../../i386/i386/exception.s:139
#7  0xc052f561 in acd_geom_detach (arg=0xc3e3a380, flag=0) at ../../../dev/ata/atapi-cd.c:197
#8  0xc0691dbd in one_event () at ../../../geom/geom_event.c:206
#9  0xc0691ecb in g_run_events () at ../../../geom/geom_event.c:226
#10 0xc0693767 in g_event_procbody () at ../../../geom/geom_kern.c:141
#11 0xc06be4df in fork_exit (callout=0xc06936f0 <g_event_procbody>, arg=0x0, frame=0x0)
    at ../../../kern/kern_fork.c:805
#12 0xc09067ec in fork_trampoline () at ../../../i386/i386/exception.s:208
(kgdb) f 7
#7  0xc052f561 in acd_geom_detach (arg=0xc3e3a380, flag=0) at ../../../dev/ata/atapi-cd.c:197
197	    g_wither_geom(cdp->gp, ENXIO);
(kgdb) info local
cdp = (struct acd_softc *) 0x0
(kgdb) info args
arg = (void *) 0xc3e3a380
flag = 0
(kgdb) p *arg
Attempt to dereference a generic pointer.
(kgdb) up
#8  0xc0691dbd in one_event () at ../../../geom/geom_event.c:206
206		ep->func(ep->arg, 0);
(kgdb) info args
No arguments.
(kgdb) info local
ep = (struct g_event *) 0xc53f2280
pp = (struct g_provider *) 0xc53f2280
(kgdb) p *ep
$1 = {events = {tqe_next = 0x0, tqe_prev = 0xc09e0eac}, func = 0xc052f540 <acd_geom_detach>, arg = 0xc3e3a380, 
  flag = 262144, ref = {0x0 <repeats 20 times>}}
(kgdb) p *pp
$2 = {name = 0x0, provider = {le_next = 0xc09e0eac, le_prev = 0xc052f540}, geom = 0xc3e3a380, consumers = {
    lh_first = 0x40000}, acr = 0, acw = 0, ace = 0, error = 0, orphan = {tqe_next = 0x0, tqe_prev = 0x0}, 
  mediasize = 0, sectorsize = 0, stripesize = 0, stripeoffset = 0, stat = 0x0, nstart = 0, nend = 0, flags = 0, 
  private = 0x0, index = 0}
(kgdb) up
#9  0xc0691ecb in g_run_events () at ../../../geom/geom_event.c:226
226		while (one_event())
(kgdb) info local
i = 0
(kgdb) info args
No arguments.
(kgdb) up
#10 0xc0693767 in g_event_procbody () at ../../../geom/geom_kern.c:141
141			g_run_events();
(kgdb) info args
No arguments.
(kgdb) info local
p = (struct proc *) 0x0
tp = (struct thread *) 0xc3a4de10
(kgdb) p *tp
$3 = {td_proc = 0xc3a4c20c, td_ksegrp = 0xc3a4fea0, td_plist = {tqe_next = 0x0, tqe_prev = 0xc3a4c21c}, 
  td_kglist = {tqe_next = 0x0, tqe_prev = 0xc3a4feac}, td_slpq = {tqe_next = 0x0, tqe_prev = 0xc3a190e0}, 
  td_lockq = {tqe_next = 0x0, tqe_prev = 0xe70a2aa8}, td_runq = {tqe_next = 0x0, tqe_prev = 0x0}, td_selq = {
    tqh_first = 0x0, tqh_last = 0x0}, td_sleepqueue = 0xc3a190e0, td_turnstile = 0xc3a43c80, 
  td_umtxq = 0xc3a43c40, td_tid = 100001, td_flags = 65538, td_inhibitors = 0, td_pflags = 65536, td_dupfd = 0, 
  td_wchan = 0x0, td_wmesg = 0x0, td_lastcpu = 0 '\0', td_oncpu = 0 '\0', td_owepreempt = 0 '\0', td_locks = 0, 
  td_blocked = 0x0, td_ithd = 0x0, td_lockname = 0x0, td_contested = {lh_first = 0x0}, td_sleeplocks = 0x0, 
  td_intr_nesting_level = 0, td_pinned = 0, td_mailbox = 0x0, td_ucred = 0xc3a37d00, td_standin = 0x0, 
  td_upcall = 0x0, td_sticks = 2587, td_uuticks = 0, td_usticks = 0, td_intrval = 0, td_oldsigmask = {__bits = {
      0, 0, 0, 0}}, td_sigmask = {__bits = {0, 0, 0, 0}}, td_siglist = {__bits = {0, 0, 0, 0}}, 
  td_generation = 296981, td_sigstk = {ss_sp = 0x0, ss_size = 0, ss_flags = 0}, td_kflags = 0, td_xsig = 0, 
  td_profil_addr = 0, td_profil_ticks = 0, td_base_pri = 76 'L', td_priority = 76 'L', td_pcb = 0xd49e9d90, 
  td_state = TDS_RUNNING, td_retval = {0, 0}, td_slpcallout = {c_links = {sle = {sle_next = 0xc0a5572c}, tqe = {
        tqe_next = 0xc0a5572c, tqe_prev = 0xcdcdacd8}}, c_time = 29736265, c_arg = 0xc3a4de10, 
    c_func = 0xc06fdfa0 <sleepq_timeout>, c_mtx = 0x0, c_flags = 18}, td_frame = 0xd49e9d38, 
  td_kstack_obj = 0xc1844a50, td_kstack = 3567157248, td_kstack_pages = 2, td_altkstack_obj = 0x0, 
  td_altkstack = 0, td_altkstack_pages = 0, td_critnest = 1, td_md = {md_spinlock_count = 1, 
    md_saved_flags = 524870}, td_sched = 0xc3a4df64}
(kgdb) p *tp->td_proc
$4 = {p_list = {le_next = 0xc3a4c418, le_prev = 0xc3a4c000}, p_ksegrps = {tqh_first = 0xc3a4fea0, 
    tqh_last = 0xc3a4fea4}, p_threads = {tqh_first = 0xc3a4de10, tqh_last = 0xc3a4de18}, p_suspended = {
    tqh_first = 0x0, tqh_last = 0xc3a4c224}, p_ucred = 0xc3a37d00, p_fd = 0xc3a51c00, p_fdtol = 0x0, 
  p_stats = 0xc3a39100, p_limit = 0xc3a39400, p_sigacts = 0xc3a94000, p_flag = 516, p_sflag = 1, 
  p_state = PRS_NORMAL, p_pid = 2, p_hash = {le_next = 0x0, le_prev = 0xc3a16008}, p_pglist = {
    le_next = 0xc3a4c418, le_prev = 0xc3a4c050}, p_pptr = 0xc0a49d00, p_sibling = {le_next = 0xc3a4c418, 
    le_prev = 0xc3a4c05c}, p_children = {lh_first = 0x0}, p_mtx = {mtx_object = {lo_class = 0xc09e7184, 
      lo_name = 0xc09851eb "process lock", lo_type = 0xc09851eb "process lock", lo_flags = 4390912, lo_list = {
        tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4, mtx_recurse = 0}, p_oppid = 0, 
  p_vmspace = 0xc0a4a080, p_swtime = 10000, p_realtimer = {it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {
      tv_sec = 0, tv_usec = 0}}, p_rux = {rux_runtime = {sec = 1, frac = 10376793096921630720}, rux_uticks = 0, 
    rux_sticks = 2587, rux_iticks = 0, rux_uu = 0, rux_su = 1444000, rux_iu = 0}, p_crux = {rux_runtime = {
      sec = 0, frac = 0}, rux_uticks = 0, rux_sticks = 0, rux_iticks = 0, rux_uu = 0, rux_su = 0, rux_iu = 0}, 
  p_profthreads = 0, p_maxthrwaits = 0, p_traceflag = 0, p_tracevp = 0x0, p_tracecred = 0x0, p_textvp = 0x0, 
  p_siglist = {__bits = {0, 0, 0, 0}}, p_lock = 0 '\0', p_sigiolst = {slh_first = 0x0}, p_sigparent = 20, 
  p_sig = 0, p_code = 0, p_stops = 0, p_stype = 0, p_step = 0 '\0', p_pfsflags = 0 '\0', p_nlminfo = 0x0, 
  p_aioinfo = 0x0, p_singlethread = 0x0, p_suspcount = 0, p_xthread = 0x0, p_boundary_count = 0, 
  p_procscopegrp = 0x0, p_magic = 3203398350, p_comm = "g_event", '\0' <repeats 12 times>, p_pgrp = 0xc0a4a240, 
  p_sysent = 0xc09e2240, p_args = 0x0, p_cpulimit = 9223372036854775807, p_nice = 0 '\0', p_xstat = 0, 
  p_klist = {kl_list = {slh_first = 0x0}, kl_lock = 0xc06b7b60 <knlist_mtx_lock>, 
    kl_unlock = 0xc06b7bb0 <knlist_mtx_unlock>, kl_locked = 0xc06b7c00 <knlist_mtx_locked>, 
    kl_lockarg = 0xc3a4c274}, p_numthreads = 1, p_numksegrps = 1, p_md = {md_ldt = 0x0}, p_itcallout = {
    c_links = {sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0x0}}, c_time = 0, c_arg = 0x0, 
    c_func = 0, c_mtx = 0x0, c_flags = 16}, p_acflag = 1, p_ru = 0x0, p_peers = 0x0, p_leader = 0xc3a4c20c, 
  p_emuldata = 0x0, p_label = 0x0, p_sched = 0xc3a4c418}
(kgdb) up
#11 0xc06be4df in fork_exit (callout=0xc06936f0 <g_event_procbody>, arg=0x0, frame=0x0)
    at ../../../kern/kern_fork.c:805
805		callout(arg, frame);
Dmesg:

Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD 6.1-STABLE #0: Sat May 20 17:39:08 CEST 2006
    creep@carnivore:/home/src/sys/i386/compile/KALI
WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
WARNING: MPSAFE network stack disabled, expect reduced performance.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD Athlon(tm) 64 Processor 3700+ (2401.37-MHz 686-class CPU)
  Origin = "AuthenticAMD"  Id = 0xf4a  Stepping = 10
  Features=0x78bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2>
  AMD Features=0xe0500800<SYSCALL,NX,MMX+,LM,3DNow+,3DNow>
real memory  = 536281088 (511 MB)
avail memory = 506437632 (482 MB)
ACPI APIC Table: <PTLTD  	 APIC  >
MADT: Forcing active-low polarity and level trigger for SCI
ioapic0 <Version 0.3> irqs 0-23 on motherboard
acpi0: <PTLTD   RSDT> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
acpi_ec0: <Embedded Controller: GPE 0xb> port 0x62,0x66 on acpi0
cpu0: <ACPI CPU> on acpi0
powernow0: <PowerNow! K8> on cpu0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
agp0: <VIA 8380 host to PCI bridge> mem 0xd0000000-0xdfffffff at device 0.0 on pci0
pcib1: <ACPI PCI-PCI bridge> at device 1.0 on pci0
pci1: <ACPI PCI bus> on pcib1
nvidia0: <GeForce FX Go5700> mem 0xc1000000-0xc1ffffff,0xe0000000-0xefffffff irq 16 at device 0.0 on pci1
nvidia0: [GIANT-LOCKED]
ndis0: <INPROCOMM IPN2220 Wireless LAN Card> port 0x1c00-0x1c1f mem 0xc0006000-0xc000601f,0xc0005000-0xc00057ff irq 21 at device 10.0 on pci0
ndis0: [GIANT-LOCKED]
ndis0: NDIS API version: 5.1
ndis0: Ethernet address: 00:0e:9b:99:ee:a8
cbb0: <PCI-CardBus Bridge> irq 17 at device 11.0 on pci0
cardbus0: <CardBus bus> on cbb0
pccard0: <16-bit PCCard bus> on cbb0
cbb1: <PCI-CardBus Bridge> irq 18 at device 11.1 on pci0
cardbus1: <CardBus bus> on cbb1
pccard1: <16-bit PCCard bus> on cbb1
fwohci0: <1394 Open Host Controller Interface> mem 0xc0005800-0xc0005fff,0xc0000000-0xc0003fff irq 19 at device 11.2 on pci0
fwohci0: [GIANT-LOCKED]
fwohci0: OHCI version 1.10 (ROM=0)
fwohci0: No. of Isochronous channels is 4.
fwohci0: EUI64 00:0a:e4:05:10:10:5b:ee
fwohci0: Phy 1394a available S400, 2 ports.
fwohci0: Link S400, max_rec 2048 bytes.
firewire0: <IEEE1394(FireWire) bus> on fwohci0
fwe0: <Ethernet over FireWire> on firewire0
if_fwe0: Fake Ethernet address: 02:0a:e4:10:5b:ee
fwe0: Ethernet address: 02:0a:e4:10:5b:ee
sbp0: <SBP-2/SCSI over FireWire> on firewire0
fwohci0: Initiate bus reset
fwohci0: node_id=0xc800ffc0, gen=1, CYCLEMASTER mode
firewire0: 1 nodes, maxhop <= 0, cable IRM = 0 (me)
firewire0: bus manager 0 (me)
re0: <RealTek 8169SB Single-chip Gigabit Ethernet> port 0x1000-0x10ff mem 0xc0006400-0xc00064ff irq 22 at device 12.0 on pci0
miibus0: <MII bus> on re0
rgephy0: <RTL8169S/8110S media interface> on miibus0
rgephy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX, 1000baseTX-FDX, auto
re0: Ethernet address: 00:0a:e4:a7:d3:4a
re0: [GIANT-LOCKED]
uhci0: <VIA 83C572 USB controller> port 0x1c20-0x1c3f at device 16.0 on pci0
uhci0: [GIANT-LOCKED]
usb0: <VIA 83C572 USB controller> on uhci0
usb0: USB revision 1.0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: <VIA 83C572 USB controller> port 0x1c40-0x1c5f at device 16.1 on pci0
uhci1: [GIANT-LOCKED]
usb1: <VIA 83C572 USB controller> on uhci1
usb1: USB revision 1.0
uhub1: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2: <VIA 83C572 USB controller> port 0x1c60-0x1c7f at device 16.2 on pci0
uhci2: [GIANT-LOCKED]
usb2: <VIA 83C572 USB controller> on uhci2
usb2: USB revision 1.0
uhub2: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0: <VIA VT6202 USB 2.0 controller> mem 0xc0006800-0xc00068ff at device 16.3 on pci0
ehci0: [GIANT-LOCKED]
usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: <VIA VT6202 USB 2.0 controller> on ehci0
usb3: USB revision 2.0
uhub3: VIA EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
isab0: <PCI-ISA bridge> at device 17.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <VIA 8235 UDMA133 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x1c80-0x1c8f at device 17.1 on pci0
ata0: <ATA channel 0> on atapci0
ata1: <ATA channel 1> on atapci0
pcm0: <VIA VT8235> port 0x1400-0x14ff irq 22 at device 17.5 on pci0
pcm0: <VIA Technologies VIA1612A AC97 Codec>
pcm0: <VIA DXS Enabled: DXS 4 / SGD 1 / REC 1>
pci0: <simple comms> at device 17.6 (no driver attached)
acpi_acad0: <AC Adapter> on acpi0
battery0: <ACPI Control Method Battery> on acpi0
acpi_lid0: <Control Method Lid Switch> on acpi0
acpi_button0: <Sleep Button> on acpi0
acpi_tz0: <Thermal Zone> on acpi0
acpi_tz1: <Thermal Zone> on acpi0
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: model Synaptics Touchpad, device ID 0
ppc0: <ECP parallel printer port> port 0x378-0x37f,0x778-0x77f irq 7 drq 3 on acpi0
ppc0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes threshold
ppbus0: <Parallel port bus> on ppc0
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
sio0 port 0x2f8-0x2ff irq 3 drq 1 flags 0x10 on acpi0
sio0: type 16550A
pmtimer0 on isa0
orm0: <ISA Option ROMs> at iomem 0xc0000-0xcffff,0xd8000-0xdbfff,0xdc000-0xdffff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 2401373988 Hz quality 800
Timecounters tick every 1.000 msec
IPsec: Initialized Security Association Processing.
ad0: 95396MB <Seagate ST9100822A 3.01> at ata0-master UDMA100
acd0: DVDR <TSSTcorpCD/DVDW TS-L532A/TI50> at ata1-master UDMA33
cd0 at ata1 bus 0 target 0 lun 0
cd0: <TSSTcorp CD/DVDW TS-L532A TI50> Removable CD-ROM SCSI-0 device 
cd0: 33.000MB/s transfers
cd0: cd present [1429248 x 2048 byte records]
Trying to mount root from ufs:/dev/ad0s1a


>How-To-Repeat:
no idea.
>Fix:
no idea.
>Release-Note:
>Audit-Trail:
>Unformatted:
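Editor's note on the trap above: frame 7 stops at atapi-cd.c:197, `g_wither_geom(cdp->gp, ENXIO);`, with `cdp = (struct acd_softc *) 0x0`, and the fault virtual address 0x3b0 is what a read of the gp field through a NULL softc base produces. The event itself was queued normally (frame 8 shows a valid g_event with func = acd_geom_detach and arg = 0xc3e3a380), so by the time g_event ran it the driver's softc pointer had already been cleared by the detach path ("acd0: FAILURE - device detached" in the message buffer). The C program below is an added, user-space model of that failure pattern; it is not code from FreeBSD, from the ata driver, or from the reporter. It queues a detach handler the way g_post_event/one_event do, lets the teardown clear the softc pointer before the event runs, and places a handler that tolerates the cleared softc beside one shaped like the crashing frame. The struct acd_softc and ata_device layouts, the fixed-size event queue, and the names run_scenario, scenario_geom and fault_address_for_null_softc are assumptions made for the model; only the 0x3b0 offset and the frame-7 expression come from the report.

```c
/* Added model of the deferred-event NULL dereference in PR kern/98034. Not
 * FreeBSD code: layouts and names are assumptions matched to the report. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct g_geom { int withered; int error; };   /* withered: g_wither_geom ran */

/* Assumed layout: 0x3b0 bytes of other state put gp where the report faults. */
struct acd_softc { unsigned char other_state[0x3b0]; struct g_geom *gp; };

/* Assumed event argument: a live object whose softc pointer detach clears. */
struct ata_device { struct acd_softc *softc; };

/* Minimal stand-in for the GEOM event queue that g_run_events() drains. */
typedef int (*g_event_fn)(void *arg, int flag);
struct g_event { g_event_fn func; void *arg; int flag; };
static struct g_event g_events[8];
static int g_nevents;

static int g_post_event(g_event_fn func, void *arg, int flag)
{
    struct g_event ev = { func, arg, flag };
    if (g_nevents >= (int)(sizeof g_events / sizeof g_events[0]))
        return EAGAIN;                          /* queue full */
    g_events[g_nevents++] = ev;
    return 0;
}

/* Runs queued events in order, like one_event(); returns the last result. */
static int g_run_events(void)
{
    int i, rv = 0;
    for (i = 0; i < g_nevents; i++)
        rv = g_events[i].func(g_events[i].arg, g_events[i].flag);
    g_nevents = 0;
    return rv;
}

static int g_wither_geom(struct g_geom *gp, int error)
{
    gp->withered = 1; gp->error = error;
    return 0;
}

/* Address a NULL cdp faults on at "g_wither_geom(cdp->gp, ENXIO)". */
size_t fault_address_for_null_softc(void)
{
    return offsetof(struct acd_softc, gp);
}

/* Shape of the handler in the report: re-reads the softc pointer at event
 * time. With it already cleared, cdp->gp reads address 0x3b0: trap 12. */
int acd_geom_detach_unchecked(void *arg, int flag)
{
    struct acd_softc *cdp = ((struct ata_device *)arg)->softc;
    return g_wither_geom(cdp->gp, ENXIO);
}

/* Hardened handler: a softc that is already gone has nothing to wither. */
int acd_geom_detach_checked(void *arg, int flag)
{
    struct acd_softc *cdp = ((struct ata_device *)arg)->softc;
    if (cdp == NULL || cdp->gp == NULL)
        return ENXIO;
    return g_wither_geom(cdp->gp, ENXIO);
}

struct g_geom scenario_geom;    /* the geom each scenario withers, or fails to */
/* Posts the detach event, optionally lets teardown clear the softc pointer
 * before the event runs (the race in the report), then drains the queue. */
int run_scenario(g_event_fn handler, int teardown_first)
{
    struct ata_device atadev;
    struct acd_softc *cdp = calloc(1, sizeof *cdp);
    int rv;
    if (cdp == NULL)
        return ENOMEM;
    scenario_geom.withered = scenario_geom.error = 0;
    cdp->gp = &scenario_geom;
    atadev.softc = cdp;
    g_post_event(handler, &atadev, 0);
    if (teardown_first)
        atadev.softc = NULL;                    /* detach got there first */
    rv = g_run_events();
    free(cdp);
    return rv;
}

int main(void)
{
    int rv = run_scenario(acd_geom_detach_checked, 1);
    printf("NULL cdp would fault at 0x%zx\n", fault_address_for_null_softc());
    printf("softc cleared first: rv=%d withered=%d\n", rv, scenario_geom.withered);
    rv = run_scenario(acd_geom_detach_checked, 0);
    printf("softc intact: rv=%d withered=%d\n", rv, scenario_geom.withered);
    return 0;
}
```

Running acd_geom_detach_unchecked with teardown_first set reproduces the shape of the trap in user space (a read at 0x3b0 from a NULL base), which is why main only exercises the checked handler. A NULL check in the handler stops the panic but does not close the race; the more robust fix is for the code that posts the event to hand the handler the g_geom pointer it needs as the event argument, or otherwise hold a reference across the deferral, so the handler never has to re-read driver state that the detach path may already have torn down.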