From owner-freebsd-bugs@FreeBSD.ORG Sat May 27 20:20:19 2006
Return-Path:
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F4A016A8F4 for ; Sat, 27 May 2006 20:20:19 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 068E043D53 for ; Sat, 27 May 2006 20:20:19 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k4RKKIat060783 for ; Sat, 27 May 2006 20:20:18 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k4RKKIEi060782; Sat, 27 May 2006 20:20:18 GMT (envelope-from gnats)
Resent-Date: Sat, 27 May 2006 20:20:18 GMT
Resent-Message-Id: <200605272020.k4RKKIEi060782@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Marcin Koziej
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 66AB216A8AD for ; Sat, 27 May 2006 20:16:36 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1367A43D46 for ; Sat, 27 May 2006 20:16:36 +0000 (GMT) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k4RKGZhL039800 for ; Sat, 27 May 2006 20:16:35 GMT (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.13.1/8.13.1/Submit) id k4RKGZII039799; Sat, 27 May 2006 20:16:35 GMT (envelope-from nobody)
Message-Id: <200605272016.k4RKGZII039799@www.freebsd.org>
Date: Sat, 27 May 2006 20:16:35 GMT
From: Marcin Koziej
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Cc:
Subject: kern/98034: dereference of NULL pointer in acd_geom_detach by g_event
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 27 May 2006 20:20:53 -0000

>Number:         98034
>Category:       kern
>Synopsis:       dereference of NULL pointer in acd_geom_detach by g_event
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 27 20:20:18 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Marcin Koziej
>Release:        6.1-STABLE
>Organization:
>Environment:
FreeBSD carnivore 6.1-STABLE FreeBSD 6.1-STABLE #0: Sat May 20 17:39:08 CEST 2006 creep@carnivore:/home/src/sys/i386/compile/KALI i386
>Description:
A spontaneous kernel panic caused by the g_event process. There was a DVD in the drive, mounted. The machine was doing some swapping but was not under any big load. Backtrace and dmesg attached. Please e-mail for data from the core dump, or the core dump itself, if needed.

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
Unread portion of the kernel message buffer:
acpi: suspend request ignored (not ready yet)
acd0: FAILURE - device detached


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x3b0
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc052f561
stack pointer           = 0x28:0xd49e9c98
frame pointer           = 0x28:0xd49e9ca8
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 2 (g_event)
trap number             = 12
panic: page fault
Uptime: 8h33m21s
Dumping 511 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 511MB (130672 pages) 495 (CTRL-C to abort) 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:165
165     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc06d91d4 in boot (howto=16644) at ../../../kern/kern_shutdown.c:409
#2  0xc06d9506 in panic (fmt=0xc096b8e7 "%s") at ../../../kern/kern_shutdown.c:565
#3  0xc091985c in trap_fatal (frame=0xd49e9c58, eva=0) at ../../../i386/i386/trap.c:836
#4  0xc0919562 in trap_pfault (frame=0xd49e9c58, usermode=0, eva=944) at ../../../i386/i386/trap.c:744
#5  0xc091912d in trap (frame= {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 0, tf_esi = 0, tf_ebp = -727802712, tf_isp = -727802748, tf_ebx = -1008491648, tf_edx = -1012605424, tf_ecx = 4, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1068305055, tf_cs = 32, tf_eflags = 590466, tf_esp = -1008491648, tf_ss = 6}) at ../../../i386/i386/trap.c:434
#6  0xc090678a in calltrap () at ../../../i386/i386/exception.s:139
#7  0xc052f561 in acd_geom_detach (arg=0xc3e3a380, flag=0) at ../../../dev/ata/atapi-cd.c:197
#8  0xc0691dbd in one_event () at ../../../geom/geom_event.c:206
#9  0xc0691ecb in g_run_events () at ../../../geom/geom_event.c:226
#10 0xc0693767 in g_event_procbody () at ../../../geom/geom_kern.c:141
#11 0xc06be4df in fork_exit (callout=0xc06936f0 , arg=0x0, frame=0x0) at ../../../kern/kern_fork.c:805
#12 0xc09067ec in fork_trampoline () at ../../../i386/i386/exception.s:208
(kgdb) f 7
#7  0xc052f561 in acd_geom_detach (arg=0xc3e3a380, flag=0) at ../../../dev/ata/atapi-cd.c:197
197         g_wither_geom(cdp->gp, ENXIO);
(kgdb) info local
cdp = (struct acd_softc *) 0x0
(kgdb) info args
arg = (void *) 0xc3e3a380
flag = 0
(kgdb) p *arg
Attempt to dereference a generic pointer.
(kgdb) up
#8  0xc0691dbd in one_event () at ../../../geom/geom_event.c:206
206             ep->func(ep->arg, 0);
(kgdb) info args
No arguments.
(kgdb) info local
ep = (struct g_event *) 0xc53f2280
pp = (struct g_provider *) 0xc53f2280
(kgdb) p *ep
$1 = {events = {tqe_next = 0x0, tqe_prev = 0xc09e0eac}, func = 0xc052f540 , arg = 0xc3e3a380, flag = 262144, ref = {0x0 }}
(kgdb) p *pp
$2 = {name = 0x0, provider = {le_next = 0xc09e0eac, le_prev = 0xc052f540}, geom = 0xc3e3a380, consumers = {lh_first = 0x40000}, acr = 0, acw = 0, ace = 0, error = 0, orphan = {tqe_next = 0x0, tqe_prev = 0x0}, mediasize = 0, sectorsize = 0, stripesize = 0, stripeoffset = 0, stat = 0x0, nstart = 0, nend = 0, flags = 0, private = 0x0, index = 0}
(kgdb) up
#9  0xc0691ecb in g_run_events () at ../../../geom/geom_event.c:226
226             while (one_event())
(kgdb) info local
i = 0
(kgdb) info args
No arguments.
(kgdb) up
#10 0xc0693767 in g_event_procbody () at ../../../geom/geom_kern.c:141
141             g_run_events();
(kgdb) info args
No arguments.
(kgdb) info local
p = (struct proc *) 0x0
tp = (struct thread *) 0xc3a4de10
(kgdb) p *tp
$3 = {td_proc = 0xc3a4c20c, td_ksegrp = 0xc3a4fea0, td_plist = {tqe_next = 0x0, tqe_prev = 0xc3a4c21c}, td_kglist = {tqe_next = 0x0, tqe_prev = 0xc3a4feac}, td_slpq = {tqe_next = 0x0, tqe_prev = 0xc3a190e0}, td_lockq = {tqe_next = 0x0, tqe_prev = 0xe70a2aa8}, td_runq = {tqe_next = 0x0, tqe_prev = 0x0}, td_selq = {tqh_first = 0x0, tqh_last = 0x0}, td_sleepqueue = 0xc3a190e0, td_turnstile = 0xc3a43c80, td_umtxq = 0xc3a43c40, td_tid = 100001, td_flags = 65538, td_inhibitors = 0, td_pflags = 65536, td_dupfd = 0, td_wchan = 0x0, td_wmesg = 0x0, td_lastcpu = 0 '\0', td_oncpu = 0 '\0', td_owepreempt = 0 '\0', td_locks = 0, td_blocked = 0x0, td_ithd = 0x0, td_lockname = 0x0, td_contested = {lh_first = 0x0}, td_sleeplocks = 0x0, td_intr_nesting_level = 0, td_pinned = 0, td_mailbox = 0x0, td_ucred = 0xc3a37d00, td_standin = 0x0, td_upcall = 0x0, td_sticks = 2587, td_uuticks = 0, td_usticks = 0, td_intrval = 0, td_oldsigmask = {__bits = {0, 0, 0, 0}}, td_sigmask = {__bits = {0, 0, 0, 0}}, td_siglist = {__bits = {0, 0, 0, 0}}, td_generation = 296981, td_sigstk = {ss_sp = 0x0, ss_size = 0, ss_flags = 0}, td_kflags = 0, td_xsig = 0, td_profil_addr = 0, td_profil_ticks = 0, td_base_pri = 76 'L', td_priority = 76 'L', td_pcb = 0xd49e9d90, td_state = TDS_RUNNING, td_retval = {0, 0}, td_slpcallout = {c_links = {sle = {sle_next = 0xc0a5572c}, tqe = {tqe_next = 0xc0a5572c, tqe_prev = 0xcdcdacd8}}, c_time = 29736265, c_arg = 0xc3a4de10, c_func = 0xc06fdfa0 , c_mtx = 0x0, c_flags = 18}, td_frame = 0xd49e9d38, td_kstack_obj = 0xc1844a50, td_kstack = 3567157248, td_kstack_pages = 2, td_altkstack_obj = 0x0, td_altkstack = 0, td_altkstack_pages = 0, td_critnest = 1, td_md = {md_spinlock_count = 1, md_saved_flags = 524870}, td_sched = 0xc3a4df64}
(kgdb) p *tp->td_proc
$4 = {p_list = {le_next = 0xc3a4c418, le_prev = 0xc3a4c000}, p_ksegrps = {tqh_first = 0xc3a4fea0, tqh_last = 0xc3a4fea4}, p_threads = {tqh_first = 0xc3a4de10, tqh_last = 0xc3a4de18}, p_suspended = {tqh_first = 0x0, tqh_last = 0xc3a4c224}, p_ucred = 0xc3a37d00, p_fd = 0xc3a51c00, p_fdtol = 0x0, p_stats = 0xc3a39100, p_limit = 0xc3a39400, p_sigacts = 0xc3a94000, p_flag = 516, p_sflag = 1, p_state = PRS_NORMAL, p_pid = 2, p_hash = {le_next = 0x0, le_prev = 0xc3a16008}, p_pglist = {le_next = 0xc3a4c418, le_prev = 0xc3a4c050}, p_pptr = 0xc0a49d00, p_sibling = {le_next = 0xc3a4c418, le_prev = 0xc3a4c05c}, p_children = {lh_first = 0x0}, p_mtx = {mtx_object = {lo_class = 0xc09e7184, lo_name = 0xc09851eb "process lock", lo_type = 0xc09851eb "process lock", lo_flags = 4390912, lo_list = {tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4, mtx_recurse = 0}, p_oppid = 0, p_vmspace = 0xc0a4a080, p_swtime = 10000, p_realtimer = {it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 0, tv_usec = 0}}, p_rux = {rux_runtime = {sec = 1, frac = 10376793096921630720}, rux_uticks = 0, rux_sticks = 2587, rux_iticks = 0, rux_uu = 0, rux_su = 1444000, rux_iu = 0}, p_crux = {rux_runtime = {sec = 0, frac = 0}, rux_uticks = 0, rux_sticks = 0, rux_iticks = 0, rux_uu = 0, rux_su = 0, rux_iu = 0}, p_profthreads = 0, p_maxthrwaits = 0, p_traceflag = 0, p_tracevp = 0x0, p_tracecred = 0x0, p_textvp = 0x0, p_siglist = {__bits = {0, 0, 0, 0}}, p_lock = 0 '\0', p_sigiolst = {slh_first = 0x0}, p_sigparent = 20, p_sig = 0, p_code = 0, p_stops = 0, p_stype = 0, p_step = 0 '\0', p_pfsflags = 0 '\0', p_nlminfo = 0x0, p_aioinfo = 0x0, p_singlethread = 0x0, p_suspcount = 0, p_xthread = 0x0, p_boundary_count = 0, p_procscopegrp = 0x0, p_magic = 3203398350, p_comm = "g_event", '\0' , p_pgrp = 0xc0a4a240, p_sysent = 0xc09e2240, p_args = 0x0, p_cpulimit = 9223372036854775807, p_nice = 0 '\0', p_xstat = 0, p_klist = {kl_list = {slh_first = 0x0}, kl_lock = 0xc06b7b60 , kl_unlock = 0xc06b7bb0 , kl_locked = 0xc06b7c00 , kl_lockarg = 0xc3a4c274}, p_numthreads = 1, p_numksegrps = 1, p_md = {md_ldt = 0x0}, p_itcallout = {c_links = {sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0x0}}, c_time = 0, c_arg = 0x0, c_func = 0, c_mtx = 0x0, c_flags = 16}, p_acflag = 1, p_ru = 0x0, p_peers = 0x0, p_leader = 0xc3a4c20c, p_emuldata = 0x0, p_label = 0x0, p_sched = 0xc3a4c418}
(kgdb) up
#11 0xc06be4df in fork_exit (callout=0xc06936f0 , arg=0x0, frame=0x0) at ../../../kern/kern_fork.c:805
805             callout(arg, frame);

Dmesg:
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 6.1-STABLE #0: Sat May 20 17:39:08 CEST 2006
    creep@carnivore:/home/src/sys/i386/compile/KALI
WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
WARNING: MPSAFE network stack disabled, expect reduced performance.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD Athlon(tm) 64 Processor 3700+ (2401.37-MHz 686-class CPU)
  Origin = "AuthenticAMD"  Id = 0xf4a  Stepping = 10
  Features=0x78bfbff
  AMD Features=0xe0500800
real memory  = 536281088 (511 MB)
avail memory = 506437632 (482 MB)
ACPI APIC Table:
MADT: Forcing active-low polarity and level trigger for SCI
ioapic0 irqs 0-23 on motherboard
acpi0: on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
acpi_ec0: port 0x62,0x66 on acpi0
cpu0: on acpi0
powernow0: on cpu0
pcib0: port 0xcf8-0xcff on acpi0
pci0: on pcib0
agp0: mem 0xd0000000-0xdfffffff at device 0.0 on pci0
pcib1: at device 1.0 on pci0
pci1: on pcib1
nvidia0: mem 0xc1000000-0xc1ffffff,0xe0000000-0xefffffff irq 16 at device 0.0 on pci1
nvidia0: [GIANT-LOCKED]
ndis0: port 0x1c00-0x1c1f mem 0xc0006000-0xc000601f,0xc0005000-0xc00057ff irq 21 at device 10.0 on pci0
ndis0: [GIANT-LOCKED]
ndis0: NDIS API version: 5.1
ndis0: Ethernet address: 00:0e:9b:99:ee:a8
cbb0: irq 17 at device 11.0 on pci0
cardbus0: on cbb0
pccard0: <16-bit PCCard bus> on cbb0
cbb1: irq 18 at device 11.1 on pci0
cardbus1: on cbb1
pccard1: <16-bit PCCard bus> on cbb1
fwohci0: <1394 Open Host Controller Interface> mem 0xc0005800-0xc0005fff,0xc0000000-0xc0003fff irq 19 at device 11.2 on pci0
fwohci0: [GIANT-LOCKED]
fwohci0: OHCI version 1.10 (ROM=0)
fwohci0: No. of Isochronous channels is 4.
fwohci0: EUI64 00:0a:e4:05:10:10:5b:ee
fwohci0: Phy 1394a available S400, 2 ports.
fwohci0: Link S400, max_rec 2048 bytes.
firewire0: on fwohci0
fwe0: on firewire0
if_fwe0: Fake Ethernet address: 02:0a:e4:10:5b:ee
fwe0: Ethernet address: 02:0a:e4:10:5b:ee
sbp0: on firewire0
fwohci0: Initiate bus reset
fwohci0: node_id=0xc800ffc0, gen=1, CYCLEMASTER mode
firewire0: 1 nodes, maxhop <= 0, cable IRM = 0 (me)
firewire0: bus manager 0 (me)
re0: port 0x1000-0x10ff mem 0xc0006400-0xc00064ff irq 22 at device 12.0 on pci0
miibus0: on re0
rgephy0: on miibus0
rgephy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX, 1000baseTX-FDX, auto
re0: Ethernet address: 00:0a:e4:a7:d3:4a
re0: [GIANT-LOCKED]
uhci0: port 0x1c20-0x1c3f at device 16.0 on pci0
uhci0: [GIANT-LOCKED]
usb0: on uhci0
usb0: USB revision 1.0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: port 0x1c40-0x1c5f at device 16.1 on pci0
uhci1: [GIANT-LOCKED]
usb1: on uhci1
usb1: USB revision 1.0
uhub1: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2: port 0x1c60-0x1c7f at device 16.2 on pci0
uhci2: [GIANT-LOCKED]
usb2: on uhci2
usb2: USB revision 1.0
uhub2: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0: mem 0xc0006800-0xc00068ff at device 16.3 on pci0
ehci0: [GIANT-LOCKED]
usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: on ehci0
usb3: USB revision 2.0
uhub3: VIA EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
isab0: at device 17.0 on pci0
isa0: on isab0
atapci0: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x1c80-0x1c8f at device 17.1 on pci0
ata0: on atapci0
ata1: on atapci0
pcm0: port 0x1400-0x14ff irq 22 at device 17.5 on pci0
pcm0:
pci0: at device 17.6 (no driver attached)
acpi_acad0: on acpi0
battery0: on acpi0
acpi_lid0: on acpi0
acpi_button0: on acpi0
acpi_tz0: on acpi0
acpi_tz1: on acpi0
atkbdc0: port 0x60,0x64 irq 1 on acpi0
atkbd0: irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
psm0: irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: model Synaptics Touchpad, device ID 0
ppc0: port 0x378-0x37f,0x778-0x77f irq 7 drq 3 on acpi0
ppc0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes threshold
ppbus0: on ppc0
plip0: on ppbus0
lpt0: on ppbus0
lpt0: Interrupt-driven port
ppi0: on ppbus0
sio0 port 0x2f8-0x2ff irq 3 drq 1 flags 0x10 on acpi0
sio0: type 16550A
pmtimer0 on isa0
orm0: at iomem 0xc0000-0xcffff,0xd8000-0xdbfff,0xdc000-0xdffff on isa0
sc0: at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 2401373988 Hz quality 800
Timecounters tick every 1.000 msec
IPsec: Initialized Security Association Processing.
ad0: 95396MB at ata0-master UDMA100
acd0: DVDR at ata1-master UDMA33
cd0 at ata1 bus 0 target 0 lun 0
cd0: Removable CD-ROM SCSI-0 device
cd0: 33.000MB/s transfers
cd0: cd present [1429248 x 2048 byte records]
Trying to mount root from ufs:/dev/ad0s1a
>How-To-Repeat:
no idea.
>Fix:
no idea.
>Release-Note:
>Audit-Trail:
>Unformatted:
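The failure mode visible in frames #7 and #8, as an added user-space illustration that is not part of the report or of FreeBSD: a detach callback queued for a deferred event thread runs after the softc it needs has already been dropped, so `cdp` is NULL when `g_wither_geom(cdp->gp, ENXIO)` executes (the fault address 0x3b0 with `cdp == 0x0` says `gp` sits at that offset in the real `struct acd_softc`). The struct names mirror the trace but are minimal stand-ins whose layouts differ from the kernel's; `post_event`, `run_events` and `wither_geom` are models of the GEOM routines in the backtrace, not their code; and treating `arg` as the device that owns the softc is an assumption, since the report only shows `arg` non-NULL and `cdp` NULL. The report gives no root cause, so the ordering reproduced here is one way to reach that state, not a claim about the actual bug. The example shows the guard the crashing line lacked and the ordering (drain the event before tearing down) that keeps the callback from ever seeing a NULL softc.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for the kernel objects named in the trace; only the fields the
 * example touches are modelled, the real FreeBSD layouts differ. */
struct g_geom     { int withered; int error; };
struct acd_softc  { struct g_geom *gp; };
struct ata_device { struct acd_softc *softc; };

/* One deferred event, as g_post_event() queues for the g_event thread. */
struct g_event {
    void (*func)(void *arg, int flag);
    void *arg;
    struct g_event *next;
};
static struct g_event *event_queue;

/* Queue an event and return at once, like g_post_event(). */
static void post_event(void (*func)(void *, int), void *arg)
{
    struct g_event *ep = calloc(1, sizeof(*ep)), **tail = &event_queue;
    if (ep == NULL)
        abort();
    ep->func = func;
    ep->arg = arg;
    while (*tail != NULL)
        tail = &(*tail)->next;
    *tail = ep;
}

/* Drain the queue the way one_event()/g_run_events() do. */
static void run_events(void)
{
    while (event_queue != NULL) {
        struct g_event *ep = event_queue;
        event_queue = ep->next;
        ep->func(ep->arg, 0);           /* frame #8: ep->func(ep->arg, 0) */
        free(ep);
    }
}

/* Stand-in for g_wither_geom(): only records that it was reached. */
static void wither_geom(struct g_geom *gp, int error)
{
    gp->withered = 1;
    gp->error = error;
}

static int last_detach_status;          /* 0: geom withered; ENXIO: softc gone */

/* Detach callback with the check frame #7 lacked: there cdp was NULL when
 * g_wither_geom(cdp->gp, ENXIO) ran, and the read of cdp->gp is the 0x3b0
 * page fault.  The guard records ENXIO instead of dereferencing NULL. */
static void acd_geom_detach_guarded(void *arg, int flag)
{
    struct ata_device *atadev = arg;    /* assumption: arg is the device */
    struct acd_softc *cdp = atadev->softc;
    (void)flag;
    if (cdp == NULL || cdp->gp == NULL) {
        last_detach_status = ENXIO;
        return;
    }
    wither_geom(cdp->gp, ENXIO);
    last_detach_status = 0;
}

/* Constructed fixtures, reset before each scenario so a caller can inspect
 * them afterwards. */
static struct g_geom demo_geom;
static struct acd_softc demo_softc;
static struct ata_device demo_dev;

/* Run one detach.  safe_order == 0 mirrors the trace: the softc is dropped
 * while the event is still queued, so g_event later sees NULL.  safe_order
 * != 0 drains the event first (g_waitfor_event-style) and then tears down. */
static int run_scenario(int safe_order)
{
    demo_geom.withered = demo_geom.error = 0;
    demo_softc.gp = &demo_geom;
    demo_dev.softc = &demo_softc;

    post_event(acd_geom_detach_guarded, &demo_dev);
    if (safe_order) {
        run_events();                   /* callback sees a live softc */
        demo_dev.softc = NULL;
    } else {
        demo_dev.softc = NULL;          /* "acd0: FAILURE - device detached" */
        run_events();                   /* g_event wakes up; softc is gone */
    }
    return last_detach_status;
}

int main(void)
{
    int st = run_scenario(0);
    printf("softc dropped first: status %d, withered %d\n", st, demo_geom.withered);
    st = run_scenario(1);
    printf("event drained first: status %d, withered %d\n", st, demo_geom.withered);
    return 0;
}
```

Build with `cc -Wall -o acd_detach_demo acd_detach_demo.c` and run it. In the first ordering the guard returns ENXIO and the geom is never withered, which is the state the unguarded kernel code turned into a page fault; in the second the callback withers the geom with ENXIO and only then does the softc go away. Both changes are worth having: the guard makes the callback tolerate a torn-down softc, and the ordering removes the window in which it can happen.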