From owner-freebsd-current@FreeBSD.ORG Sat Jun 22 22:26:21 2013
From: Hans Petter Selasky
Organization: Bitfrost A/S
Date: Sun, 23 Jun 2013 00:24:55 +0200
To: freebsd-current@freebsd.org
Subject: NULL pointer crash in exit1() when running certain Linux binaries
Message-ID: <51C62437.8040005@bitfrost.no>

Hi,

The following crash has been observed using FreeBSD 9-stable amd64:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x20
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff81765bb6
stack pointer           = 0x28:0xffffff81225cb9a0
frame pointer           = 0x28:0xffffff81225cba30
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 2458 (XXXXXXXX)
trap number             = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xffffffff809553b6 at kdb_backtrace+0x66
#1 0xffffffff8091c72e at panic+0x1ce
#2 0xffffffff80cabb40 at trap_fatal+0x290
#3 0xffffffff80cabea1 at trap_pfault+0x211
#4 0xffffffff80cac454 at trap+0x344
#5 0xffffffff80c957e3 at calltrap+0x8
#6 0xffffffff808e68ab at exit1+0x1bb
#7 0xffffffff81773dcf at linux_exit_group+0xaf
#8 0xffffffff80d2728e at ia32_syscall+0x57e
#9 0xffffffff80c95db1 at Xint0x80_syscall+0x91
Uptime: 40m36s

#7  0xffffffff81765bb6 in linux_proc_exit (arg=, p=) at /usr/img/freebsd.9/sys/modules/linux/../../compat/linux/linux_emul.c:326
#8  0xffffffff808e68ab in exit1 (td=0xfffffe0130cce490, rv=) at /usr/img/freebsd.9/sys/kern/kern_exit.c:261
#9  0xffffffff81773dcf in linux_exit_group (td=0xfffffe0130cce490, args=0xffffff81225cbb70) at /usr/img/freebsd.9/sys/modules/linux/../../compat/linux/linux_misc.c:1686
#10 0xffffffff80d2728e in ia32_syscall (frame=0xffffff81225cbc00) at subr_syscall.c:135
#11 0xffffffff80c95db1 in Xint0x80_syscall () at ia32_exception.S:73
#12 0x00000000080f2047 in ?? ()
Previous frame inner to this frame (corrupt stack?)

        /* Are we a task leader? */
        if (p == p->p_leader) {
 364:   4d 8b a6 18 04 00 00    mov    0x418(%r14),%r12
 36b:   4d 39 f4                cmp    %r14,%r12
 36e:   0f 84 c2 0d 00 00       je     1136
        /*
         * Check if any loadable modules need anything done at process exit.
         * E.g. SYSV IPC stuff
         * XXX what if one of these generates an error?
         */
        EVENTHANDLER_INVOKE(process_exit, p);
 374:   48 c7 c7 00 00 00 00    mov    $0x0,%rdi
 377:                   R_X86_64_32S    .rodata.str1.1+0xf
 37b:   e8 00 00 00 00          callq  380
 37c:                   R_X86_64_PC32   eventhandler_find_list+0xfffffffffffffffc
 380:   48 85 c0                test   %rax,%rax
 383:   49 89 c4                mov    %rax,%r12
 386:   0f 84 e3 00 00 00       je     46f
 38c:   8b 40 0c                mov    0xc(%rax),%eax
 38f:   4d 8b 6c 24 40          mov    0x40(%r12),%r13
 394:   83 c0 01                add    $0x1,%eax
 397:   4d 85 ed                test   %r13,%r13
 39a:   41 89 44 24 0c          mov    %eax,0xc(%r12)
 39f:   0f 84 97 00 00 00       je     43c
 3a5:   4d 8d 7c 24 10          lea    0x10(%r12),%r15
 3aa:   eb 40                   jmp    3ec
 3ac:   0f 1f 40 00             nopl   0x0(%rax)
 3b0:   4c 89 f6                mov    %r14,%rsi
 3b3:   49 8b 7d 18             mov    0x18(%r13),%rdi
 3b7:   41 ff 55 20             callq  *0x20(%r13)
                                ^^^ NULL pointer
 3bb:   65 48 8b 34 25 00 00    mov    %gs:0x0,%rsi
 3c2:   00 00
 3c4:   48 89 d8                mov    %rbx,%rax
 3c7:   f0 49 0f b1 74 24 28    lock cmpxchg %rsi,0x28(%r12)
 3ce:   0f 94 c0                sete   %al
 3d1:   84 c0                   test   %al,%al
 3d3:   74 4a                   je     41f
 3d5:   8b 3d 00 00 00 00       mov    0x0(%rip),%edi        # 3db

The issue seems to be reproducible and possibly also exists in -current.

Any clues?

--HPS
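The disassembly in the report shows the process_exit handler loop loading each entry's argument from one slot and then making an indirect call through the next slot, which is where the NULL function pointer is hit. The C model below is an added example written for this page, not FreeBSD's sys/eventhandler.h or the linux module's code; every name in it (handler_entry, handler_list, handler_register, invoke_checked, demo_* and the tag values) is hypothetical. It keeps the same field order as the loop implies (link, priority, arg, function pointer), registers two valid handlers plus one constructed entry whose function slot is NULL, and contrasts the unchecked loop with a checked one that skips and counts NULL slots instead of faulting. The pid 2458 is the value from the trap output; the handlers and their tags are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a process_exit handler list. Names are hypothetical,
 * not FreeBSD's eventhandler API; only the field order mirrors what the
 * crash disassembly implies: link, priority, arg, then the function slot
 * that the indirect call goes through. */

struct proc { int pid; };

typedef void (*process_exit_fn)(void *arg, struct proc *p);

struct handler_entry {
    struct handler_entry *next;   /* list link */
    int priority;                 /* lower value runs first */
    void *arg;                    /* opaque argument handed to func */
    process_exit_fn func;         /* a NULL here is exactly the bad state */
};

struct handler_list {
    struct handler_entry *head;
    int running;                  /* "list in use" counter, bumped around the walk */
};

/* Insert keeping the list sorted by priority (stable for equal priorities). */
static void handler_register(struct handler_list *list, struct handler_entry *e)
{
    struct handler_entry **pp = &list->head;
    while (*pp != NULL && (*pp)->priority <= e->priority)
        pp = &(*pp)->next;
    e->next = *pp;
    *pp = e;
}

/* Unchecked walk: what the loop in the report does. With a NULL function
 * slot this is the supervisor read of a low address that the trap shows. */
static void invoke_unchecked(struct handler_list *list, struct proc *p)
{
    for (struct handler_entry *e = list->head; e != NULL; e = e->next)
        e->func(e->arg, p);
}

/* Checked walk: skip entries whose function slot is NULL and return how
 * many were skipped, so the caller can log or assert on a corrupted list
 * rather than panic in exit1(). */
static int invoke_checked(struct handler_list *list, struct proc *p)
{
    int skipped = 0;
    list->running++;
    for (struct handler_entry *e = list->head; e != NULL; e = e->next) {
        if (e->func == NULL) {
            skipped++;
            continue;
        }
        e->func(e->arg, p);
    }
    list->running--;
    return skipped;
}

/* Constructed handler that records the tag passed as arg, in call order. */
static int calls_seen;
static int order_log[8];

static void count_handler(void *arg, struct proc *p)
{
    (void)p;
    order_log[calls_seen++] = *(int *)arg;
}

/* Build a list with two valid handlers and one poisoned entry (func == NULL),
 * run the checked walk, and return the number of NULL slots skipped. */
int demo_exit_with_null_entry(void)
{
    static int tag_a = 10, tag_b = 20;
    struct handler_entry a   = { NULL, 100, &tag_a, count_handler };
    struct handler_entry b   = { NULL,  50, &tag_b, count_handler };
    struct handler_entry bad = { NULL,  75, NULL,   NULL };   /* constructed poison */
    struct handler_list list = { NULL, 0 };
    struct proc p = { 2458 };   /* pid from the trap output */

    calls_seen = 0;
    handler_register(&list, &a);
    handler_register(&list, &b);
    handler_register(&list, &bad);
    return invoke_checked(&list, &p);
}

int demo_calls_seen(void) { return calls_seen; }
int demo_first_tag(void)  { return order_log[0]; }

int main(void)
{
    /* A clean list is safe to walk unchecked. */
    static int tag = 1;
    struct handler_entry ok = { NULL, 0, &tag, count_handler };
    struct handler_list clean = { NULL, 0 };
    struct proc p = { 2458 };
    handler_register(&clean, &ok);
    invoke_unchecked(&clean, &p);

    int skipped = demo_exit_with_null_entry();
    printf("handlers run: %d, NULL slots skipped: %d\n", calls_seen, skipped);
    return 0;
}
```

The checked walk is a containment measure, not a fix: an entry with a NULL function slot means the list was built or modified incorrectly, so the skip count should be surfaced (printed, counted, or asserted in a debug build) so the registration bug is found rather than silently tolerated.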