Date:      Thu, 20 Jan 2000 09:05:26 +0100
From:      Wilco Oelen <wilco.oelen@cmg.nl>
To:        "'freebsd-bugs@FreeBSD.org'" <freebsd-bugs@FreeBSD.org>
Subject:   bug in FreeBSD 3.3-RELEASE
Message-ID:  <77BF6063714DD21188A500104BB3F93C170370@NL-GRO-MAIL01>


Hello,

I think I found a bug in FreeBSD, which allows an ordinary user to cause a
kernel panic. The problem (or bug?) is reported in the attached document.


 <<BUG.TXT>> 

Could you please answer me if you have a solution for this problem?

Thanks in advance,

Wilco Oelen

A reply can be sent to wilco.oelen@cmg.nl




Hello,

I want to report a problem, which might be due to a bug in the memory
management system of FreeBSD. As an ordinary user I can cause the system
to panic without the need to have superuser privileges. In order to do
so I used the following program:

-------------------------------------
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
  char *a[200];            /* one pointer per 1 MByte block */
  int i;

  for (i=0; i<200; i++)
   {
    if (i%10 == 0)
      printf("%d\n", i);   /* progress: prints 0, 10, 20, ... */
    a[i] = (char *)malloc(1024*1024);   /* reserve 1 MByte; never written to */
    if (!a[i])
      exit(1);             /* bail out if malloc() ever returns NULL */
   }

  getchar();               /* hold the reservations until ENTER (or ^Z) */

  return 0;
}
----------------------------------------

The program is compiled without any options: cc -o largemem largemem.c,
where largemem is the name of the program given above.
The program allocates 200 MBytes of memory, but does not actually write to
it, so it does not cause any memory pages to be physically written to.

In order to make the kernel panic I do the following:

Log in as ordinary user (either on the local console or through a network
connection with telnet).

Start the program. It prints number 0 up to 19 and waits for a character
to be entered. Pressing <ENTER> stops the program.
I use ^Z in order to suspend the program instead of stopping it.
The above is repeated approximately 10 times.

Next, I bring back the processes in the foreground using 'fg' and press
<ENTER> to make the program stop. I repeat this action, until I have
no jobs left in my current login session. This procedure almost certainly
causes my system to panic with an error message, which can be found in
the kernel source file /usr/src/sys/i386/i386/pmap.c. One message, which
frequently appears is: "pmap_enter: attempted pmap_enter on 4MB page".


Below, I give some info which may help you in analyzing the bug report:



Here follows the dmesg output, giving you the kernel info:
-------------------------------------------------------------

Copyright (c) 1992-1999 FreeBSD Inc.
Copyright (c) 1982, 1986, 1989, 1991, 1993
	The Regents of the University of California. All rights reserved.
FreeBSD 3.3-RELEASE #7: Fri Jan  7 08:17:01 CET 2000
    root@ser2.home:/usr/src/sys/compile/HOME
Timecounter "i8254"  frequency 1193182 Hz
Timecounter "TSC"  frequency 400910606 Hz
CPU: AMD-K6(tm) 3D+ Processor (400.91-MHz 586-class CPU)
  Origin = "AuthenticAMD"  Id = 0x591  Stepping = 1
  Features=0x8021bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX>
  AMD Features=0x80000800<SYSCALL,3DNow!>
real memory  = 67108864 (65536K bytes)
avail memory = 62611456 (61144K bytes)
Preloaded elf kernel "kernel" at 0xc0288000.
Probing for devices on PCI bus 0:
chip0: <Intel 82439TX System Controller (MTXC)> rev 0x01 on pci0.0.0
chip1: <Intel 82371AB PCI to ISA bridge> rev 0x01 on pci0.7.0
ide_pci0: <Intel PIIX4 Bus-master IDE controller> rev 0x01 on pci0.7.1
chip2: <Intel 82371AB Power management controller> rev 0x01 on pci0.7.3
vx0: <3COM 3C595 Fast Etherlink III PCI> rev 0x00 int a irq 11 on pci0.14.0
utp/tx[*utp*] address 00:a0:24:cf:41:71
Probing for devices on the ISA bus:
sc0 on isa
sc0: VGA color <16 virtual consoles, flags=0x0>
atkbdc0 at 0x60-0x6f on motherboard
atkbd0 irq 1 on isa
sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: FIFO enabled, 8 bytes threshold
fd0: 1.44MB 3.5in
wdc0 at 0x1f0-0x1f7 irq 14 on isa
wdc0: unit 0 (wd0): <QUANTUM FIREBALL1080A>
wd0: 1039MB (2128896 sectors), 2112 cyls, 16 heads, 63 S/T, 512 B/S
wdc1 at 0x170-0x177 irq 15 on isa
wdc1: unit 0 (wd2): <WDC AC2250>
wd2: 244MB (499950 sectors), 1010 cyls, 9 heads, 55 S/T, 512 B/S
wdc1: unit 1 (wd3): <st3120AT>
wd3: 102MB (208896 sectors), 1024 cyls, 12 heads, 17 S/T, 512 B/S
scd0 at 0x340-0x343 on isa
scd0: <SONY CD-ROM CDU33A Rev 1.0f>
ppc0 at 0x378 irq 7 flags 0x40 on isa
ppc0: Generic chipset (NIBBLE-only) in COMPATIBLE mode
ppi0: <generic parallel i/o> on ppbus 0
plip0: <PLIP network interface> on ppbus 0
vga0 at 0x3b0-0x3df maddr 0xa0000 msize 131072 on isa
npx0 on motherboard
npx0: INT 16 interface
changing root device to wd0s1a



Info about the computer on which FreeBSD 3.3-RELEASE is running:
------------------------------------------------------------------
CPU: AMD K6-III, 450 MHz (underclocked to 400 MHz, it runs on an
     old mainboard with 66 MHz busclock, highest multiplier
     which can be used equals 6).
Mainboard: Chaintech 5TDM2, socket 7 mainboard (66 MHz busclock).
Memory: 64 MByte PC66 SDRAM
Cache: 512 KByte pipeline burst cache on mainboard, but this cache
       is mostly overruled by the processor's L2 cache (K6-III has
       256 KBytes of L2 cache).


The /etc/fstab file:
---------------------
# Device		Mountpoint	FStype	Options		Dump	Pass#
/dev/wd0s1b		none		swap	sw		0	0
/dev/wd2s1b		none		swap	sw		0	0
/dev/wd0s1a		/		ufs	rw		1	1
/dev/wd0s1e		/afs1		ufs	rw		2	2
/dev/wd0s1f		/usr		ufs	rw		2	2
/dev/wd3s1		/home		ufs	rw		2	2
proc			/proc		procfs	rw		0	0




The output of df:
-------------------
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/wd0s1a     48415    21978    22564    49%    /
/dev/wd0s1e    193767    31693   146573    18%    /afs1
/dev/wd0s1f    740783   188265   493256    28%    /usr
/dev/wd3s1     100518    43927    48550    48%    /home
procfs              4        4        0   100%    /proc



Swap partitions:
------------------
/dev/wd0s1b : appr. 50 MByte
/dev/wd2s1b : appr. 250 Mbyte



Kernel configuration:
----------------------
machine		"i386"
cpu		"I586_CPU"
cpu		"I686_CPU"
options		"NO_F00F_HACK"
options		CPU_WT_ALLOC	# K6 feature
options		NO_MEMORY_HOLE	# K6 feature

makeoptions COPTFLAGS="-O2"

ident		HOME
maxusers	32

options 	INET			#InterNETworking
options 	FFS			#Berkeley Fast Filesystem
options 	FFS_ROOT		#FFS usable as root device [keep this!]
#options 	MFS			#Memory Filesystem
#options 	MFS_ROOT		#MFS usable as root device, "MFS" req'ed
options 	NFS			#Network Filesystem
options 	NFS_ROOT		#NFS usable as root device, "NFS" req'ed
options 	MSDOSFS			#MSDOS Filesystem
options 	"CD9660"		#ISO 9660 Filesystem
#options 	"CD9660_ROOT"		#CD-ROM usable as root. "CD9660" req'ed
options 	PROCFS			#Process filesystem
options 	"COMPAT_43"		#Compatible with BSD 4.3 [KEEP THIS!]
#options 	SCSI_DELAY=15000	#Be pessimistic about Joe SCSI device
options 	UCONSOLE		#Allow users to grab the console
options 	FAILSAFE		#Be conservative
options 	USERCONFIG		#boot -c editor
options 	VISUAL_USERCONFIG	#visual boot -c editor
options 	KTRACE			#ktrace(1) syscall trace support
options 	SYSVSHM			#SYSV-style shared memory
options 	SYSVMSG			#SYSV-style message queues
options 	SYSVSEM			#SYSV-style semaphores


config		kernel	root on wd0

controller	isa0
controller	pci0

# Floppy drives
controller	fdc0	at isa? port "IO_FD1" bio irq 6 drq 2
disk		fd0	at fdc0 drive 0

# IDE controller and disks
controller	wdc0	at isa? port "IO_WD1" bio irq 14
disk		wd0	at wdc0 drive 0
#disk		wd1	at wdc0 drive 1

controller	wdc1	at isa? port "IO_WD2" bio irq 15
disk		wd2	at wdc1 drive 0
disk		wd3	at wdc1 drive 1

# ATAPI devices
#options	ATAPI		#Enable ATAPI support for IDE bus
#options	ATAPI_STATIC	#Don't do it as an LKM
#device		acd0		#IDE CD-ROM

# Proprietary or custom CD-ROM Interfaces
device		scd0	at isa? port 0x340 bio

# atkbdc0 controls both the keyboard and the PS/2 mouse
controller	atkbdc0	at isa? port IO_KBD tty
device		atkbd0	at isa? tty irq 1
#device		psm0	at isa? tty irq 12

device		vga0	at isa? port ? conflicts

# splash screen/screen saver
pseudo-device	splash

# syscons is the default console driver, resembling an SCO console
device		sc0	at isa? tty

# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device		vt0	at isa? tty
#options 	XSERVER			# support for X server
#options 	FAT_CURSOR		# start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options 	PCVT_SCANSET=2		# IBM keyboards are non-std

# Floating point support - do not disable.
device		npx0	at isa? port IO_NPX irq 13


# Serial (COM) ports
device		sio0	at isa? port "IO_COM1" flags 0x10 tty irq 4
device		sio1	at isa? port "IO_COM2" tty irq 3
#device		sio2	at isa? disable port "IO_COM3" tty irq 5
#device		sio3	at isa? disable port "IO_COM4" tty irq 9

# Parallel port
device		ppc0	at isa? port? flags 0x40 net irq 7
controller	ppbus0			# Parallel port bus (required)
#device		lpt0	at ppbus?	# Printer
device		plip0	at ppbus?	# TCP/IP over parallel
device		ppi0	at ppbus?	# Parallel port interface device

# PCI Ethernet NICs.
device		vx0		# 3Com 3c590, 3c595 (``Vortex'')
#device		xl0		# 3Com 3c90x (``Boomerang'', ``Cyclone'')

# Pseudo devices - the number indicates how many units to allocated.
pseudo-device	loop		# Network loopback
pseudo-device	ether		# Ethernet support
#pseudo-device	sl	1	# Kernel SLIP
pseudo-device	ppp	2	# Kernel PPP
options		"PPP_BSDCOMP"
pseudo-device	tun	1	# Packet tunnel
pseudo-device	pty	32	# Pseudo-ttys (telnet etc)
pseudo-device	gzip		# Exec gzipped a.out's
pseudo-device	vn		# Allow regular files to be used as devices




I have done the test with the 250 MBytes swap partition removed as well,
leaving only appr. 50 MBytes for swap. This has no effect. I still can
easily panic the system, using the procedure mentioned above.

I also did the test with the compiler option -O2 removed and doing a
complete rebuild of the kernel. This does not solve the problem.

I would be pleased to hear more about this bug report. Things are not
bleeding for me if FreeBSD has this bug, but I think it is serious
enough to be worth posting to you.

It might be due to my hardware setup, but if that is the case, could you
please let me know? The hardware I have is not very special, however,
so I doubt that it is due to hardware problems.
The system runs perfectly stable (also under extreme load, running
350+ processes concurrently which take lots of CPU time and do disk I/O)
for extended periods of time, as long as I do not allocate very
large amounts of memory.

Another thing that surprises me is that I can allocate much more memory
than the sum of available swap space and physical memory. I built
a check into the malloc program, but it does not return NULL-pointers
from the malloc() function, not even if I only have 50 MBytes of swap and
if I run multiple instances of the program.
As soon as I really use the memory (e.g. by writing to it, using memset()),
then I indeed cannot use more than the sum of physical memory and swap. If I
use more, then my program stops because of receipt of a BUS signal.

I hope that this bug report helps you in making FreeBSD even better than
it is now. If you have any questions, do not hesitate to contact me at
my mail address (wilco.oelen@cmg.nl).

With regards,

Wilco Oelen
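
The report's last observation, that malloc() hands out far more than physical memory plus swap and the program only dies once the pages are actually written, is lazy overcommit: a reservation is not backed by a page until it is touched. The usual defensive control against an ordinary user reserving unbounded memory is a per-process resource limit set by the login class or the shell. The C program below is an added example, not code from the report or from FreeBSD. It assumes a POSIX system that provides RLIMIT_AS (an address-space limit) and an allocator whose large allocations are charged against that limit; whether RLIMIT_DATA or RLIMIT_AS is the one that bites depends on whether the allocator uses brk or mmap, so treat that as an assumption. It temporarily lowers the soft limit and shows that the same 200 MByte reservation is then refused with a NULL return instead of being overcommitted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

/* Added example; not part of the original bug report.
 * Assumes RLIMIT_AS is available and applies to malloc()'s mappings. */

#define MIB (1024UL * 1024UL)

/* Reserve `bytes` with malloc() without touching them, exactly as the
 * report's program does. Returns 1 if malloc() succeeded (the block is
 * freed again), 0 if it returned NULL. */
int try_reserve(size_t bytes)
{
    void *p = malloc(bytes);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

/* Repeat the reservation while the soft RLIMIT_AS is temporarily set to
 * `limit_bytes` (capped at the hard limit), then restore the old soft
 * limit. Returns 1 if malloc() succeeded under the limit, 0 if it
 * returned NULL, -1 if the limit could not be read or set. */
int try_reserve_under_limit(size_t bytes, rlim_t limit_bytes)
{
    struct rlimit old, tmp;
    int ok;

    if (getrlimit(RLIMIT_AS, &old) != 0)
        return -1;

    tmp = old;
    tmp.rlim_cur = limit_bytes;
    if (tmp.rlim_cur > old.rlim_max)   /* soft limit may not exceed hard limit */
        tmp.rlim_cur = old.rlim_max;
    if (setrlimit(RLIMIT_AS, &tmp) != 0)
        return -1;

    ok = try_reserve(bytes);

    /* Raising the soft limit back to its previous value is permitted for an
     * unprivileged process as long as it stays at or below the hard limit. */
    setrlimit(RLIMIT_AS, &old);
    return ok;
}

int main(void)
{
    size_t bytes = 200 * MIB;   /* same amount as the report's program */
    int r;

    printf("no limit:            malloc(200 MByte) %s\n",
           try_reserve(bytes) ? "succeeded (overcommitted)" : "returned NULL");

    r = try_reserve_under_limit(bytes, 64 * MIB);
    printf("RLIMIT_AS 64 MByte:  malloc(200 MByte) %s\n",
           r == 1 ? "succeeded" : r == 0 ? "returned NULL" : "limit not settable");
    return 0;
}
```

Compiled with plain cc like the report's program, the first line shows whether the system overcommits the untouched reservation; the second shows the allocation failing cleanly once an address-space limit is in place. The same effect is obtained without any code by setting the limit in the login class or with the shell's ulimit before starting such a program, which confines a single user's reservations to a known bound.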
