From owner-freebsd-bugs Thu Jan 20 0: 3:10 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from nl-imail01.cmg.nl (nl-mail-dmz.cmg-gecis.nl [195.109.155.100]) by hub.freebsd.org (Postfix) with ESMTP id C73A415308 for ; Thu, 20 Jan 2000 00:02:53 -0800 (PST) (envelope-from wilco.oelen@cmg.nl)
Received: from nl-amv-route01.cmg.nl (NL-AMV-ROUTE01 [10.16.127.107]) by nl-imail01.cmg.nl with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.10) id C9AQ3YKX; Thu, 20 Jan 2000 08:58:39 +0100
Received: by NL-AMV-ROUTE01 with Internet Mail Service (5.5.2232.9) id ; Thu, 20 Jan 2000 09:05:29 +0100
Message-ID: <77BF6063714DD21188A500104BB3F93C170370@NL-GRO-MAIL01>
From: Wilco Oelen
To: "'freebsd-bugs@FreeBSD.org'"
Subject: bug in FreeBSD 3.3-RELEASE
Date: Thu, 20 Jan 2000 09:05:26 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2232.9)
Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01BF631D.1C7AB64E"
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.

------_=_NextPart_000_01BF631D.1C7AB64E
Content-Type: text/plain; charset="iso-8859-1"

Hello,

I think I found a bug in FreeBSD, which allows an ordinary user to cause a kernel panic. The problem (or bug?) is reported in the attached document.

<>

Could you please answer me if you have a solution for this problem?

Thanks in advance,
Wilco Oelen

A reply can be sent to wilco.oelen@cmg.nl

------_=_NextPart_000_01BF631D.1C7AB64E
Content-Type: text/plain; name="BUG.TXT"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="BUG.TXT"
Content-Location: ATT-0-9DC01B8808CFD311AB3D00104BC2DC1B-B UG.TXT

Hello,

I want to report a problem, which might be due to a bug in the memory management system of FreeBSD. As an ordinary user I can cause the system to panic without the need to have superuser privileges.
In order to do so I used the following program:

-------------------------------------
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    char *a[200];
    int i;

    for (i=0; i<200; i++) {
        if (i%10 == 0)
            printf("%d\n", i);          /* print progress every 10th block */
        a[i] = (char *)malloc(1024*1024);   /* reserve 1 MByte, never written to */
        if (!a[i])
            exit(1);
    }
    getchar();                          /* keep the process alive until input */
    return 0;
}
----------------------------------------

The program is compiled without any options: cc -o largemem largemem.c, where largemem is the name of the program given above. The program allocates 200 MBytes of memory, but does not actually write to it, so it does not cause any memory pages to be physically written to.

In order to make the kernel panic I do the following:

Log in as ordinary user (either on the local console or through a network connection with telnet).

Start the program. It prints number 0 up to 19 and waits for a character to be entered. Pressing stops the program. I use ^Z in order to suspend the program instead of stopping it.

The above is repeated approximately 10 times.

Next, I bring back the processes in the foreground using 'fg' and press to make the program stop. I repeat this action, until I have no jobs left in my current login session. This procedure almost certainly causes my system to panic with an error message, which can be found in the kernel source file /usr/src/sys/i386/i386/pmap.c. One message, which frequently appears is: "pmap_enter: attempted pmap_enter on 4MB page".

Below, I give some info which may help you analyze the bug report:

Here follows the dmesg output, giving you the kernel info:
-------------------------------------------------------------
Copyright (c) 1992-1999 FreeBSD Inc.
Copyright (c) 1982, 1986, 1989, 1991, 1993
    The Regents of the University of California. All rights reserved.
FreeBSD 3.3-RELEASE #7: Fri Jan 7 08:17:01 CET 2000
    root@ser2.home:/usr/src/sys/compile/HOME
Timecounter "i8254" frequency 1193182 Hz
Timecounter "TSC" frequency 400910606 Hz
CPU: AMD-K6(tm) 3D+ Processor (400.91-MHz 586-class CPU)
  Origin = "AuthenticAMD" Id = 0x591 Stepping = 1
  Features=0x8021bf
  AMD Features=0x80000800
real memory = 67108864 (65536K bytes)
avail memory = 62611456 (61144K bytes)
Preloaded elf kernel "kernel" at 0xc0288000.
Probing for devices on PCI bus 0:
chip0: rev 0x01 on pci0.0.0
chip1: rev 0x01 on pci0.7.0
ide_pci0: rev 0x01 on pci0.7.1
chip2: rev 0x01 on pci0.7.3
vx0: <3COM 3C595 Fast Etherlink III PCI> rev 0x00 int a irq 11 on pci0.14.0
utp/tx[*utp*] address 00:a0:24:cf:41:71
Probing for devices on the ISA bus:
sc0 on isa
sc0: VGA color <16 virtual consoles, flags=0x0>
atkbdc0 at 0x60-0x6f on motherboard
atkbd0 irq 1 on isa
sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: FIFO enabled, 8 bytes threshold
fd0: 1.44MB 3.5in
wdc0 at 0x1f0-0x1f7 irq 14 on isa
wdc0: unit 0 (wd0):
wd0: 1039MB (2128896 sectors), 2112 cyls, 16 heads, 63 S/T, 512 B/S
wdc1 at 0x170-0x177 irq 15 on isa
wdc1: unit 0 (wd2):
wd2: 244MB (499950 sectors), 1010 cyls, 9 heads, 55 S/T, 512 B/S
wdc1: unit 1 (wd3):
wd3: 102MB (208896 sectors), 1024 cyls, 12 heads, 17 S/T, 512 B/S
scd0 at 0x340-0x343 on isa
scd0:
ppc0 at 0x378 irq 7 flags 0x40 on isa
ppc0: Generic chipset (NIBBLE-only) in COMPATIBLE mode
ppi0: on ppbus 0
plip0: on ppbus 0
vga0 at 0x3b0-0x3df maddr 0xa0000 msize 131072 on isa
npx0 on motherboard
npx0: INT 16 interface
changing root device to wd0s1a

Info about the computer on which FreeBSD 3.3-RELEASE is running:
------------------------------------------------------------------
CPU: AMD K6-III, 450 MHz (underclocked to 400 MHz, it runs on an old mainboard with 66 MHz busclock, highest multiplier which can be used equals 6).
Mainboard: Chaintech 5TDM2, socket 7 mainboard (66 MHz busclock).
Memory: 64 MByte PC66 SDRAM
Cache: 512 KByte pipeline burst cache on mainboard, but this cache is mostly overruled by the processor's L2 cache (K6-III has 256 KBytes of L2 cache).

The /etc/fstab file:
---------------------
# Device      Mountpoint  FStype  Options  Dump  Pass#
/dev/wd0s1b   none        swap    sw       0     0
/dev/wd2s1b   none        swap    sw       0     0
/dev/wd0s1a   /           ufs     rw       1     1
/dev/wd0s1e   /afs1       ufs     rw       2     2
/dev/wd0s1f   /usr        ufs     rw       2     2
/dev/wd3s1    /home       ufs     rw       2     2
proc          /proc       procfs  rw       0     0

The output of df:
-------------------
Filesystem   1K-blocks    Used   Avail  Capacity  Mounted on
/dev/wd0s1a      48415   21978   22564     49%    /
/dev/wd0s1e     193767   31693  146573     18%    /afs1
/dev/wd0s1f     740783  188265  493256     28%    /usr
/dev/wd3s1      100518   43927   48550     48%    /home
procfs               4       4       0    100%    /proc

Swap partitions:
------------------
/dev/wd0s1b : appr. 50 MByte
/dev/wd2s1b : appr. 250 Mbyte

Kernel configuration:
----------------------
machine "i386"
cpu "I586_CPU"
cpu "I686_CPU"
options "NO_F00F_HACK"
options CPU_WT_ALLOC # K6 feature
options NO_MEMORY_HOLE # K6 feature
makeoptions COPTFLAGS="-O2"
ident HOME
maxusers 32

options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
#options MFS #Memory Filesystem
#options MFS_ROOT #MFS usable as root device, "MFS" req'ed
options NFS #Network Filesystem
options NFS_ROOT #NFS usable as root device, "NFS" req'ed
options MSDOSFS #MSDOS Filesystem
options "CD9660" #ISO 9660 Filesystem
#options "CD9660_ROOT" #CD-ROM usable as root. "CD9660" req'ed
options PROCFS #Process filesystem
options "COMPAT_43" #Compatible with BSD 4.3 [KEEP THIS!]
#options SCSI_DELAY=15000 #Be pessimistic about Joe SCSI device
options UCONSOLE #Allow users to grab the console
options FAILSAFE #Be conservative
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
options KTRACE #ktrace(1) syscall trace support
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores

config kernel root on wd0

controller isa0
controller pci0

# Floppy drives
controller fdc0 at isa? port "IO_FD1" bio irq 6 drq 2
disk fd0 at fdc0 drive 0

# IDE controller and disks
controller wdc0 at isa? port "IO_WD1" bio irq 14
disk wd0 at wdc0 drive 0
#disk wd1 at wdc0 drive 1

controller wdc1 at isa? port "IO_WD2" bio irq 15
disk wd2 at wdc1 drive 0
disk wd3 at wdc1 drive 1

# ATAPI devices
#options ATAPI #Enable ATAPI support for IDE bus
#options ATAPI_STATIC #Don't do it as an LKM
#device acd0 #IDE CD-ROM

# Proprietary or custom CD-ROM Interfaces
device scd0 at isa? port 0x340 bio

# atkbdc0 controls both the keyboard and the PS/2 mouse
controller atkbdc0 at isa? port IO_KBD tty
device atkbd0 at isa? tty irq 1
#device psm0 at isa? tty irq 12

device vga0 at isa? port ? conflicts

# splash screen/screen saver
pseudo-device splash

# syscons is the default console driver, resembling an SCO console
device sc0 at isa? tty

# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device vt0 at isa? tty
#options XSERVER # support for X server
#options FAT_CURSOR # start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options PCVT_SCANSET=2 # IBM keyboards are non-std

# Floating point support - do not disable.
device npx0 at isa? port IO_NPX irq 13

# Serial (COM) ports
device sio0 at isa? port "IO_COM1" flags 0x10 tty irq 4
device sio1 at isa? port "IO_COM2" tty irq 3
#device sio2 at isa? disable port "IO_COM3" tty irq 5
#device sio3 at isa? disable port "IO_COM4" tty irq 9

# Parallel port
device ppc0 at isa? port? flags 0x40 net irq 7
controller ppbus0 # Parallel port bus (required)
#device lpt0 at ppbus? # Printer
device plip0 at ppbus? # TCP/IP over parallel
device ppi0 at ppbus? # Parallel port interface device

# PCI Ethernet NICs.
device vx0 # 3Com 3c590, 3c595 (``Vortex'')
#device xl0 # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# Pseudo devices - the number indicates how many units to allocated.
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
#pseudo-device sl 1 # Kernel SLIP
pseudo-device ppp 2 # Kernel PPP
options "PPP_BSDCOMP"
pseudo-device tun 1 # Packet tunnel
pseudo-device pty 32 # Pseudo-ttys (telnet etc)
pseudo-device gzip # Exec gzipped a.out's
pseudo-device vn # Allow regular files to be used as devices

I have done the test with the 250 MBytes swap partition removed as well, leaving only appr. 50 MBytes for swap. This has no effect. I still can easily panic the system, using the procedure mentioned above.

I also did the test with the compiler option -O2 removed and doing a complete rebuild of the kernel. This does not solve the problem.

I would be pleased to hear more about this bug report. Things are not bleeding for me if FreeBSD has this bug, but I think it is serious enough to be worth posting to you.

It might be due to my hardware setup, but if that is the case, could you please let me know? The hardware I have is not very special, however, so I doubt that it is due to hardware problems.

The system runs perfectly stable (also under extreme load, running 350+ processes concurrently which take lots of CPU time and do disk I/O) for extended periods of time, as long as I do not allocate very large amounts of memory.

Another thing that surprises me is that I can allocate much more memory than the sum of available swap space and physical memory.
I built a check into the malloc program, but it does not return NULL-pointers from the malloc() function, not even if I only have 50 MBytes of swap and if I run multiple instances of the program.

As soon as I really use the memory (e.g. by writing to it, using memset()), then I indeed cannot use more than the sum of physical memory and swap. If I use more, then my program stops because of receipt of a BUS signal.

I hope that this bug report helps you in making FreeBSD even better than it is now. If you have any questions, do not hesitate to contact me at my mail address (wilco.oelen@cmg.nl).

With regards,
Wilco Oelen

------_=_NextPart_000_01BF631D.1C7AB64E--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
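
The report's observation that malloc() never returns NULL for untouched memory, taken from the administrator's side as an added example (not part of the original message): the same 200 x 1 MByte reservation loop run under a per-process address-space limit, which makes the reservation itself fail so the NULL check fires. It assumes a POSIX system that provides RLIMIT_AS; reserve_chunks() and reserve_under_limit() are hypothetical names.

```c
/* Added example, not from the original message. Assumes POSIX RLIMIT_AS;
 * reserve_chunks() and reserve_under_limit() are hypothetical names. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

#define CHUNK   (1024 * 1024)   /* 1 MByte blocks, as in the report */
#define NCHUNKS 200

/* Reserve up to NCHUNKS blocks without writing to them.
 * Returns how many malloc() calls succeeded; frees everything again. */
static int reserve_chunks(void)
{
    char *volatile a[NCHUNKS];  /* volatile: keep the allocations from being optimized out */
    int i, got = 0;

    while (got < NCHUNKS && (a[got] = malloc(CHUNK)) != NULL)
        got++;                  /* loop ends early once malloc() refuses */
    for (i = 0; i < got; i++)
        free(a[i]);
    return got;
}

/* Run the same loop under a soft address-space limit of limit_bytes,
 * then restore the previous limit. Returns -1 if the limit cannot be set. */
static int reserve_under_limit(rlim_t limit_bytes)
{
    struct rlimit old, lim;
    int got;

    if (getrlimit(RLIMIT_AS, &old) != 0)
        return -1;
    lim = old;
    lim.rlim_cur = limit_bytes;
    if (old.rlim_max != RLIM_INFINITY && limit_bytes > old.rlim_max)
        lim.rlim_cur = old.rlim_max;    /* soft limit may not exceed hard limit */
    if (setrlimit(RLIMIT_AS, &lim) != 0)
        return -1;
    got = reserve_chunks();
    setrlimit(RLIMIT_AS, &old);         /* put the old soft limit back */
    return got;
}

int main(void)
{
    printf("no limit:     %d of %d blocks reserved\n", reserve_chunks(), NCHUNKS);
    printf("64 MB limit:  %d of %d blocks reserved\n",
           reserve_under_limit((rlim_t)64 * CHUNK), NCHUNKS);
    return 0;
}
```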