Date:      Sat, 6 Jan 2007 13:25:41 +0000
From:      Ceri Davies <ceri@submonkey.net>
To:        Robert Watson <rwatson@FreeBSD.org>
Cc:        stable@FreeBSD.org
Subject:   Re: (audit?) Panic in 6.2-PRERELEASE
Message-ID:  <20070106132540.GG7088@submonkey.net>
In-Reply-To: <20070106120040.N46119@fledge.watson.org>
References:  <20070105111954.GA51511@submonkey.net> <20070105120539.H46119@fledge.watson.org> <20070105131528.GB7088@submonkey.net> <20070105133028.F98541@fledge.watson.org> <20070105150857.GC7088@submonkey.net> <20070106120040.N46119@fledge.watson.org>

On Sat, Jan 06, 2007 at 12:01:51PM +0000, Robert Watson wrote:
> On Fri, 5 Jan 2007, Ceri Davies wrote:
>
> >On Fri, Jan 05, 2007 at 01:34:04PM +0000, Robert Watson wrote:
> >>
> >>On Fri, 5 Jan 2007, Ceri Davies wrote:
> >>
> >>>>Much as I would love to trust the contents of ub there, I suspect they
> >>>>can't be trusted.  Could you print the contents of *fp in kern_fstat()
> >>>>in both of those stacks?  I'd particularly like to know the value of
> >>>>fp->f_type, and then depending on the type, possibly the contents of
> >>>>*(struct vnode *)fp->f_vnode for DTYPE_VNODE/TYPE_FIFO or *(struct
> >>>>socket *)fp->f_data in the case of DTYPE_SOCKET.
> >>>
> >>>Can you tell me how to get at *fp given that the stack trace shows
> >>>fstat() and not kern_fstat()?  Sorry if I'm being dumb but I don't know
> >>>how to step into the kern_fstat() call from fstat().
> >>
> >>It could be that the stack is hosed losing the frame, or maybe it's
> >>inlined (more likely the former I think, as kern_fstat() is a symbol used
> >>elsewhere in the kernel).  The best bet may be to use the file descriptor
> >>number (uap->fd) to pull the struct file reference out of the process.
> >>Something on the order of (td->td_proc->p_fd->fd_ofiles[fd]) should
> >>return the right struct file *.
> >
> >OK, got it.  They're both sockets, data in the attachments.
> >
> >>How reproducible is this?
> >
> >So far it's happened this morning and yesterday morning.  I haven't seen
> >it before that.  I don't know the cause so I can't reproduce it at will,
> >but the logs don't give any indication.  Chances are that it will happen
> >again tomorrow, but we'll see.
>
> Hmm.  It looks like you printf *(td->td_proc->p_fd->fd_ofiles) without the
> array index.  Could you repeat that, but with the array index -- i.e.,
> td->td_proc->p_fd->fd_ofiles[uap->fd]?  Also, it would probably be useful
> to print uap->fd.  Right now you're printing stdin (index 0), but if the
> index is non-0, we want a different file.

Very tactfully put :)  Sorry about that.

None of the uap->fd's seem to be valid.
In the first case, uap->fd is way too high for the length of fd_ofiles,
which only has 21 elements:

(kgdb) up 8
#8  0xc04c470d in fstat (td=0xc2eeb180, uap=0xd610dc74) at /usr/src/sys/kern/kern_descrip.c:1075
1075            error = kern_fstat(td, uap->fd, &ub);
(kgdb) p uap->fd
$1 = 89
(kgdb) p *td->td_proc->p_fd->fd_ofiles[uap->fd]
Cannot access memory at address 0x0

In the second, uap->fd is nonsense:

(kgdb) up 8
#8  0xc04c470d in fstat (td=0xc3109300, uap=0xd617ec74) at /usr/src/sys/kern/kern_descrip.c:1075
1075            error = kern_fstat(td, uap->fd, &ub);
(kgdb) p uap->fd
$1 = -1023449232
(kgdb)

Ceri
-- 
That must be wonderful!  I don't understand it at all.
                                                  -- Moliere
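
The range test implied by the two kgdb sessions above, as an added example that is not part of the original message and is not FreeBSD's code: a userland C model that classifies a descriptor before it is used to index `fd_ofiles`. The struct layouts are simplified stand-ins, `fd_check` and `fd_lookup` are hypothetical names, and the 21-slot table is constructed to match the length reported in the message.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures named in the thread. */
struct file { short f_type; };
struct filedesc {
    struct file **fd_ofiles;  /* open-file table, indexed by descriptor */
    int fd_nfiles;            /* number of slots in fd_ofiles */
};

enum fd_status { FD_OK, FD_NEGATIVE, FD_BEYOND_TABLE, FD_EMPTY_SLOT };

/* Classify a descriptor before it is used as an array index (hypothetical helper). */
enum fd_status fd_check(const struct filedesc *fdp, int fd)
{
    if (fd < 0)
        return FD_NEGATIVE;          /* would index before the table */
    if (fd >= fdp->fd_nfiles)
        return FD_BEYOND_TABLE;      /* would index past the last slot */
    if (fdp->fd_ofiles[fd] == NULL)
        return FD_EMPTY_SLOT;        /* in range, but nothing is open there */
    return FD_OK;
}

/* Bounds-checked lookup: NULL unless fd names an open file. */
struct file *fd_lookup(const struct filedesc *fdp, int fd)
{
    return fd_check(fdp, fd) == FD_OK ? fdp->fd_ofiles[fd] : NULL;
}

/* Constructed sample: 21 slots, only descriptor 0 open; f_type value is arbitrary. */
static struct file sample_file = { 2 };
static struct file *sample_slots[21] = { &sample_file };
static const struct filedesc sample_fdp = { sample_slots, 21 };

int main(void)
{
    static const char *names[] = { "ok", "negative", "beyond table", "empty slot" };
    int fds[] = { 0, 5, 89, -1023449232 };  /* last two are the values from the message */
    for (size_t i = 0; i < sizeof fds / sizeof fds[0]; i++)
        printf("fd %d: %s\n", fds[i], names[fd_check(&sample_fdp, fds[i])]);
    return 0;
}
```

A debugger performs none of these checks when asked to print `fd_ofiles[uap->fd]`; it simply reads whatever memory the index reaches.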
