Date:      Mon, 31 Oct 2005 10:34:23 GMT
From:      Vladimir Ivanov <wawa@yandex-team.ru>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/88268: yet another null pointer in bpf code
Message-ID:  <200510311034.j9VAYNfb025132@www.freebsd.org>
Resent-Message-ID: <200510311040.j9VAeIPO006422@freefall.freebsd.org>


>Number:         88268
>Category:       kern
>Synopsis:       yet another null pointer in bpf code
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 31 10:40:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Vladimir Ivanov
>Release:        FBSD RELENG_5
>Organization:
Yandex LLC
>Environment:
FreeBSD sakura.yandex.net 5.4-STABLE FreeBSD 5.4-STABLE #9: Fri Oct 28 13:38:34 MSD 2005     root@sakura.yandex.net:/usr/obj/usr/src/sys/BORDER-RTR-RELENG_5  i386

>Description:
Kernel panic in bpf code.
Have a look at the coredump below (kl_lock == 0). I think this bug is caused by inaccurate thread locking in "bpfopen" and "bpfclose".

sakura:/var/crash# kgdb /usr/obj/usr/src/sys/BORDER-RTR-RELENG_5/kernel.debug  /var/crash/vmcore.29
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x8
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc0577e07
stack pointer           = 0x10:0xe4e58b7c
frame pointer           = 0x10:0xe4e58ba0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 43 (irq30: em0)
trap number             = 12
panic: page fault
cpuid = 0
boot() called on cpu#0
Uptime: 2d13h6m3s
GEOM_MIRROR: Device m0: provider mirror/m0 destroyed.
GEOM_MIRROR: Device m0 destroyed.
Dumping 1023 MB
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 256 272 288 304 320 336 352 368 384 400 416 432 448 464 480 496 512 528 544 560 576 592 608 624 640 656 672 688 704 720 736 752 768 784 800 816 832 848 864 880 896 912 928 944 960 976 992 1008

#0  doadump () at pcpu.h:160
160     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt full
#0  doadump () at pcpu.h:160
No locals.
#1  0xc0501428 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:412
        first_buf_printf = 1
#2  0xc05017d6 in panic (fmt=0xc06614de "%s") at /usr/src/sys/kern/kern_shutdown.c:568
        td = (struct thread *) 0xc22e8180
        bootopt = 260
        newpanic = 0
        ap = 0xc22e8180 " ~.б╟\034'б"
        buf = "page fault", '\0' <repeats 245 times>
#3  0xc063a639 in trap_fatal (frame=0xe4e58b3c, eva=0) at /usr/src/sys/i386/i386/trap.c:817
        code = 16
        type = 12
        ss = 16
        esp = 0
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_xx = 1, ssd_xx1 = 0, ssd_def32 = 1, ssd_gran = 1}
#4  0xc063a330 in trap_pfault (frame=0xe4e58b3c, usermode=0, eva=8) at /usr/src/sys/i386/i386/trap.c:735
        va = 0
        vm = (struct vmspace *) 0x0
        map = 0xc06b8c00
        rv = 1
        ftype = 1 '\001'
        td = (struct thread *) 0xc22e8180
        p = (struct proc *) 0xc22e7e20
#5  0xc0639f15 in trap (frame=
      {tf_fs = -1034813416, tf_es = -454754288, tf_ds = -1068630000, tf_edi = 0, tf_esi = 2048, tf_ebp = -454718560, tf_isp = -454718616, tf_ebx = -1034787840, tf_edx = 1464, tf_ecx = 9014, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1068007929, tf_cs = 8, tf_eflags = 66194, tf_esp = -1067978273, tf_ss = 2}) at /usr/src/sys/i386/i386/trap.c:425
        td = (struct thread *) 0xc22e8180
        p = (struct proc *) 0xc22e7e20
        sticks = 4
        i = 0
        ucode = 0
        type = 12
        code = 0
        eva = 8
#6  0xc062608a in calltrap () at /usr/src/sys/i386/i386/exception.s:140
No locals.
#7  0xc2520018 in ?? ()
No symbol table info available.
#8  0xe4e50010 in ?? ()
No symbol table info available.
#9  0xc04e0010 in kqueue_task (arg=0x0, pending=-1030851072) at /usr/src/sys/kern/kern_event.c:1083
        kq = (struct kqueue *) 0xc2526400
        haskqglobal = 0
#10 0xc057ed5a in ether_input (ifp=0xc291e004, m=0xc28e7600) at /usr/src/sys/net/if_ethersubr.c:570
        eh = (struct ether_header *) 0x0
        etype = 2048
#11 0xc058106c in vlan_input (ifp=0xc2384000, m=0xc28e7600) at /usr/src/sys/net/if_vlan.c:633
        evl = (struct ether_vlan_header *) 0x0
        ifv = (struct ifvlan *) 0xc2526400
---Type <return> to continue, or q <return> to quit---q
Quit
(kgdb) f 9
#9  0xc04e0010 in kqueue_task (arg=0x0, pending=-1030851072) at /usr/src/sys/kern/kern_event.c:1083
1083            KNOTE_LOCKED(&kq->kq_sel.si_note, 0);
(kgdb) p *kq
$1 = {kq_lock = {mtx_object = {lo_class = 0xc2526400, lo_name = 0xc2527400 "", lo_type = 0xc252ec04 "", lo_flags = 1851878518, lo_list = {
        tqe_next = 0x34, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 3227995382, mtx_recurse = 4}, kq_refcnt = -1034308608, kq_list = {
    sle_next = 0xc25cb860}, kq_head = {tqh_first = 0xc06bbfc0, tqh_last = 0x0}, kq_count = 0, kq_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0},
    si_thread = 0x5, si_note = {kl_lock = 0x0, kl_list = {slh_first = 0x8843}}, si_flags = 0}, kq_sigio = 0x0, kq_fdp = 0xc2526654, kq_state = 20,
  kq_knlistsize = 67502215, kq_knlist = 0x50000000, kq_knhashmask = 9000, kq_knhash = 0x0, kq_task = {ta_link = {stqe_next = 0x0},
    ta_pending = 907364747, ta_priority = 0, ta_func = 0xea94e83c, ta_context = 0x0}}
 
>How-To-Repeat:
Let heavy traffic flow through the interface and do bpf attach/detach often.
>Fix:
I think the "knlist_init" call and "knlist_destroy" call in "bpfopen" and "bpfclose" should be protected by the global mutex bpf_mtx.
>Release-Note:
>Audit-Trail:
>Unformatted:
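The interleaving the report suspects (the tap path running from interrupt context while a descriptor is linked into the interface list but its knlist is not yet initialised, or already destroyed but not yet unlinked) can be modelled deterministically in user space. The following is an added example, not FreeBSD code and not the reporter's: the names bpf_if, bpf_d, knlist, bpf_mtx, bpfopen, bpfclose and bpf_tap borrow the kernel's vocabulary, but every structure and function is a simplified stand-in, the "interrupt" is an ordinary function call made at a chosen point, and the assumption that the tap path takes the same mutex as open/close is the model's, not a statement about how the kernel locks. A return of -1 stands for the dereference of a NULL kl_lock (the value the dump shows).

```c
/* Added example (not FreeBSD code): single-threaded model of the open/close vs
 * tap interleaving.  Names mirror the kernel's but everything is a stand-in. */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

struct knlist { pthread_mutex_t *kl_lock; int kl_notes; }; /* kl_lock NULL until knlist_init() */
struct bpf_d  { struct knlist bd_sel; struct bpf_d *bd_next; };
struct bpf_if { struct bpf_d *bif_dlist; };               /* walked by the tap path per packet */

/* Where the model lets the "interrupt" (tap path) run. */
enum point { NO_IRQ, IRQ_AFTER_LINK_BEFORE_INIT, IRQ_AFTER_DESTROY_BEFORE_UNLINK };

static pthread_mutex_t bpf_mtx = PTHREAD_MUTEX_INITIALIZER; /* assumed shared by tap and open/close */
static pthread_mutex_t dlock   = PTHREAD_MUTEX_INITIALIZER; /* per-descriptor lock handed to knlist_init */

static void knlist_init(struct knlist *knl, pthread_mutex_t *lock) { knl->kl_lock = lock; knl->kl_notes = 0; }
static void knlist_destroy(struct knlist *knl) { knl->kl_lock = NULL; } /* the state in the dump */

/* Tap path: 0 if every linked descriptor had a usable lock, -1 if it would
 * have dereferenced a NULL kl_lock (the modelled page fault). */
static int bpf_tap(struct bpf_if *bp)
{
    for (struct bpf_d *d = bp->bif_dlist; d != NULL; d = d->bd_next) {
        if (d->bd_sel.kl_lock == NULL)
            return -1;
        pthread_mutex_lock(d->bd_sel.kl_lock);
        d->bd_sel.kl_notes++;
        pthread_mutex_unlock(d->bd_sel.kl_lock);
    }
    return 0;
}

/* Tap running from interrupt context.  If bpf_mtx is held the real tap would
 * block; the model reports 1 ("deferred") and the caller replays it after unlock. */
static int irq(struct bpf_if *bp)
{
    if (pthread_mutex_trylock(&bpf_mtx) != 0)
        return 1;
    int rv = bpf_tap(bp);
    pthread_mutex_unlock(&bpf_mtx);
    return rv;
}

/* open: link the descriptor into the interface list, then init its knlist.
 * locked == 0 is the unprotected ordering the report suspects. */
static int bpfopen(struct bpf_if *bp, struct bpf_d *d, enum point p, int locked)
{
    int rv = 0;
    if (locked) pthread_mutex_lock(&bpf_mtx);
    d->bd_next = bp->bif_dlist;
    bp->bif_dlist = d;                        /* now visible to the tap path */
    if (p == IRQ_AFTER_LINK_BEFORE_INIT)
        rv = irq(bp);                         /* kl_lock is still NULL here */
    knlist_init(&d->bd_sel, &dlock);
    if (locked) pthread_mutex_unlock(&bpf_mtx);
    return rv == 1 ? irq(bp) : rv;            /* replay a deferred tap */
}

/* close: destroy the knlist, then unlink.  Same shape, opposite window. */
static int bpfclose(struct bpf_if *bp, struct bpf_d *d, enum point p, int locked)
{
    int rv = 0;
    if (locked) pthread_mutex_lock(&bpf_mtx);
    knlist_destroy(&d->bd_sel);               /* kl_lock = NULL while still linked */
    if (p == IRQ_AFTER_DESTROY_BEFORE_UNLINK)
        rv = irq(bp);
    for (struct bpf_d **pp = &bp->bif_dlist; *pp != NULL; pp = &(*pp)->bd_next)
        if (*pp == d) { *pp = d->bd_next; break; }
    if (locked) pthread_mutex_unlock(&bpf_mtx);
    return rv == 1 ? irq(bp) : rv;
}

/* Scenarios: -1 = modelled panic, 0 = the tap only ever saw consistent state. */
int scenario_open(int locked)
{
    struct bpf_if bp = { NULL };
    struct bpf_d d = { { NULL, 0 }, NULL };
    return bpfopen(&bp, &d, IRQ_AFTER_LINK_BEFORE_INIT, locked);
}

int scenario_close(int locked)
{
    struct bpf_if bp = { NULL };
    struct bpf_d d = { { NULL, 0 }, NULL };
    bpfopen(&bp, &d, NO_IRQ, locked);
    return bpfclose(&bp, &d, IRQ_AFTER_DESTROY_BEFORE_UNLINK, locked);
}

int main(void)
{
    printf("open  unlocked=%d locked=%d\n", scenario_open(0), scenario_open(1));
    printf("close unlocked=%d locked=%d\n", scenario_close(0), scenario_close(1));
    return 0;
}
```

In the model the unprotected open and close both return -1 (the tap observes kl_lock == NULL) and the protected versions return 0, because the deferred tap runs only after the critical section has left the list and the knlist consistent. The model also makes the other shape of the window visible: the unprotected ordering is only dangerous because the descriptor is reachable from the list while its knlist is uninitialised or destroyed, so holding one lock across both the list update and the knlist_init/knlist_destroy call, as the report proposes, is what closes it.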


