Date: Wed, 22 Jun 2005 18:28:26 +0300
From: Patrik Backlund <pbacklun@cc.hut.fi>
To: John Baldwin <jhb@freebsd.org>
Cc: current@freebsd.org, sobomax@freebsd.org, Andrew Gallatin <gallatin@cs.duke.edu>, freebsd-amd64@freebsd.org, Kris Kennaway <kris@obsecurity.org>
Subject: Re: Fatal trap 12 in exec_copyout_strings()
Message-ID: <42B9839A.4060006@cc.hut.fi>
In-Reply-To: <200506221031.55875.jhb@FreeBSD.org>
References: <20050510223636.GA49927@xor.obsecurity.org> <200506171434.49008.jhb@FreeBSD.org> <17080.29141.918333.170950@grasshopper.cs.duke.edu> <200506221031.55875.jhb@FreeBSD.org>
John Baldwin wrote:
> On Tuesday 21 June 2005 04:00 pm, Andrew Gallatin wrote:
>
>>John Baldwin writes:
>> > On Sunday 29 May 2005 01:50 pm, Kris Kennaway wrote:
>> > > On Tue, May 10, 2005 at 03:36:36PM -0700, Kris Kennaway wrote:
>> > > > Got this on a dual amd64 with 8GB RAM running 6.0 from last week:
>> > > >
>> > > > Fatal trap 12: page fault while in kernel mode
>> > > > cpuid = 1; apic id = 01
>> > > > fault virtual address = 0xffffffffa9cdc000
>> > > > fault code = supervisor read, page not present
>> > > > instruction pointer = 0x8:0xffffffff8037759f
>> > > > stack pointer = 0x10:0xffffffffba1637d0
>> > > > frame pointer = 0x10:0xffffffffba163820
>> > > > code segment = base 0x0, limit 0xfffff, type 0x1b
>> > > > = DPL 0, pres 1, long 1, def32 0, gran 1
>> > > > processor eflags = interrupt enabled, resume, IOPL = 0
>> > > > current process = 52247 (sh)
>> > > > [thread pid 52247 tid 100149 ]
>> > > > Stopped at exec_copyout_strings+0x12f:
>> > > > db> wh
>> > > > Tracing pid 52247 tid 100149 td 0xffffff016e5724c0
>> > > > exec_copyout_strings() at exec_copyout_strings+0x12f
>> > > > do_execve() at do_execve+0x39a
>> > > > kern_execve() at kern_execve+0xab
>> > > > execve() at execve+0x49
>> > > > syscall() at syscall+0x382
>> > > > Xfast_syscall() at Xfast_syscall+0xa8
>> > > > --- syscall (59, FreeBSD ELF64, execve), rip = 0x80090622c, rsp =
>> > > > 0x7fffffffe058, rbp = 0xffffffff ---
>> > > > db>
>> > >
>> > > I've got this panic twice more since.
>> >
>> > Do you have a kernel.debug? Can you do 'list
>> > *exec_copyout_strings+0x12f'? I think I've seen reports of the
>> > linux32_exec_copyout_strings() having a similar fault as well on amd64.
>>
>>I just got this on my freshly installed UP, 512MB athlon64. For me,
>>it's 100% reproducible when running a cross-compiler built on
>>FreeBSD-4.
>>
>>(kgdb) p *imgp->args
>>$33 = {
>>  buf = 0xffffffff90ba3000 <Address 0xffffffff90ba3000 out of bounds>,
>>  begin_argv = 0xffffffff90ba3000 <Address 0xffffffff90ba3000 out of bounds>,
>>  begin_envv = 0xffffffff90ba313d <Address 0xffffffff90ba313d out of bounds>,
>>  endp = 0xffffffff90ba389f <Address 0xffffffff90ba389f out of bounds>,
>>  fname = 0xffffffff90be3000 "/home/gallatin/lanaitools/intel_FreeBSD/lib/gcc-lib/lanai/2.95.2..1.6/cc1",
>>  stringspace = 259937,
>>  argc = 23,
>>  envc = 46
>>}
>>
>>I'm puzzled. fname seems to be buf+ARGV_MAX, so it's not
>>like something randomly scribbled on this memory.
>>
>>In the debugger, the memory just below buf+ARGV_MAX seems to be
>>unmapped. But we've done copyins in freebsd32_exec_copyin_args(),
>>otherwise endp would not have been advanced. So we've written to this
>>memory.
>>
>>It is almost like somebody freed buf through buf + 262144.
>
>
> I think I figured it out. sobomax@ changed how much memory exec_copyin_args()
> and exec_free_args() allocated and freed without updating
> freebsd32_exec_copyin_args() and linux_exec_copyin_args(), so more memory was
> freed than was allocated which would free memory out from other execs. Patch
> is below. Let me know if it fixes the problem.

YES! In May I reported a very similar reproducible panic in
linux32_exec_copyout_strings and this patch fixes the problem for me. I can
now use Skype in current again.

Thanks!

BR,
Patrik
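The failure mode John describes, as an added illustration that is not code from this thread or from FreeBSD: a toy page-granular map whose free takes an explicit size, in the style of kmem_free(map, addr, size). One caller still allocates the old, smaller size while the shared free routine now frees the new, larger size, so the tail of the free lands on the neighbouring allocation and the next access to that neighbour's buffer hits a page that is no longer mapped. The map size, page counts, OLD_ARGSZ/NEW_ARGSZ and all function names are assumptions chosen for the demonstration, not the real kernel values.

```c
/*
 * Added example (not from the thread or FreeBSD): toy map with a
 * size-explicit free, modelling "more memory freed than allocated".
 * PAGE_SIZE, MAP_PAGES, OLD_ARGSZ, NEW_ARGSZ and all names are
 * illustrative assumptions.
 */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define MAP_PAGES 16u                 /* toy "exec_map" of 16 pages */
#define OLD_ARGSZ (4u * PAGE_SIZE)    /* size an un-updated copyin path allocates */
#define NEW_ARGSZ (6u * PAGE_SIZE)    /* size the shared free routine now assumes */

/* owner[i] == 0: page i free; otherwise the id of the allocation owning it. */
static unsigned owner[MAP_PAGES];
static unsigned next_id = 1;
static long last_b = -1;              /* offset of the neighbour in the last scenario */

static void map_reset(void) { memset(owner, 0, sizeof owner); next_id = 1; }

static unsigned pages_for(size_t size) { return (unsigned)((size + PAGE_SIZE - 1) / PAGE_SIZE); }

/* First-fit allocation of whole pages; returns a byte offset into the map or -1. */
static long map_alloc(size_t size)
{
    unsigned npages = pages_for(size), start = 0;
    while (start + npages <= MAP_PAGES) {
        unsigned run = 0;
        while (run < npages && owner[start + run] == 0)
            run++;
        if (run == npages) {
            unsigned id = next_id++;
            for (unsigned i = 0; i < npages; i++)
                owner[start + i] = id;
            return (long)start * PAGE_SIZE;
        }
        start += run + 1;             /* skip the occupied page that ended the run */
    }
    return -1;
}

/*
 * Size-explicit free: releases `size` bytes from `addr`, trusting the caller.
 * Returns how many released pages belonged to a *different* allocation,
 * i.e. pages pulled out from under a neighbour (0 for a correct free).
 */
static unsigned map_free(long addr, size_t size)
{
    unsigned first = (unsigned)(addr / (long)PAGE_SIZE);
    unsigned npages = pages_for(size), id = owner[first], stolen = 0;
    for (unsigned i = first; i < first + npages && i < MAP_PAGES; i++) {
        if (owner[i] != 0 && owner[i] != id)
            stolen++;
        owner[i] = 0;
    }
    return stolen;
}

/* Is the page holding `addr` still mapped? Reading an unmapped one is the
 * "supervisor read, page not present" fault seen in the trace. */
static bool map_present(long addr) { return owner[addr / (long)PAGE_SIZE] != 0; }

static bool neighbour_first_page_mapped(void) { return last_b >= 0 && map_present(last_b); }

/* Exec A allocates `alloc_a`, exec B allocates NEW_ARGSZ right behind it, then
 * the shared free routine frees A using NEW_ARGSZ. Returns B's pages lost. */
static unsigned run_scenario(size_t alloc_a)
{
    map_reset();
    long a = map_alloc(alloc_a);
    long b = map_alloc(NEW_ARGSZ);
    assert(a >= 0 && b >= 0);
    last_b = b;
    return map_free(a, NEW_ARGSZ);
}

static unsigned mismatched_free_scenario(void) { return run_scenario(OLD_ARGSZ); }
static unsigned matched_free_scenario(void)    { return run_scenario(NEW_ARGSZ); }

int main(void)
{
    unsigned s = mismatched_free_scenario();
    printf("mismatched free: %u of B's pages released; B's first page mapped: %s\n",
           s, neighbour_first_page_mapped() ? "yes" : "no");
    s = matched_free_scenario();
    printf("matched free:    %u of B's pages released; B's first page mapped: %s\n",
           s, neighbour_first_page_mapped() ? "yes" : "no");
    return 0;
}
```

In the mismatched case A's free releases the first two pages of B's buffer, so B's later copyout reads an unmapped page, which matches the symptom Andrew saw: copyins into the buffer had already succeeded, yet part of it was gone by the time exec_copyout_strings() ran. The matched case shows the same layout with allocation and free agreeing on the size, which releases nothing it should not.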
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42B9839A.4060006>