From: Peter Holm <pho@holm.cc>
To: Mark Johnston
Cc: current@freebsd.org
Date: Tue, 8 Dec 2020 17:02:12 +0100
Subject: Re: panic: general protection fault from uipc_sockaddr+0x4c
Message-ID: <20201208160212.GA35933@x8.osted.lan>
References: <20201208114718.GA33199@x8.osted.lan>

On Tue, Dec 08, 2020 at 10:30:41AM -0500, Mark Johnston wrote:
> On Tue, Dec 08, 2020 at 12:47:18PM +0100, Peter Holm wrote:
> > I just got this panic:
> > 
> > Fatal trap 9: general protection fault while in kernel mode
> > cpuid = 9; apic id = 09
> > instruction pointer = 0x20:0xffffffff80bc6e22
> > stack pointer = 0x28:0xfffffe0698887630
> > frame pointer = 0x28:0xfffffe06988876b0
> > code segment = base 0x0, limit 0xfffff, type 0x1b
> >   = DPL 0, pres 1, long 1, def32 0, gran 1
> > processor eflags = interrupt enabled, resume, IOPL = 0
> > current process = 45966 (fstat)
> > trap number = 9
> > panic: general protection fault
> > cpuid = 9
> > time = 1607416693
> > KDB: stack backtrace:
> > db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0698887340
> > vpanic() at vpanic+0x181/frame 0xfffffe0698887390
> > panic() at panic+0x43/frame 0xfffffe06988873f0
> > trap_fatal() at trap_fatal+0x387/frame 0xfffffe0698887450
> > trap() at trap+0xa4/frame 0xfffffe0698887560
> > calltrap() at calltrap+0x8/frame 0xfffffe0698887560
> > --- trap 0x9, rip = 0xffffffff80bc6e22, rsp = 0xfffffe0698887630, rbp = 0xfffffe06988876b0 ---
> > __mtx_lock_sleep() at __mtx_lock_sleep+0xd2/frame 0xfffffe06988876b0
> > __mtx_lock_flags() at __mtx_lock_flags+0xe5/frame 0xfffffe0698887700
> > uipc_sockaddr() at uipc_sockaddr+0x4c/frame 0xfffffe0698887730
> > soo_fill_kinfo() at soo_fill_kinfo+0x11e/frame 0xfffffe0698887770
> > kern_proc_filedesc_out() at kern_proc_filedesc_out+0xb57/frame 0xfffffe0698887810
> > sysctl_kern_proc_filedesc() at sysctl_kern_proc_filedesc+0x7d/frame 0xfffffe0698887890
> > sysctl_root_handler_locked() at sysctl_root_handler_locked+0x9c/frame 0xfffffe06988878e0
> > sysctl_root() at sysctl_root+0x20d/frame 0xfffffe0698887960
> > userland_sysctl() at userland_sysctl+0x180/frame 0xfffffe0698887a10
> > sys___sysctl() at sys___sysctl+0x5f/frame 0xfffffe0698887ac0
> > amd64_syscall() at amd64_syscall+0x147/frame 0xfffffe0698887bf0
> > fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0698887bf0
> > --- syscall (202, FreeBSD ELF64, sys___sysctl), rip = 0x8003948ea, rsp = 0x7fffffffc138, rbp = 0x7fffffffc170 ---
> > 
> > https://people.freebsd.org/~pho/stress/log/log0004.txt
> 
> So here the unpcb is freed, and indeed the file itself has been closed:
> 
> $3 = {f_flag = 0x3, f_count = 0x0, f_data = 0x0, f_ops = 0xffffffff81901f50,
>   f_vnode = 0x0, f_cred = 0xfffff80248beb600, f_type = 0x2, f_vnread_flags = 0x0,
>   {f_seqcount = {0x0, 0x0}, f_pipegen = 0x0}, f_nextoff = {0x0, 0x0},
>   f_vnun = {fvn_cdevpriv = 0x0, fvn_advice = 0x0}, f_offset = 0x0}
> 
> However, it must have happened very recently because soo_fill_kinfo()
> dereferences fp->f_data and yet we did not panic due to a null
> dereference.
> 
> kern_proc_filedesc_out() holds the fdtable shared lock throughout all of
> this, which is supposed to prevent the table entry from being freed
> since that requires the exclusive lock.
> 
> Could you show fdp->fd_ofiles[3] and fdp->fd_map[0] from frame 26?

Sure:

(kgdb) p fdp->fd_files->fdt_ofiles[3]
$1 = {fde_file = 0xfffff807306fd0f0, fde_caps = {fc_rights = {cr_rights = {0x0, 0x0}}, fc_ioctls = 0x0, fc_nioctls = 0x0, fc_fcntls = 0x0}, fde_flags = 0x0, fde_seqc = 0x2}
(kgdb) p fdp->fd_map[0]
$2 = 0x1f
(kgdb)

- Peter
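The locking argument in the quoted analysis (a walker under the shared fdtable lock may trust a populated slot because detaching that slot needs the exclusive lock, yet the dump shows slot 3 still populated while the file it points at has f_count == 0 and f_data == NULL) is easier to see in a small model. The following is an added example in portable C, written for this page; it is not FreeBSD kernel code and makes no claim about the actual root cause of this panic. The struct names, fd_install/fd_close/fd_walk, the churn thread and the deliberately broken close in demo_buggy_close() are all hypothetical stand-ins chosen to mirror the shapes in the trace.

```c
#define _POSIX_C_SOURCE 200809L
/* Added model in portable C, not FreeBSD kernel code.  Each populated table
 * slot owns one reference on a file; f_data is valid only while f_count > 0. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

#define NFILES 8
#define ROUNDS 2000

struct unpcb_model { char path[32]; };               /* socket pcb stand-in */
struct file_model { atomic_int f_count; struct unpcb_model *f_data; };
struct fdtable_model {
    pthread_rwlock_t fd_lock;
    struct file_model *fd_ofiles[NFILES];
};
#define FDTABLE_INIT { PTHREAD_RWLOCK_INITIALIZER, { NULL } }

/* Last reference gone: free the pcb.  The struct file is kept (leaked) on
 * purpose so a stale slot stays inspectable, as it was in kgdb. */
static void fdrop(struct file_model *fp)
{
    if (atomic_fetch_sub(&fp->f_count, 1) != 1)
        return;
    free(fp->f_data);
    fp->f_data = NULL;          /* f_count 0, f_data NULL: the dump's footprint */
}

static struct file_model *file_alloc(void)
{
    struct file_model *fp = calloc(1, sizeof(*fp));
    fp->f_data = calloc(1, sizeof(*fp->f_data));
    strcpy(fp->f_data->path, "/tmp/sock");       /* constructed sample data */
    atomic_init(&fp->f_count, 1);   /* this reference is owned by the table */
    return fp;
}

static void fd_install(struct fdtable_model *t, int fd, struct file_model *fp)
{
    pthread_rwlock_wrlock(&t->fd_lock);
    t->fd_ofiles[fd] = fp;
    pthread_rwlock_unlock(&t->fd_lock);
}

/* Correct close: detach under the exclusive lock, then drop the reference,
 * so a shared-lock walker can never see a populated slot with a dead file. */
static void fd_close(struct fdtable_model *t, int fd)
{
    pthread_rwlock_wrlock(&t->fd_lock);
    struct file_model *fp = t->fd_ofiles[fd];
    t->fd_ofiles[fd] = NULL;
    pthread_rwlock_unlock(&t->fd_lock);
    if (fp != NULL)
        fdrop(fp);
}

/* Walker modelled on the sysctl path: shared lock only.  Returns how many
 * populated slots held a dead file.  The kernel walker has no such check and
 * dereferences f_data on the strength of the invariant. */
static int fd_walk(struct fdtable_model *t)
{
    int stale = 0;
    pthread_rwlock_rdlock(&t->fd_lock);
    for (int fd = 0; fd < NFILES; fd++) {
        struct file_model *fp = t->fd_ofiles[fd];
        if (fp == NULL)
            continue;
        if (atomic_load(&fp->f_count) == 0 || fp->f_data == NULL)
            stale++;                         /* the kernel would trap here */
        else
            (void)strlen(fp->f_data->path);  /* the export touches f_data */
    }
    pthread_rwlock_unlock(&t->fd_lock);
    return stale;
}

static void *churn(void *arg)                /* install/close fd 3 repeatedly */
{
    for (int i = 0; i < ROUNDS; i++) {
        fd_install(arg, 3, file_alloc());
        fd_close(arg, 3);
    }
    return NULL;
}

/* Race the walker against churn(); correct close ordering keeps this at 0. */
static int stress_correct_close(void)
{
    struct fdtable_model t = FDTABLE_INIT;
    pthread_t th;
    int stale = 0;
    pthread_create(&th, NULL, churn, &t);
    for (int i = 0; i < ROUNDS; i++)
        stale += fd_walk(&t);
    pthread_join(&th, NULL);
    return stale;
}

/* Single-threaded reproduction of the dump's footprint: a hypothetical
 * refcount error drops the table's reference without detaching slot 3. */
static int demo_buggy_close(void)
{
    struct fdtable_model t = FDTABLE_INIT;
    fd_install(&t, 3, file_alloc());
    fdrop(t.fd_ofiles[3]);      /* no table lock can defend the walker now */
    return fd_walk(&t);         /* one stale slot */
}
```

Build with a C11 compiler and pthreads (for example `cc -std=c11 -pthread`). stress_correct_close() returns 0 however long the walker races the closer, because the slot is cleared under the exclusive lock before the table's reference is dropped, which is exactly the property the quoted analysis relies on. demo_buggy_close() returns 1 and leaves the same picture kgdb showed: the slot still holds a pointer, the file has f_count 0 and f_data NULL. The point for review is that a shared lock on the table only pins the slots, not the objects they point to; object lifetime is carried by the object's own reference count, so the walker's invariant holds only if every path that gives up the table's reference detaches the slot first.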