From owner-freebsd-current@FreeBSD.ORG Mon Jan 17 01:47:48 2005
Date: Sun, 16 Jan 2005 17:47:46 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Alan Cox
Cc: alc@freebsd.org, current@freebsd.org, Kris Kennaway
Subject: Re: fstat triggered INVARIANTS panic in memrw()
Message-ID: <20050117014746.GA96797@xor.obsecurity.org>
In-Reply-To: <20050116211349.GG26214@noel.cs.rice.edu>

On Sun, Jan 16, 2005 at 03:13:49PM -0600, Alan Cox wrote:
> The "deadc0de" passed to generic_copyout() comes from the following
> lines in devfs_read_f(c51773b8,eed96c84,ca75c800,flags=0):
>
>         if ((flags & FOF_OFFSET) == 0)
>                 uio->uio_offset = fp->f_offset;
>
> Can you print the contents of the file structure?

Hmm, I tried with gdb53 but it gave me a weird trace:

(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc0528567 in boot (howto=260) at ../../../kern/kern_shutdown.c:398
#2  0xc0528037 in panic (fmt=0xc071abe1 "../../../kern/kern_shutdown.c") at ../../../kern/kern_shutdown.c:554
#3  0xc068921a in vm_fault (map=0xc103b000, vaddr=3735928832, fault_type=1 '\001', fault_flags=0) at ../../../vm/vm_fault.c:875
#4  0xc06deef2 in trap_pfault (frame=0xe7275b8c, usermode=0, eva=3735929054) at ../../../i386/i386/trap.c:713
#5  0xc06df3e3 in trap (frame=
      {tf_fs = -1066205160, tf_es = 16, tf_ds = -1056767984, tf_edi = 134545408, tf_esi = -559038242, tf_ebp = -416850940, tf_isp = -416851016, tf_ebx = 2058814332, tf_edx = 1966776, tf_ecx = 514703583, tf_eax = -2101607556, tf_trapno = 12, tf_err = 0, tf_eip = -1066543558, tf_cs = 8, tf_eflags = 66050, tf_esp = 2058814332, tf_ss = -416850812}) at ../../../i386/i386/trap.c:414
#6  0xc06dd63a in generic_copyout () at ../../../i386/i386/support.s:760
#7  0xc06d8aba in memrw (dev=0xc22f8200, uio=0x8050000, flags=0) at ../../../i386/i386/mem.c:128
#8  0xc04d8d91 in devfs_read_f (fp=0x8050000, uio=0xdeadc0de, cred=0xc3540380, flags=0, td=0xc3c34170) at ../../../fs/devfs/devfs_vnops.c:931
#9  0xc0552632 in dofileread (td=0x8050000, fp=0x7ab7037c, fd=0, buf=0x0, nbyte=2058814332, offset=0, flags=0) at file.h:234
#10 0xc05527f5 in read (td=0xc3c34170, uap=0xdeadc0de) at ../../../kern/sys_generic.c:107
#11 0xc06df7d7 in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 2058814332, tf_esi = 0, tf_ebp = -1077943512, tf_isp = -416850572, tf_ebx = 671608356, tf_edx = 134549504, tf_ecx = 0, tf_eax = 3, tf_trapno = 12, tf_err = 2, tf_eip = 671899359, tf_cs = 31, tf_eflags = 514, tf_esp = -1077943556, tf_ss = 47}) at ../../../i386/i386/trap.c:951
(kgdb) frame 8
#8  0xc04d8d91 in devfs_read_f (fp=0x8050000, uio=0xdeadc0de, cred=0xc3540380, flags=0, td=0xc3c34170) at ../../../fs/devfs/devfs_vnops.c:931
931             error = dsw->d_read(dev, uio, ioflag);
(kgdb) print fp
$1 = (struct file *) 0x8050000
(kgdb) print *fp
---Can't read userspace from dump, or kernel process---

kgdb gave a different kind of weird trace, but at least I could access something that claimed to be a struct file*:

(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc0528567 in boot (howto=260) at ../../../kern/kern_shutdown.c:398
#2  0xc0528037 in panic (fmt=0xc071abe1 "../../../kern/kern_shutdown.c") at ../../../kern/kern_shutdown.c:554
#3  0xc068921a in vm_fault (map=0xc103b000, vaddr=3735928832, fault_type=1 '\001', fault_flags=0) at ../../../vm/vm_fault.c:875
#4  0xc06deef2 in trap_pfault (frame=0xe7275b8c, usermode=0, eva=3735929054) at ../../../i386/i386/trap.c:713
#5  0xc06df3e3 in trap (frame=
      {tf_fs = -1066205160, tf_es = 16, tf_ds = -1056767984, tf_edi = 134545408, tf_esi = -559038242, tf_ebp = -416850940, tf_isp = -416851016, tf_ebx = 2058814332, tf_edx = 1966776, tf_ecx = 514703583, tf_eax = -2101607556, tf_trapno = 12, tf_err = 0, tf_eip = -1066543558, tf_cs = 8, tf_eflags = 66050, tf_esp = 2058814332, tf_ss = -416850812}) at ../../../i386/i386/trap.c:414
#6  0xc06d0eaa in calltrap () at ../../../i386/i386/exception.s:139
#7  0xc0730018 in ?? ()
#8  0x00000010 in ?? ()
#9  0xc1030010 in ?? ()
#10 0x08050000 in ?? ()
#11 0xdeadc0de in ?? ()
#12 0xe7275c04 in ?? ()
#13 0xe7275bb8 in ?? ()
#14 0x7ab7037c in ?? ()
#15 0x001e02b8 in ?? ()
#16 0x1eadc0df in ?? ()
#17 0x82bc037c in ?? ()
#18 0x0000000c in ?? ()
#19 0x00000000 in ?? ()
#20 0xc06dd63a in generic_copyout () at ../../../i386/i386/support.s:760
#21 0x00000008 in ?? ()
#22 0x00010202 in ?? ()
#23 0x7ab7037c in ?? ()
#24 0xe7275c84 in ?? ()
#25 0xe7275c7c in ?? ()
#26 0xc052e709 in uiomove (cp=0xdeadc0de, n=2058814332, uio=0x8050000) at ../../../kern/kern_subr.c:171
#27 0xc06d8aba in memrw (dev=0xc22f8200, uio=0xe7275c84, flags=0) at ../../../i386/i386/mem.c:128
#28 0xc04d8d91 in devfs_read_f (fp=0xc25f5dd0, uio=0xe7275c84, cred=0xc3540380, flags=0, td=0xc3c34170) at ../../../fs/devfs/devfs_vnops.c:931
#29 0xc0552632 in dofileread (td=0xc3c34170, fp=0xc25f5dd0, fd=0, buf=0x0, nbyte=2058814332, offset=Unhandled dwarf expression opcode 0x93
) at file.h:234
#30 0xc05527f5 in read (td=0xc3c34170, uap=0xe7275d14) at ../../../kern/sys_generic.c:107
#31 0xc06df7d7 in syscall (frame=
---Type <return> to continue, or q <return> to quit---q
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 2058814332, tf_esi = 0, tf_ebp = -Quit
) at ../../../i386/i386/trap.c:951
#32 0xc06d0eff in Xint0x80_syscall () at ../../../i386/i386/exception.s:200
#33 0x0000002f in ?? ()
#34 0x0000002f in ?? ()
#35 0x0000002f in ?? ()
#36 0x7ab7037c in ?? ()
#37 0x00000000 in ?? ()
#38 0xbfbfe328 in ?? ()
#39 0xe7275d74 in ?? ()
#40 0x2807ee24 in ?? ()
#41 0x08051000 in ?? ()
#42 0x00000000 in ?? ()
#43 0x00000003 in ?? ()
#44 0x0000000c in ?? ()
#45 0x00000002 in ?? ()
#46 0x280c5edf in ?? ()
#47 0x0000001f in ?? ()
#48 0x00000202 in ?? ()
#49 0xbfbfe2fc in ?? ()
#50 0x0000002f in ?? ()
#51 0x0809e8c8 in ?? ()
#52 0x0000001f in ?? ()
#53 0x0809e8b2 in ?? ()
#54 0x0809e89f in ?? ()
#55 0x2b550000 in ?? ()
#56 0xc3c32bd0 in ?? ()
#57 0xc3c34170 in ?? ()
#58 0xe7275c84 in ?? ()
#59 0xe7275c60 in ?? ()
#60 0xc2264170 in ?? ()
#61 0xc053c495 in sched_switch (td=0x0, newtd=0x2807ee24, flags=Cannot access memory at address 0xbfbfe338
) at ../../../kern/sched_4bsd.c:963
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 28
#28 0xc04d8d91 in devfs_read_f (fp=0xc25f5dd0, uio=0xe7275c84, cred=0xc3540380, flags=0, td=0xc3c34170) at ../../../fs/devfs/devfs_vnops.c:931
931             error = dsw->d_read(dev, uio, ioflag);
(kgdb) print *fp
$1 = {f_list = {le_next = 0xc25f5bf4, le_prev = 0xc25f52a8}, f_type = 1, f_data = 0xc22f8200, f_flag = 1, f_mtxp = 0xc2251fd0, f_ops = 0xc074c140, f_cred = 0xc2b2a900, f_count = 2, f_vnode = 0xc3c6fbdc, f_offset = 3735929054, f_gcflag = 0, f_msgcount = 0, f_seqcount = 1, f_nextoff = 3263609792}

Kris