From: Alan Somers
To: freebsd-gnats-submit@FreeBSD.org
Date: Wed, 30 Jan 2013 16:58:59 GMT
Message-Id: <201301301658.r0UGwx6n074812@red.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Date: Wed, 30 Jan 2013 17:00:00 GMT
Subject: kern/175705: "panic: process not held" when invoking userland dtrace with INVARIANTS enabled

>Number:         175705
>Category:       kern
>Synopsis:       "panic: process not held" when invoking userland dtrace with INVARIANTS enabled
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 30 17:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Alan Somers
>Release:        9.1
>Organization:   Spectralogic
>Environment:
FreeBSD testy 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #2: Thu Jan 24 19:34:34 MST 2013 root@****:/tb/3a9569b9/tinderbuild/jails/9/obj/net/nexus/scratch/cruise/projects/Strata-debug/SpectraBSD/sys/STRATA_DBG amd64
>Description:
I tried using userland dtrace exactly according to the instructions at https://wiki.freebsd.org/DTrace/userland.
The following panic resulted:

panic: process not held
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at 0xffffffff8036266a = db_trace_self_wrapper+0x2a
kdb_backtrace() at 0xffffffff8090c4b7 = kdb_backtrace+0x37
panic() at 0xffffffff808d4a48 = panic+0x1d8
proc_ops() at 0xffffffff8232a03a = proc_ops+0x8a
fasttrap_pid_probe() at 0xffffffff8232b319 = fasttrap_pid_probe+0x9a9
trap() at 0xffffffff80bd2e85 = trap+0x2c5
calltrap() at 0xffffffff80bbcec3 = calltrap+0x8
--- trap 0x3, rip = 0x80086a911, rsp = 0x7fffffffdb98, rbp = 0x7fffffffdba0 ---
KDB: enter: panic
[ thread pid 40555 tid 114882 ]
Stopped at 0xffffffff8090c17b = kdb_enter+0x3b: movq $0,0xb4d1a2(%rip)

Looking at the source, it seems that fasttrap_isa.c acquires a process lock at line 1036, drops it at line 1184, then calls uwrite at line 1737. uwrite calls proc_ops(), which panics because it expects a process lock to be held. The subversion history shows that this bug was introduced in change 227291, which replaced fasttrap_copyout (which does not require a process lock) with uwrite (which does). It probably wasn't caught at the time because nobody tested it with INVARIANTS.
>How-To-Repeat:
1) Load a kernel with INVARIANTS enabled.
2) kldload dtraceall
3) Try to dtrace a user process according to the instructions at https://wiki.freebsd.org/DTrace/userland
>Fix:
Possibly could be fixed by reacquiring the process lock before calling uwrite().
>Release-Note:
>Audit-Trail:
>Unformatted:
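As an added illustration that is not part of the PR and not FreeBSD's fasttrap_isa.c, the following userland C model reproduces the lock discipline the report describes: a proc_ops()-style routine that, like the INVARIANTS build, refuses to operate unless the caller holds the process lock; the reported call sequence (lock, unlock, then uwrite() with the lock dropped); and the suggested fix of reacquiring the lock around the uwrite() call. Every struct and function name here is a hypothetical stand-in, the sample bytes are constructed, and the model returns an error code where the real kernel panics so the condition can be checked from a test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed userland model of the lock discipline described in PR 175705.
 * Not FreeBSD code: all struct and function names are hypothetical. */

enum { MODEL_OK = 0, MODEL_NOT_HELD = 1, MODEL_BAD_RANGE = 2 };

struct model_proc {
    int     lock_held;   /* models whether PROC_LOCK(p) is currently held */
    uint8_t mem[16];     /* models the traced process's writable memory */
};

static void model_proc_lock(struct model_proc *p)   { p->lock_held = 1; }
static void model_proc_unlock(struct model_proc *p) { p->lock_held = 0; }

/* Models proc_ops() as built with INVARIANTS: the kernel routine asserts the
 * process lock is held and panics "process not held" otherwise. The model
 * returns MODEL_NOT_HELD instead so the failure is observable. */
static int model_proc_ops(struct model_proc *p, size_t off,
    const uint8_t *src, size_t len)
{
    if (!p->lock_held)
        return (MODEL_NOT_HELD);
    if (off > sizeof(p->mem) || len > sizeof(p->mem) - off)
        return (MODEL_BAD_RANGE);
    memcpy(p->mem + off, src, len);
    return (MODEL_OK);
}

/* Models uwrite(): per the PR, after change 227291 it goes through
 * proc_ops(), so it inherits a lock requirement fasttrap_copyout() lacked. */
static int model_uwrite(struct model_proc *p, size_t off,
    const uint8_t *src, size_t len)
{
    return (model_proc_ops(p, off, src, len));
}

/* The sequence the PR describes: take the lock, drop it, then call
 * uwrite() with the lock no longer held. */
static int probe_buggy(struct model_proc *p, const uint8_t *src, size_t len)
{
    model_proc_lock(p);
    /* ... work done under the lock ... */
    model_proc_unlock(p);
    /* ... work done after the lock was dropped ... */
    return (model_uwrite(p, 0, src, len));   /* lock not held here */
}

/* The fix the PR suggests: reacquire the lock around the uwrite() call. */
static int probe_fixed(struct model_proc *p, const uint8_t *src, size_t len)
{
    int rc;

    model_proc_lock(p);
    model_proc_unlock(p);
    model_proc_lock(p);
    rc = model_uwrite(p, 0, src, len);
    model_proc_unlock(p);
    return (rc);
}

/* Scenario result: status of the uwrite() call, and whether the bytes
 * actually landed in the modelled process memory. */
struct model_result { int rc; int written; };

static struct model_result run_scenario(
    int (*probe)(struct model_proc *, const uint8_t *, size_t))
{
    static const uint8_t sample[4] = { 0xaa, 0xbb, 0xcc, 0xdd }; /* constructed */
    struct model_proc p;
    struct model_result r;

    memset(&p, 0, sizeof(p));
    r.rc = probe(&p, sample, sizeof(sample));
    r.written = (memcmp(p.mem, sample, sizeof(sample)) == 0);
    return (r);
}

struct model_result run_buggy_scenario(void) { return (run_scenario(probe_buggy)); }
struct model_result run_fixed_scenario(void) { return (run_scenario(probe_fixed)); }

int main(void)
{
    struct model_result r = run_buggy_scenario();
    printf("buggy: rc=%d (%s), written=%d\n", r.rc,
        r.rc == MODEL_NOT_HELD ? "process not held" : "ok", r.written);
    r = run_fixed_scenario();
    printf("fixed: rc=%d (%s), written=%d\n", r.rc,
        r.rc == MODEL_NOT_HELD ? "process not held" : "ok", r.written);
    return (0);
}
```

The buggy path fails in the model exactly where the INVARIANTS kernel panics, and nothing is written; the fixed path completes the write and leaves the lock released on return, which is the property a reviewer would want to confirm for the real change as well.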