From owner-freebsd-stable@FreeBSD.ORG Mon May 18 14:09:09 2009 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B403D106564A for ; Mon, 18 May 2009 14:09:09 +0000 (UTC) (envelope-from avg@freebsd.org) Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140]) by mx1.freebsd.org (Postfix) with ESMTP id EAF1D8FC1C for ; Mon, 18 May 2009 14:09:08 +0000 (UTC) (envelope-from avg@freebsd.org) Received: from odyssey.starpoint.kiev.ua (alpha-e.starpoint.kiev.ua [212.40.38.101]) by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id QAA24816 for ; Mon, 18 May 2009 16:50:26 +0300 (EEST) (envelope-from avg@freebsd.org) Message-ID: <4A1167A2.6040407@freebsd.org> Date: Mon, 18 May 2009 16:50:26 +0300 From: Andriy Gapon User-Agent: Thunderbird 2.0.0.21 (X11/20090406) MIME-Version: 1.0 To: freebsd-stable@freebsd.org References: <4A1165A0.6000800@icyb.net.ua> In-Reply-To: <4A1165A0.6000800@icyb.net.ua> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: stack abuse by linux_ioctl_cdrom [Was: double-fault in linux ioctl for atapicam cd device] X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2009 14:09:10 -0000 on 18/05/2009 16:41 Andriy Gapon said the following: > This is recent i386 stable/7. The problem is 100% reproducible with the same stack > trace. The problem happens when I start a Linux program that performs a check on a > cd-rom device (atapi cd-rom that is presented as cd0 by atapicam driver). > I examined the crash dump in kgdb but couldn't find anything peculiar in the > variables, so I guess that this must be stack overflow or something like that. > > In fact, difference between values in %esp in frame 4 and frame 22 is 7500 which > is quite close to KSTACK_PAGES * PAGE_SIZE for i386. > If I did my calculations correctly then it seems that linux_ioctl_cdrom uses > slightly more than 4K of stack, then cam_periph_error uses 828 bytes, > scsi_command_string uses 696, cam_error_print uses 540. In fact almost all of stack usage in linux_ioctl_cdrom comes from struct dvd_struct (2060 bytes) and l_dvd_struct (2056 bytes) variables declared on stack (for LINUX_DVD_READ_STRUCT case). Not sure what's the best way to fix - move to heap? > The backtrace is below. I am keeping the dump. > > (kgdb) bt > #0 doadump () at pcpu.h:196 > #1 0xc0556523 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418 > #2 0xc055676f in panic (fmt=Variable "fmt" is not available. > ) at /usr/src/sys/kern/kern_shutdown.c:574 > #3 0xc0712b69 in dblfault_handler () at /usr/src/sys/i386/i386/trap.c:972 > #4 0xc058380a in kvprintf (fmt=0xc075d204 " ", func=0xc05828e0 , > arg=0xdabf0120, radix=10, ap=0xdabf015c "B") at /usr/src/sys/kern/subr_prf.c:823 > #5 0xc0583c0b in vsnprintf (str=0xdabf03eb "", size=49, format=0xc075d202 "%x ", > ap=0xdabf0158 "B") at /usr/src/sys/kern/subr_prf.c:483 > #6 0xc0583cf9 in snprintf (str=0xdabf03eb "", size=49, format=0xc075d202 "%x ") > at /usr/src/sys/kern/subr_prf.c:467 > #7 0xc0449dc0 in scsi_cdb_string (cdb_ptr=0xc3187c9c "B", cdb_string=0xdabf03eb > "", len=49) at /usr/src/sys/cam/scsi/scsi_all.c:2943 > #8 0xc0449ffd in scsi_command_string (csio=0xc3187c00, sb=0xdabf0440) at > /usr/src/sys/cam/scsi/scsi_all.c:3031 > #9 0xc043db61 in cam_error_string (ccb=0xc3187c00, str=0xdabf04bc > "(cd0:ata0:0:0:0): ", str_len=512, flags=Variable "flags" is not available. > ) at /usr/src/sys/cam/cam.c:262 > #10 0xc043dcb4 in cam_error_print (ccb=0xc3187c00, flags=CAM_ESF_ALL, > proto_flags=CAM_EPF_ALL) at /usr/src/sys/cam/cam.c:341 > #11 0xc043e500 in cam_periph_error (ccb=0xc3187c00, camflags=CAM_RETRY_SELTO, > sense_flags=1, save_ccb=0xc32b3034) at /usr/src/sys/cam/cam_periph.c:1548 > #12 0xc044bcb0 in cderror (ccb=0xc3187c00, cam_flags=2, sense_flags=1) at > /usr/src/sys/cam/scsi/scsi_cd.c:3133 > #13 0xc043ee1a in cam_periph_runccb (ccb=0xc3187c00, error_routine=0xc044bc10 > , camflags=CAM_RETRY_SELTO, sense_flags=1, ds=0xc329fb40) at > /usr/src/sys/cam/cam_periph.c:902 > #14 0xc044c2cb in cdrunccb (ccb=0xc3187c00, error_routine=0xc044bc10 , > cam_flags=2, sense_flags=1) at /usr/src/sys/cam/scsi/scsi_cd.c:1318 > #15 0xc044f684 in cdioctl (dp=0xc3286000, cmd=3222037279, addr=0xdabf1c1c, flag=5, > td=0xc354c230) at /usr/src/sys/cam/scsi/scsi_cd.c:3227 > #16 0xc04f9fa4 in g_disk_ioctl (pp=0xc32c7000, cmd=3222037279, data=0xdabf1c1c, > fflag=5, td=0xc354c230) at /usr/src/sys/geom/geom_disk.c:231 > #17 0xc04f92dd in g_dev_ioctl (dev=0xc33faa00, cmd=3222037279, data=0xdabf1c1c > "\001\001", fflag=5, td=0xc354c230) at /usr/src/sys/geom/geom_dev.c:332 > #18 0xc04e5b87 in devfs_ioctl_f (fp=0xc32d1474, com=3222037279, data=0xdabf1c1c, > cred=0xc4077800, td=0xc354c230) at /usr/src/sys/fs/devfs/devfs_vnops.c:602 > #19 0xc3449ea4 in linux_ioctl_cdrom (td=0xc354c230, args=0xdabf1cfc) at file.h:269 > #20 0xc344978a in linux_ioctl (td=0xc354c230, args=0xdabf1cfc) at > /usr/src/sys/modules/linux/../../compat/linux/linux_ioctl.c:2621 > #21 0xc0713495 in syscall (frame=0xdabf1d38) at /usr/src/sys/i386/i386/trap.c:1090 > #22 0xc07006d0 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:255 > #23 0x00000033 in ?? () > -- Andriy Gapon