Date:      Wed, 15 Sep 2004 12:42:13 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        current@FreeBSD.org
Subject:   Re: Possible NULL pointer deref in sched_add() via maybe_preempt() and kse_release()
Message-ID:  <Pine.NEB.3.96L.1040915115816.89730E-100000@fledge.watson.org>
In-Reply-To: <Pine.NEB.3.96L.1040915105648.89730A-100000@fledge.watson.org>


On Wed, 15 Sep 2004, Robert Watson wrote:

>  Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address   = 0x150
> fault code              = supervisor read, page not present
> instruction pointer     = 0x8:0xc06224de
> stack pointer           = 0x10:0xef1b1b28
> frame pointer           = 0x10:0xef1b1b38
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = resume, IOPL = 0
> current process         =3D 572 (mysqld)

Here's what kgdb has to say about it:

(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc045fb46 in db_fncall (dummy1=0, dummy2=0, dummy3=-283436652,
    dummy4=0xef1b197c "°\031\033ï\200%") at ../../../ddb/db_command.c:531
#2  0xc045f954 in db_command (last_cmdp=0xc08b3444, cmd_table=0x0,
    aux_cmd_tablep=0xc0833e58, aux_cmd_tablep_end=0xc0833e74)
    at ../../../ddb/db_command.c:349
#3  0xc045fa1c in db_command_loop () at ../../../ddb/db_command.c:455
#4  0xc0461595 in db_trap (type=12, code=0) at ../../../ddb/db_main.c:221
#5  0xc0629a6b in kdb_trap (type=12, code=0, tf=0x1)
    at ../../../kern/subr_kdb.c:418
#6  0xc07af89d in trap_fatal (frame=0xef1b1ae8, eva=336)
    at ../../../i386/i386/trap.c:804
#7  0xc07aefc5 in trap (frame=
      {tf_fs = -283443176, tf_es = -1067319280, tf_ds = -1032323056,
      tf_edi = 3, tf_esi = 0, tf_ebp = -283436232, tf_isp = -283436268,
      tf_ebx = -1032909760, tf_edx = 0, tf_ecx = 0, tf_eax = -1032909672,
      tf_trapno = 12, tf_err = 0, tf_eip = -1067309858, tf_cs = 8,
      tf_eflags = 65670, tf_esp = 0, tf_ss = -1032909760})
    at ../../../i386/i386/trap.c:247
#8  0xc079d1fa in calltrap () at ../../../i386/i386/exception.s:140
#9  0xef1b0018 in ?? ()
#10 0xc0620010 in link_elf_preload_parse_symbols (ef=0xc26f0c40)
    at ../../../kern/link_elf.c:348
#11 0xc0622c07 in setrunqueue (td=0xc27867d0, flags=3)
    at kern_switch.c:419
#12 0xc06222ce in sched_switch (td=0xc27867d0, newtd=0xc2a93af0, flags=2)
    at ../../../kern/sched_4bsd.c:822
#13 0xc0618882 in mi_switch (flags=2, newtd=0xc2a93af0)
    at ../../../kern/kern_synch.c:340
#14 0xc0622d93 in maybe_preempt (td=0xc2a93af0) at kern_switch.c:544
#15 0xc06225cb in sched_add (td=0xc2a93af0, flags=0)
    at ../../../kern/sched_4bsd.c:1021
#16 0xc0622c07 in setrunqueue (td=0xc2a93af0, flags=0)
    at kern_switch.c:419
#17 0xc0631bd3 in turnstile_unpend (ts=0x0)
    at ../../../kern/subr_turnstile.c:739
#18 0xc060950c in _mtx_unlock_sleep (m=0xc2785cac, opts=0, file=0x0,
    line=0) at ../../../kern/kern_mutex.c:673
#19 0xc062efdc in sleepq_catch_signals (wchan=0xc26f0c80)
    at ../../../kern/subr_sleepqueue.c:363
#20 0xc06184e1 in msleep (ident=0xc26f0c80, mtx=0xc2785cac, priority=360,
    wmesg=0xc081471e "kserel", timo=127) at ../../../kern/kern_synch.c:208
#21 0xc05ffb6f in kse_release (td=0xc27867d0, uap=0xef1b1d14)
    at ../../../kern/kern_kse.c:419
#22 0xc07afbdb in syscall (frame=
      {tf_fs = 176750639, tf_es = 137363503, tf_ds = -1079443409,
      tf_edi = 137379840, tf_esi = 0, tf_ebp = 137400260,
      tf_isp = -283435660, tf_ebx = 674489788, tf_edx = 137372544,
      tf_ecx = 0, tf_eax = 383, tf_trapno = 0, tf_err = 2,
      tf_eip = 674474523, tf_cs = 31, tf_eflags = 518, tf_esp = 137400200,
      tf_ss = 47})
    at ../../../i386/i386/trap.c:1001
#23 0xc079d24f in Xint0x80_syscall ()
    at ../../../i386/i386/exception.s:201

It looks like kgdb is somehow confused regarding kern_link.c.  kgdb won't
let me walk up the stack because it complains about a corrupted frame.  I
can jump directly to it, however:

(kgdb) frame 11
#11 0xc0622c07 in setrunqueue (td=0xc27867d0, flags=3)
    at kern_switch.c:419
419                     sched_add(td2, flags);
(kgdb) inspect *td
$1 = {td_proc = 0xc2785c40, td_ksegrp = 0xc26f0c40, td_plist = {
    tqe_next = 0xc2a93af0, tqe_prev = 0xc2785c50}, td_kglist = {
    tqe_next = 0xc2a93af0, tqe_prev = 0xc26f0c4c}, td_slpq = {tqe_next = 0x0,
    tqe_prev = 0xc2a93338}, td_lockq = {tqe_next = 0x0,
    tqe_prev = 0xef2d2c44}, td_runq = {tqe_next = 0x0,
    tqe_prev = 0xc26f0c54}, td_selq = {tqh_first = 0x0, tqh_last = 0x0},
  td_sleepqueue = 0x0, td_turnstile = 0xc2960c00, td_tid = 100105,
  td_flags = 16842760, td_inhibitors = 0, td_pflags = 392, td_dupfd = 0,
  td_wchan = 0xc26f0c80, td_wmesg = 0xc081471e "kserel", td_lastcpu = 0 '\0',
  td_oncpu = 255 'ÿ', td_locks = 0, td_blocked = 0x0, td_ithd = 0x0,
  td_lockname = 0x0, td_contested = {lh_first = 0x0}, td_sleeplocks = 0x0,
  td_intr_nesting_level = 0, td_pinned = 0, td_mailbox = 0x0,
  td_ucred = 0xc2a7be00, td_standin = 0xc3d28af0, td_prticks = 0,
  td_upcall = 0xc2a92000, td_sticks = 138, td_uuticks = 0, td_usticks = 0,
  td_intrval = 0, td_oldsigmask = {__bits = {0, 0, 0, 0}}, td_sigmask = {
    __bits = {4294901503, 4294967295, 4294967295, 4294967295}}, td_siglist = {
    __bits = {0, 0, 0, 0}}, td_waitset = 0x0, td_umtx = {tqe_next = 0x0,
    tqe_prev = 0x0}, td_generation = 73879, td_sigstk = {ss_sp = 0x0,
    ss_size = 0, ss_flags = 0}, td_kflags = 1, td_xsig = 0,
  td_profil_addr = 0, td_profil_ticks = 0, td_base_pri = 104 'h',
  td_priority = 104 'h', td_pcb = 0xef1b1da0, td_state = TDS_RUNQ,
  td_retval = {0, 137372544}, td_slpcallout = {c_links = {sle = {
        sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xd62cf3e8}},
    c_time = 6666649, c_arg = 0xc27867d0,
    c_func = 0xc062f79c <sleepq_timeout>, c_flags = 14},
  td_frame = 0xef1b1d48, td_kstack_obj = 0xc274e084, td_kstack = 4011524096,
  td_kstack_pages = 2, td_altkstack_obj = 0x0, td_altkstack = 0,
  td_altkstack_pages = 0, td_critnest = 2, td_md = {md_savecrit = 582},
  td_sched = 0xc2786924}
