Date:      Wed, 15 Sep 2004 10:54:56 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Robert Watson <robert@fledge.watson.org>
Cc:        current@freebsd.org
Subject:   Re: Possible NULL pointer deref in sched_add() via maybe_preempt() and kse_release()
Message-ID:  <414881F0.10807@elischer.org>
In-Reply-To: <Pine.NEB.3.96L.1040915115816.89730E-100000@fledge.watson.org>
References:  <Pine.NEB.3.96L.1040915115816.89730E-100000@fledge.watson.org>

looks like the same problem as at:

http://www.holm.cc/stress/log/julian3.html

I'm pulling my hair out over this one :-)


Robert Watson wrote:

>On Wed, 15 Sep 2004, Robert Watson wrote:
>
>  
>
>> Fatal trap 12: page fault while in kernel mode
>>cpuid = 0; apic id = 00
>>fault virtual address   = 0x150
>>fault code              = supervisor read, page not present
>>instruction pointer     = 0x8:0xc06224de
>>stack pointer           = 0x10:0xef1b1b28
>>frame pointer           = 0x10:0xef1b1b38
>>code segment            = base 0x0, limit 0xfffff, type 0x1b
>>                        = DPL 0, pres 1, def32 1, gran 1
>>processor eflags        = resume, IOPL = 0
>>current process         = 572 (mysqld)
>>    
>>
>
>Here's what kgdb has to say about it:
>
>(kgdb) bt
>#0  doadump () at pcpu.h:159
>#1  0xc045fb46 in db_fncall (dummy1=0, dummy2=0, dummy3=-283436652, 
>    dummy4=0xef1b197c "°\031\033ï\200%") at ../../../ddb/db_command.c:531
>#2  0xc045f954 in db_command (last_cmdp=0xc08b3444, cmd_table=0x0, 
>    aux_cmd_tablep=0xc0833e58, aux_cmd_tablep_end=0xc0833e74)
>    at ../../../ddb/db_command.c:349
>#3  0xc045fa1c in db_command_loop () at ../../../ddb/db_command.c:455
>#4  0xc0461595 in db_trap (type=12, code=0) at ../../../ddb/db_main.c:221
>#5  0xc0629a6b in kdb_trap (type=12, code=0, tf=0x1)
>    at ../../../kern/subr_kdb.c:418
>#6  0xc07af89d in trap_fatal (frame=0xef1b1ae8, eva=336)
>    at ../../../i386/i386/trap.c:804
>#7  0xc07aefc5 in trap (frame=
>      {tf_fs = -283443176, tf_es = -1067319280, tf_ds = -1032323056,
>tf_edi = 3, tf_esi = 0, tf_ebp = -283436232, tf_isp = -283436268, tf_ebx =
>-1032909760, tf_edx = 0, tf_ecx = 0, tf_eax = -1032909672, tf_trapno = 12,
>tf_err = 0, tf_eip = -1067309858, tf_cs = 8, tf_eflags = 65670, tf_esp =
>0, tf_ss = -1032909760}) at ../../../i386/i386/trap.c:247
>#8  0xc079d1fa in calltrap () at ../../../i386/i386/exception.s:140
>#9  0xef1b0018 in ?? ()
>#10 0xc0620010 in link_elf_preload_parse_symbols (ef=0xc26f0c40)
>    at ../../../kern/link_elf.c:348
>#11 0xc0622c07 in setrunqueue (td=0xc27867d0, flags=3) at
>kern_switch.c:419
>#12 0xc06222ce in sched_switch (td=0xc27867d0, newtd=0xc2a93af0, flags=2)
>    at ../../../kern/sched_4bsd.c:822
>#13 0xc0618882 in mi_switch (flags=2, newtd=0xc2a93af0)
>    at ../../../kern/kern_synch.c:340
>#14 0xc0622d93 in maybe_preempt (td=0xc2a93af0) at kern_switch.c:544
>#15 0xc06225cb in sched_add (td=0xc2a93af0, flags=0)
>    at ../../../kern/sched_4bsd.c:1021
>#16 0xc0622c07 in setrunqueue (td=0xc2a93af0, flags=0) at
>kern_switch.c:419
>#17 0xc0631bd3 in turnstile_unpend (ts=0x0)
>    at ../../../kern/subr_turnstile.c:739
>#18 0xc060950c in _mtx_unlock_sleep (m=0xc2785cac, opts=0, file=0x0,
>line=0)
>    at ../../../kern/kern_mutex.c:673
>#19 0xc062efdc in sleepq_catch_signals (wchan=0xc26f0c80)
>    at ../../../kern/subr_sleepqueue.c:363
>#20 0xc06184e1 in msleep (ident=0xc26f0c80, mtx=0xc2785cac, priority=360, 
>    wmesg=0xc081471e "kserel", timo=127) at ../../../kern/kern_synch.c:208
>#21 0xc05ffb6f in kse_release (td=0xc27867d0, uap=0xef1b1d14)
>    at ../../../kern/kern_kse.c:419
>#22 0xc07afbdb in syscall (frame=
>      {tf_fs = 176750639, tf_es = 137363503, tf_ds = -1079443409, tf_edi =
>137379840, tf_esi = 0, tf_ebp = 137400260, tf_isp = -283435660, tf_ebx =
>674489788, tf_edx = 137372544, tf_ecx = 0, tf_eax = 383, tf_trapno = 0,
>tf_err = 2, tf_eip = 674474523, tf_cs = 31, tf_eflags = 518, tf_esp =
>137400200, tf_ss = 47})
>    at ../../../i386/i386/trap.c:1001
>#23 0xc079d24f in Xint0x80_syscall () at
>../../../i386/i386/exception.s:201
>
>It looks like kgdb is somehow confused regarding kern_link.c.  kgdb won't
>let me walk up the stack because it complains about a corrupted frame.  I
>can jump directly to it, however:
>
>(kgdb) frame 11
>#11 0xc0622c07 in setrunqueue (td=0xc27867d0, flags=3) at
>kern_switch.c:419
>419                     sched_add(td2, flags);
>(kgdb) inspect *td
>$1 = {td_proc = 0xc2785c40, td_ksegrp = 0xc26f0c40, td_plist = {
>    tqe_next = 0xc2a93af0, tqe_prev = 0xc2785c50}, td_kglist = {
>    tqe_next = 0xc2a93af0, tqe_prev = 0xc26f0c4c}, td_slpq = {tqe_next =
>0x0, 
>    tqe_prev = 0xc2a93338}, td_lockq = {tqe_next = 0x0, 
>    tqe_prev = 0xef2d2c44}, td_runq = {tqe_next = 0x0, 
>    tqe_prev = 0xc26f0c54}, td_selq = {tqh_first = 0x0, tqh_last = 0x0}, 
>  td_sleepqueue = 0x0, td_turnstile = 0xc2960c00, td_tid = 100105, 
>  td_flags = 16842760, td_inhibitors = 0, td_pflags = 392, td_dupfd = 0, 
>  td_wchan = 0xc26f0c80, td_wmesg = 0xc081471e "kserel", td_lastcpu = 0
>'\0', 
>  td_oncpu = 255 'ÿ', td_locks = 0, td_blocked = 0x0, td_ithd = 0x0, 
>  td_lockname = 0x0, td_contested = {lh_first = 0x0}, td_sleeplocks = 0x0, 
>  td_intr_nesting_level = 0, td_pinned = 0, td_mailbox = 0x0, 
>  td_ucred = 0xc2a7be00, td_standin = 0xc3d28af0, td_prticks = 0, 
>  td_upcall = 0xc2a92000, td_sticks = 138, td_uuticks = 0, td_usticks = 0, 
>  td_intrval = 0, td_oldsigmask = {__bits = {0, 0, 0, 0}}, td_sigmask = {
>    __bits = {4294901503, 4294967295, 4294967295, 4294967295}}, td_siglist
>= {
>    __bits = {0, 0, 0, 0}}, td_waitset = 0x0, td_umtx = {tqe_next = 0x0, 
>    tqe_prev = 0x0}, td_generation = 73879, td_sigstk = {ss_sp = 0x0, 
>    ss_size = 0, ss_flags = 0}, td_kflags = 1, td_xsig = 0, 
>  td_profil_addr = 0, td_profil_ticks = 0, td_base_pri = 104 'h', 
>  td_priority = 104 'h', td_pcb = 0xef1b1da0, td_state = TDS_RUNQ, 
>  td_retval = {0, 137372544}, td_slpcallout = {c_links = {sle = {
>        sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xd62cf3e8}}, 
>    c_time = 6666649, c_arg = 0xc27867d0, 
>    c_func = 0xc062f79c <sleepq_timeout>, c_flags = 14}, 
>  td_frame = 0xef1b1d48, td_kstack_obj = 0xc274e084, td_kstack = 4011524096, 
>  td_kstack_pages = 2, td_altkstack_obj = 0x0, td_altkstack = 0, 
>  td_altkstack_pages = 0, td_critnest = 2, td_md = {md_savecrit = 582}, 
>  td_sched = 0xc2786924}
>
>_______________________________________________
>freebsd-current@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-current
>To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
>  
>
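Added example, not part of this thread and not FreeBSD code: the trap report quoted above gives two numbers worth decoding by hand, "fault virtual address = 0x150" (eva=336 in frame #6) and tf_err = 0 in frame #7. The helper below decodes the i386 page-fault error code bits the way trap_fatal() words them, classifies a page-zero fault as a NULL struct pointer plus member offset, and maps that offset to a member name. The struct used for the lookup is a constructed stand-in with a pointer placed at 0x150; it is NOT FreeBSD's struct thread, so which real member sits at 0x150 is not something this example can tell you.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Low three bits of the x86 page-fault error code (Intel SDM vol. 3,
 * "Interrupt 14 - Page-Fault Exception"). tf_err in the trap frame above is 0. */
#define PF_P   0x1u   /* set: protection violation; clear: page not present */
#define PF_WR  0x2u   /* set: write access;         clear: read access */
#define PF_US  0x4u   /* set: user mode;            clear: supervisor mode */

#define PAGE_SIZE_I386 4096u

enum fault_kind { FAULT_NULL_DEREF, FAULT_OTHER };

/* Render the error code the way FreeBSD's trap_fatal() prints "fault code". */
const char *describe_fault_code(uint32_t err, char *buf, size_t n)
{
    snprintf(buf, n, "%s %s, %s",
             (err & PF_US) ? "user" : "supervisor",
             (err & PF_WR) ? "write" : "read",
             (err & PF_P)  ? "protection violation" : "page not present");
    return buf;
}

/* A fault address inside the first page (never mapped in the kernel) is,
 * in practice, a NULL struct pointer plus the offset of the member touched. */
enum fault_kind classify_eva(uintptr_t eva, uintptr_t *offset_out)
{
    if (eva < PAGE_SIZE_I386) {
        if (offset_out)
            *offset_out = eva;
        return FAULT_NULL_DEREF;
    }
    if (offset_out)
        *offset_out = 0;
    return FAULT_OTHER;
}

/* Constructed stand-in layout (NOT FreeBSD's struct thread): it merely puts
 * a pointer member at offset 0x150 so the lookup below has something to find. */
struct sample_thread {
    uint32_t words[84];      /* 84 * 4 = 0x150 bytes */
    void    *ptr_at_0x150;
    uint32_t flags;
};

struct member { const char *name; size_t off; size_t size; };

#define MEMBER(T, m) { #m, offsetof(T, m), sizeof(((T *)0)->m) }

static const struct member sample_members[] = {
    MEMBER(struct sample_thread, words),
    MEMBER(struct sample_thread, ptr_at_0x150),
    MEMBER(struct sample_thread, flags),
};

/* Map a NULL-deref offset to the member whose storage contains it; NULL if none. */
const char *member_at(size_t off)
{
    size_t i;
    for (i = 0; i < sizeof sample_members / sizeof sample_members[0]; i++)
        if (off >= sample_members[i].off &&
            off <  sample_members[i].off + sample_members[i].size)
            return sample_members[i].name;
    return NULL;
}

/* One-shot diagnosis from the two numbers a trap_fatal() report gives you. */
const char *diagnose(uintptr_t eva, uint32_t err, char *buf, size_t n)
{
    char code[48];
    uintptr_t off;

    describe_fault_code(err, code, sizeof code);
    if (classify_eva(eva, &off) == FAULT_NULL_DEREF) {
        const char *m = member_at(off);
        snprintf(buf, n, "%s at 0x%lx: NULL pointer + 0x%lx (member %s)",
                 code, (unsigned long)eva, (unsigned long)off, m ? m : "unknown");
    } else {
        snprintf(buf, n, "%s at 0x%lx: not a page-zero fault",
                 code, (unsigned long)eva);
    }
    return buf;
}

int main(void)
{
    char buf[160];
    /* Values taken from the trap report in this thread: eva = 0x150, tf_err = 0. */
    puts(diagnose(0x150, 0, buf, sizeof buf));
    return 0;
}
```

Run against the report's values it prints "supervisor read, page not present at 0x150: NULL pointer + 0x150 (member ptr_at_0x150)"; with the real kernel you would replace the stand-in struct by the actual layout (e.g. from kgdb's "print &((struct thread *)0)->member") to name the member.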