From owner-freebsd-current@FreeBSD.ORG  Tue Sep 15 12:03:54 2009
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CD8F7106566B
	for <freebsd-current@freebsd.org>; Tue, 15 Sep 2009 12:03:54 +0000 (UTC)
	(envelope-from mel.flynn+fbsd.current@mailing.thruhere.net)
Received: from mailhub.rachie.is-a-geek.net (rachie.is-a-geek.net
	[66.230.99.27]) by mx1.freebsd.org (Postfix) with ESMTP id 72DF38FC12
	for <freebsd-current@freebsd.org>; Tue, 15 Sep 2009 12:03:54 +0000 (UTC)
Received: from smoochies.rachie.is-a-geek.net
	(mailhub.lan.rachie.is-a-geek.net [192.168.2.11])
	by mailhub.rachie.is-a-geek.net (Postfix) with ESMTP id 16F2F7E818;
	Tue, 15 Sep 2009 04:04:06 -0800 (AKDT)
From: Mel Flynn <mel.flynn+fbsd.current@mailing.thruhere.net>
To: freebsd-current@freebsd.org
Date: Tue, 15 Sep 2009 14:03:50 +0200
User-Agent: KMail/1.12.1 (FreeBSD/8.0-BETA4; KDE/4.3.1; i386; ; )
References: <200909142024.49226.mel.flynn+fbsd.current@mailing.thruhere.net>
	<20090915111431.GD47688@deviant.kiev.zoral.com.ua>
In-Reply-To: <20090915111431.GD47688@deviant.kiev.zoral.com.ua>
MIME-Version: 1.0
Content-Type: Text/Plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <200909151403.50609.mel.flynn+fbsd.current@mailing.thruhere.net>
Cc: Kostik Belousov <kostikbel@gmail.com>
Subject: Re: Panic in kern_access
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2009 12:03:55 -0000

On Tuesday 15 September 2009 13:14:31 Kostik Belousov wrote:
> On Mon, Sep 14, 2009 at 08:24:49PM +0200, Mel Flynn wrote:
> > Hi,
> >
> > below some crash info. However, since kib@ made some fixes that seem
> > to relate to this, I shall rebuild my kernel with new sources.
> 
> No my fixes were related to the issue, AFAIR.
> 
> > At the time I was building various ports in a jail and asleep, so no
> > other contributing factors.
> >
> > panic: free: address 0xc62e0e00(0xc62e0000) has not been allocated.
> >
> > #0  doadump () at pcpu.h:246
> > 246   pcpu.h: No such file or directory.
> >    in pcpu.h
> > (kgdb) #0  doadump () at pcpu.h:246
> > #1  0xc0642b57 in boot (howto=260) at
> > /usr/src/sys/kern/kern_shutdown.c:416 #2  0xc0642e49 in panic
> > (fmt=Variable "fmt" is not available.
> > ) at /usr/src/sys/kern/kern_shutdown.c:579
> > #3  0xc062fcfe in free (addr=0x0, mtp=0xc091c330)
> >     at /usr/src/sys/kern/kern_malloc.c:444
> > #4  0xc063b018 in crfree (cr=0xc795ea80) at
> > /usr/src/sys/kern/kern_prot.c:1840
> 
> I want to see the output of
> p/x cr
> and
> p/x cr->cr_groups
> from the frame 4.

(kgdb) p/x cr
$1 = 0xc795ea80
(kgdb) p/x cr->cr_groups
$2 = 0xc62e0e00
(kgdb) p/x *cr->cr_groups
$3 = 0x0
(kgdb) p/x *cr
$4 = {cr_ref = 0x0, cr_uid = 0x0, cr_ruid = 0x0, cr_svuid = 0x0, cr_ngroups = 0x2,
  cr_rgid = 0x0, cr_svgid = 0x0, cr_uidinfo = 0xc5523380, cr_ruidinfo = 0xc5523380,
  cr_prison = 0xcc3a0800, cr_pspare = 0x0, cr_flags = 0x0, cr_pspare2 = {0x0, 0x0},
  cr_label = 0x0, cr_audit = {ai_auid = 0xffffffff, ai_mask = {am_success = 0x0,
      am_failure = 0x0}, ai_termid = {at_port = 0x0, at_type = 0x4, at_addr = {0x0, 0x0,
        0x0, 0x0}}, ai_asid = 0x0, ai_flags = 0x0}, cr_groups = 0xc62e0e00,
  cr_agroups = 0x10}


Hmm, since this is in credentials, would it be relevant that I have patched kern_jail.c
to allow /dev/io access? I don't touch credentials,though and X wasn't running in the jail
at the crash time. Just in case, patch is below.
-- 
Mel

Index: sys/kern/kern_jail.c
===================================================================
--- sys/kern/kern_jail.c	(revision 197210)
+++ sys/kern/kern_jail.c	(working copy)
@@ -160,6 +160,7 @@
 	"allow.mount",
 	"allow.quotas",
 	"allow.socket_af",
+	"allow.dev_io",
 };
 
 static char *pr_allow_nonames[] = {
@@ -170,6 +171,7 @@
 	"allow.nomount",
 	"allow.noquotas",
 	"allow.nosocket_af",
+	"allow.nodev_io",
 };
 
 #define	JAIL_DEFAULT_ALLOW		PR_ALLOW_SET_HOSTNAME
@@ -3738,6 +3740,17 @@
 	case PRIV_NETINET_GETCRED:
 		return (0);
 
+		/*
+		 * Allow access to /dev/io in a jail if the non-jailed admin
+		 * requests this and if /dev/io exists in the jail. This
+		 * allows Xorg to probe a card.
+		 */
+	case PRIV_IO:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_DEV_IO)
+			return (0);
+		else
+			return (EPERM);
+
 	default:
 		/*
 		 * In all remaining cases, deny the privilege request.  This
@@ -3988,6 +4001,10 @@
     CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
     NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
     "Processes in jail can mount/unmount jail-friendly file systems");
+SYSCTL_PROC(_security_jail, OID_AUTO, dev_io_allow,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+    NULL, PR_ALLOW_DEV_IO, sysctl_jail_default_allow, "I",
+    "Processes in jail can access /dev/io");
 
 static int
 sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
@@ -4114,6 +4131,8 @@
     "B", "Jail may set file quotas");
 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, dev_io, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail can access /dev/io if present");
 
 
 #ifdef DDB
Index: sys/sys/jail.h
===================================================================
--- sys/sys/jail.h	(revision 197210)
+++ sys/sys/jail.h	(working copy)
@@ -207,7 +207,8 @@
 #define	PR_ALLOW_MOUNT			0x0010
 #define	PR_ALLOW_QUOTAS			0x0020
 #define	PR_ALLOW_SOCKET_AF		0x0040
-#define	PR_ALLOW_ALL			0x007f
+#define	PR_ALLOW_DEV_IO			0x0080
+#define	PR_ALLOW_ALL			0x00ff
 
 /*
  * OSD methods