Date: Thu, 20 Jan 2000 09:05:26 +0100
From: Wilco Oelen <wilco.oelen@cmg.nl>
To: "'freebsd-bugs@FreeBSD.org'" <freebsd-bugs@FreeBSD.org>
Subject: bug in FreeBSD 3.3-RELEASE
Message-ID: <77BF6063714DD21188A500104BB3F93C170370@NL-GRO-MAIL01>
[-- Attachment #1 --]
Hello,
I think I found a bug in FreeBSD, which allows an ordinary user to cause a
kernel panic. The problem (or bug?) is reported in the attached document.
<<BUG.TXT>>
Could you please answer me if you have a solution for this problem?
Thanks in advance,
Wilco Oelen
A reply can be sent to wilco.oelen@cmg.nl
[-- Attachment #2 --]
Hello,
I want to report a problem, which might be due to a bug in the memory
management system of FreeBSD. As an ordinary user I can cause the system
to panic without the need to have superuser privileges. In order to do
so I used the following program:
-------------------------------------
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    char *a[200];
    int i;

    /* Reserve 200 x 1 MB without writing to it, so no pages are committed. */
    for (i = 0; i < 200; i++) {
        if (i % 10 == 0)
            printf("%d\n", i);      /* progress marker every 10 chunks */
        a[i] = (char *)malloc(1024 * 1024);
        if (!a[i])
            exit(1);                /* stop if malloc() ever fails */
    }
    getchar();                      /* hold the reservation until <ENTER> */
    return 0;
}
----------------------------------------
The program is compiled without any options: cc -o largemem largemem.c,
where largemem is the name of the program given above.
The program allocates 200 MBytes of memory, but does not actually write to
it, so it does not cause any memory pages to be physically written to.
In order to make the kernel panic I do the following:
Log in as ordinary user (either on the local console or through a network
connection with telnet).
Start the program. It prints number 0 up to 19 and waits for a character
to be entered. Pressing <ENTER> stops the program.
I use ^Z in order to suspend the program instead of stopping it.
The above is repeated approximately 10 times.
Next, I bring back the processes in the foreground using 'fg' and press
<ENTER> to make the program stop. I repeat this action, until I have
no jobs left in my current login session. This procedure almost certainly
causes my system to panic with an error message, which can be found in
the kernel source file /usr/src/sys/i386/i386/pmap.c. One message, which
frequently appears is: "pmap_enter: attempted pmap_enter on 4MB page".
Below, I give some info which may help you analyzing the bug report:
Here follows the dmesg output, giving you the kernel info:
-------------------------------------------------------------
Copyright (c) 1992-1999 FreeBSD Inc.
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
FreeBSD 3.3-RELEASE #7: Fri Jan 7 08:17:01 CET 2000
root@ser2.home:/usr/src/sys/compile/HOME
Timecounter "i8254" frequency 1193182 Hz
Timecounter "TSC" frequency 400910606 Hz
CPU: AMD-K6(tm) 3D+ Processor (400.91-MHz 586-class CPU)
Origin = "AuthenticAMD" Id = 0x591 Stepping = 1
Features=0x8021bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX>
AMD Features=0x80000800<SYSCALL,3DNow!>
real memory = 67108864 (65536K bytes)
avail memory = 62611456 (61144K bytes)
Preloaded elf kernel "kernel" at 0xc0288000.
Probing for devices on PCI bus 0:
chip0: <Intel 82439TX System Controller (MTXC)> rev 0x01 on pci0.0.0
chip1: <Intel 82371AB PCI to ISA bridge> rev 0x01 on pci0.7.0
ide_pci0: <Intel PIIX4 Bus-master IDE controller> rev 0x01 on pci0.7.1
chip2: <Intel 82371AB Power management controller> rev 0x01 on pci0.7.3
vx0: <3COM 3C595 Fast Etherlink III PCI> rev 0x00 int a irq 11 on pci0.14.0
utp/tx[*utp*] address 00:a0:24:cf:41:71
Probing for devices on the ISA bus:
sc0 on isa
sc0: VGA color <16 virtual consoles, flags=0x0>
atkbdc0 at 0x60-0x6f on motherboard
atkbd0 irq 1 on isa
sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: FIFO enabled, 8 bytes threshold
fd0: 1.44MB 3.5in
wdc0 at 0x1f0-0x1f7 irq 14 on isa
wdc0: unit 0 (wd0): <QUANTUM FIREBALL1080A>
wd0: 1039MB (2128896 sectors), 2112 cyls, 16 heads, 63 S/T, 512 B/S
wdc1 at 0x170-0x177 irq 15 on isa
wdc1: unit 0 (wd2): <WDC AC2250>
wd2: 244MB (499950 sectors), 1010 cyls, 9 heads, 55 S/T, 512 B/S
wdc1: unit 1 (wd3): <st3120AT>
wd3: 102MB (208896 sectors), 1024 cyls, 12 heads, 17 S/T, 512 B/S
scd0 at 0x340-0x343 on isa
scd0: <SONY CD-ROM CDU33A Rev 1.0f>
ppc0 at 0x378 irq 7 flags 0x40 on isa
ppc0: Generic chipset (NIBBLE-only) in COMPATIBLE mode
ppi0: <generic parallel i/o> on ppbus 0
plip0: <PLIP network interface> on ppbus 0
vga0 at 0x3b0-0x3df maddr 0xa0000 msize 131072 on isa
npx0 on motherboard
npx0: INT 16 interface
changing root device to wd0s1a
Info about the computer on which FreeBSD 3.3-RELEASE is running:
------------------------------------------------------------------
CPU: AMD K6-III, 450 MHz (underclocked to 400 MHz, it runs on an
old mainboard with 66 MHz busclock, highest multiplier
which can be used equals 6).
Mainboard: Chaintech 5TDM2, socket 7 mainboard (66 MHz busclock).
Memory: 64 MByte PC66 SDRAM
Cache: 512 KByte pipeline burst cache on mainboard, but this cache
is mostly overruled by the processor's L2 cache (K6-III has
256 KBytes of L2 cache).
The /etc/fstab file:
---------------------
# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/wd0s1b     none        swap    sw       0     0
/dev/wd2s1b     none        swap    sw       0     0
/dev/wd0s1a     /           ufs     rw       1     1
/dev/wd0s1e     /afs1       ufs     rw       2     2
/dev/wd0s1f     /usr        ufs     rw       2     2
/dev/wd3s1      /home       ufs     rw       2     2
proc            /proc       procfs  rw       0     0
The output of df:
-------------------
Filesystem   1K-blocks    Used   Avail Capacity  Mounted on
/dev/wd0s1a      48415   21978   22564    49%    /
/dev/wd0s1e     193767   31693  146573    18%    /afs1
/dev/wd0s1f     740783  188265  493256    28%    /usr
/dev/wd3s1      100518   43927   48550    48%    /home
procfs               4       4       0   100%    /proc
Swap partitions:
------------------
/dev/wd0s1b : appr. 50 MByte
/dev/wd2s1b : appr. 250 MByte
Kernel configuration:
----------------------
machine "i386"
cpu "I586_CPU"
cpu "I686_CPU"
options "NO_F00F_HACK"
options CPU_WT_ALLOC # K6 feature
options NO_MEMORY_HOLE # K6 feature
makeoptions COPTFLAGS="-O2"
ident HOME
maxusers 32
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
#options MFS #Memory Filesystem
#options MFS_ROOT #MFS usable as root device, "MFS" req'ed
options NFS #Network Filesystem
options NFS_ROOT #NFS usable as root device, "NFS" req'ed
options MSDOSFS #MSDOS Filesystem
options "CD9660" #ISO 9660 Filesystem
#options "CD9660_ROOT" #CD-ROM usable as root. "CD9660" req'ed
options PROCFS #Process filesystem
options "COMPAT_43" #Compatible with BSD 4.3 [KEEP THIS!]
#options SCSI_DELAY=15000 #Be pessimistic about Joe SCSI device
options UCONSOLE #Allow users to grab the console
options FAILSAFE #Be conservative
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
options KTRACE #ktrace(1) syscall trace support
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
config kernel root on wd0
controller isa0
controller pci0
# Floppy drives
controller fdc0 at isa? port "IO_FD1" bio irq 6 drq 2
disk fd0 at fdc0 drive 0
# IDE controller and disks
controller wdc0 at isa? port "IO_WD1" bio irq 14
disk wd0 at wdc0 drive 0
#disk wd1 at wdc0 drive 1
controller wdc1 at isa? port "IO_WD2" bio irq 15
disk wd2 at wdc1 drive 0
disk wd3 at wdc1 drive 1
# ATAPI devices
#options ATAPI #Enable ATAPI support for IDE bus
#options ATAPI_STATIC #Don't do it as an LKM
#device acd0 #IDE CD-ROM
# Proprietary or custom CD-ROM Interfaces
device scd0 at isa? port 0x340 bio
# atkbdc0 controls both the keyboard and the PS/2 mouse
controller atkbdc0 at isa? port IO_KBD tty
device atkbd0 at isa? tty irq 1
#device psm0 at isa? tty irq 12
device vga0 at isa? port ? conflicts
# splash screen/screen saver
pseudo-device splash
# syscons is the default console driver, resembling an SCO console
device sc0 at isa? tty
# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device vt0 at isa? tty
#options XSERVER # support for X server
#options FAT_CURSOR # start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options PCVT_SCANSET=2 # IBM keyboards are non-std
# Floating point support - do not disable.
device npx0 at isa? port IO_NPX irq 13
# Serial (COM) ports
device sio0 at isa? port "IO_COM1" flags 0x10 tty irq 4
device sio1 at isa? port "IO_COM2" tty irq 3
#device sio2 at isa? disable port "IO_COM3" tty irq 5
#device sio3 at isa? disable port "IO_COM4" tty irq 9
# Parallel port
device ppc0 at isa? port? flags 0x40 net irq 7
controller ppbus0 # Parallel port bus (required)
#device lpt0 at ppbus? # Printer
device plip0 at ppbus? # TCP/IP over parallel
device ppi0 at ppbus? # Parallel port interface device
# PCI Ethernet NICs.
device vx0 # 3Com 3c590, 3c595 (``Vortex'')
#device xl0 # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# Pseudo devices - the number indicates how many units to allocated.
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
#pseudo-device sl 1 # Kernel SLIP
pseudo-device ppp 2 # Kernel PPP
options "PPP_BSDCOMP"
pseudo-device tun 1 # Packet tunnel
pseudo-device pty 32 # Pseudo-ttys (telnet etc)
pseudo-device gzip # Exec gzipped a.out's
pseudo-device vn # Allow regular files to be used as devices
I have done the test with the 250 MBytes swap partition removed as well,
leaving only appr. 50 MBytes for swap. This has no effect. I still can
easily panic the system, using the procedure mentioned above.
I also did the test with the compiler option -O2 removed and doing a
complete rebuild of the kernel. This does not solve the problem.
I would be pleased to hear more about this bug report. Things are not
bleeding for me if FreeBSD has this bug, but I think it is serious
enough to be worth posting to you.
It might be due to my hardware setup, but if that is the case, could you
please let me know? The hardware I have is not very special, however,
so I doubt that it is due to hardware problems.
The system runs perfectly stable (also under extreme load, running
350+ processes concurrently which take lots of CPU time and do disk I/O)
for extended periods of time, as long as I do not allocate very
large amounts of memory.
Another thing that surprises me is that I can allocate much more memory
than the sum of available swap space and physical memory. I built
a check into the malloc program, but it does not return NULL-pointers
from the malloc() function, not even if I only have 50 MBytes of swap and
if I run multiple instances of the program.
As soon as I really use the memory (e.g. by writing to it, using memset()),
then I indeed cannot use more than the sum of physical memory and swap. If I
use more, then my program stops because of receipt of a BUS signal.
I hope that this bug report helps you in making FreeBSD even better than
it is now. If you have any questions, do not hesitate to contact me at
my mail address (wilco.oelen@cmg.nl).
With regards,
Wilco Oelen
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?77BF6063714DD21188A500104BB3F93C170370>
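The last two paragraphs of the report describe two facts about virtual memory that are worth seeing in code: malloc() of a large block only reserves address space, so it succeeds well beyond RAM plus swap, and the pages are only charged to the process once they are written. The C program below is an added example written for this page; it is not code from the bug report or from FreeBSD. It uses mincore(2) to count which pages of the malloc()ed chunks are actually resident before and after writing to them, and then shows the control an administrator has over the first symptom: with the soft address-space limit capped (RLIMIT_AS, which FreeBSD also names RLIMIT_VMEM), malloc() returns NULL to an unprivileged process instead of being allowed to reserve hundreds of megabytes. The 1 MiB chunk size follows largemem.c; the 64 MiB measurement size, the 512 MiB cap and the quarter/three-quarter thresholds are arbitrary values chosen for the example, and the prctl(PR_SET_THP_DISABLE) call is a Linux-only precaution so that transparent huge pages do not commit 2 MiB per write and blur the measurement.

```c
/* Added example for this page, not code from the bug report or from FreeBSD: malloc() of a
 * large block only reserves address space, pages become resident only when written, and an
 * RLIMIT_AS cap makes the same malloc() return NULL instead. */
#define _DEFAULT_SOURCE 1            /* mincore(2) prototype under strict -std modes */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>               /* PR_SET_THP_DISABLE, used in measure() */
#endif
#define CHUNK (1024UL * 1024UL)      /* 1 MiB per malloc(), as in largemem.c */
/* Chunks handed out, whole pages inside them, pages resident after malloc() / after writing. */
struct commit_stats { size_t reserved; long pages_total, resident_after_malloc, resident_after_touch; };

/* Count resident pages of [p, p+len) with mincore(2); only whole pages inside the
 * range are examined, so p need not be aligned. Returns -1 on error. */
static long resident_pages(const void *p, size_t len, size_t pagesize)
{
    uintptr_t mask = ~(uintptr_t)(pagesize - 1);
    uintptr_t start = ((uintptr_t)p + pagesize - 1) & mask, end = ((uintptr_t)p + len) & mask;
    size_t i, npages = end > start ? (end - start) / pagesize : 0;
    unsigned char vec[1024];         /* one status byte per page, bit 0 = resident */
    long resident = 0;
    if (npages > sizeof vec || (npages && mincore((void *)start, end - start, (void *)vec) != 0))
        return -1;
    for (i = 0; i < npages; i++)
        resident += vec[i] & 1;
    return resident;
}

/* malloc() n chunks without writing to them (as largemem.c does), then per chunk: count
 * resident pages, write one byte per page so the kernel must back it, count again. */
static struct commit_stats measure(size_t n)
{
    struct commit_stats st = {0, 0, 0, 0};
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE), i, off;
    void **chunks = calloc(n, sizeof *chunks);
#ifdef PR_SET_THP_DISABLE
    prctl(PR_SET_THP_DISABLE, 1, 0, 0, 0);  /* Linux: a transparent huge page would commit 2 MiB at once */
#endif
    if (chunks == NULL)
        return st;
    while (st.reserved < n && (chunks[st.reserved] = malloc(CHUNK)) != NULL)
        st.reserved++;
    for (i = 0; i < st.reserved; i++) {
        unsigned char *c = chunks[i];
        st.pages_total += (long)(CHUNK / pagesize) - ((uintptr_t)c % pagesize != 0); /* whole pages inside */
        st.resident_after_malloc += resident_pages(c, CHUNK, pagesize);
        for (off = 0; off < CHUNK; off += pagesize)
            c[off] = 1;
        st.resident_after_touch += resident_pages(c, CHUNK, pagesize);
        free(c);
    }
    free(chunks);
    return st;
}

/* 1 if reserving left under a quarter of the pages resident and writing made at least 3/4 resident. */
static int lazy_commit_observed(size_t n)
{
    struct commit_stats st = measure(n);
    return st.reserved == n && st.pages_total > 0 && st.resident_after_malloc * 4 < st.pages_total
        && st.resident_after_touch * 4 >= st.pages_total * 3;
}

/* Cap the soft RLIMIT_AS (RLIMIT_VMEM on FreeBSD) at cap bytes, count how many 1 MiB
 * reservations succeed before malloc() returns NULL, restore the limit. SIZE_MAX on error. */
static size_t reserve_under_cap(rlim_t cap, size_t n)
{
    struct rlimit saved, rl;
    void **chunks = calloc(n, sizeof *chunks);
    size_t got = SIZE_MAX, i;
    if (chunks != NULL && getrlimit(RLIMIT_AS, &saved) == 0) {
        rl = saved;
        rl.rlim_cur = cap < saved.rlim_max ? cap : saved.rlim_max;  /* never above the hard limit */
        if (setrlimit(RLIMIT_AS, &rl) == 0) {
            for (got = 0; got < n && (chunks[got] = malloc(CHUNK)) != NULL; got++) ; /* stop at first NULL */
            for (i = 0; i < got; i++)
                free(chunks[i]);
            setrlimit(RLIMIT_AS, &saved);    /* raising the soft limit back is permitted */
        }
    }
    free(chunks);
    return got;
}

int main(void)
{
    struct commit_stats st = measure(64);
    printf("64 x 1 MiB: %ld of %ld pages resident after malloc(), %ld after writing;"
           " with RLIMIT_AS at 512 MiB, %zu of 1024 reservations succeeded\n",
           st.resident_after_malloc, st.pages_total, st.resident_after_touch,
           reserve_under_cap(512UL * 1024 * 1024, 1024));
    return 0;
}
```

It needs no privileges; run it as an ordinary user. The first count is normally zero or close to it and the second equals the page total unless the machine is already swapping, which is the same gap the report notices between a malloc() that "succeeds" and memory that is actually available. The cap can be applied from outside the program as well, with ulimit -v in the shell or a per-class vmemoryuse entry in login.conf(5) on FreeBSD, and that is the practical answer to a user reserving more virtual memory than the system can ever back. A limit like this bounds what one user can reserve; it does not by itself say whether the pmap_enter panic in the report is still reachable below the cap.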
