From: Ceri Davies
To: Robert Watson
Cc: stable@FreeBSD.org
Date: Sat, 6 Jan 2007 13:25:41 +0000
Subject: Re: (audit?) Panic in 6.2-PRERELEASE
Message-ID: <20070106132540.GG7088@submonkey.net>
In-Reply-To: <20070106120040.N46119@fledge.watson.org>

On Sat, Jan 06, 2007 at 12:01:51PM +0000, Robert Watson wrote:
> On Fri, 5 Jan 2007, Ceri Davies wrote:
>
> >On Fri, Jan 05, 2007 at 01:34:04PM +0000, Robert Watson wrote:
> >>
> >>On Fri, 5 Jan 2007, Ceri Davies wrote:
> >>
> >>>>Much as I would love to trust the contents of ub there, I suspect they
> >>>>can't be trusted.  Could you print the contents of *fp in kern_fstat()
> >>>>in both of those stacks?  I'd particularly like to know the value of
> >>>>fp->f_type, and then depending on the type, possibly the contents of
> >>>>*(struct vnode *)fp->f_vnode for DTYPE_VNODE/TYPE_FIFO or *(struct
> >>>>socket *)fp->f_data in the case of DTYPE_SOCKET.
> >>>
> >>>Can you tell me how to get at *fp given that the stack trace shows
> >>>fstat() and not kern_fstat()?  Sorry if I'm being dumb but I don't know
> >>>how to step into the kern_fstat() call from fstat().
> >>
> >>It could be that the stack is hosed losing the frame, or maybe it's
> >>inlined (more likely the former I think, as kern_fstat() is a symbol used
> >>elsewhere in the kernel).  The best bet may be to use the file descriptor
> >>number (uap->fd) to pull the struct file reference out of the process.
> >>Something on the order of (td->td_proc->p_fd->fd_ofiles[fd]) should
> >>return the right struct file *.
> >
> >OK, got it.  They're both sockets, data in the attachments.
> >
> >>How reproducible is this?
> >
> >So far it's happened this morning and yesterday morning.  I haven't seen
> >it before that.  I don't know the cause so I can't reproduce it at will,
> >but the logs don't give any indication.  Chances are that it will happen
> >again tomorrow, but we'll see.
>
> Hmm.  It looks like you printf *(td->td_proc->p_fd->fd_ofiles) without the
> array index.  Could you repeat that, but with the array index -- i.e.,
> td->td_proc->p_fd->fd_ofiles[uap->fd]?  Also, it would probably be useful
> to print uap->fd.  Right now you're printing stdin (index 0), but if the
> index is non-0, we want a different file.

Very tactfully put :)  Sorry about that.

None of the uap->fd's seem to be valid.  In the first case, uap->fd is
way too high for the length of fd_ofiles, which only has 21 elements:

(kgdb) up 8
#8  0xc04c470d in fstat (td=0xc2eeb180, uap=0xd610dc74) at /usr/src/sys/kern/kern_descrip.c:1075
1075            error = kern_fstat(td, uap->fd, &ub);
(kgdb) p uap->fd
$1 = 89
(kgdb) p *td->td_proc->p_fd->fd_ofiles[uap->fd]
Cannot access memory at address 0x0

In the second, uap->fd is nonsense:

(kgdb) up 8
#8  0xc04c470d in fstat (td=0xc3109300, uap=0xd617ec74) at /usr/src/sys/kern/kern_descrip.c:1075
1075            error = kern_fstat(td, uap->fd, &ub);
(kgdb) p uap->fd
$1 = -1023449232
(kgdb)

Ceri
-- 
That must be wonderful!  I don't understand it at all.
                                                  -- Moliere
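
Added example, not part of the original message and not FreeBSD's own code: a simplified C model of the check done by hand in the kgdb session above, classifying a descriptor against the table length before it is ever used to index fd_ofiles. The type and function names (`filedesc_model`, `fd_triage`, `triage_sample`) and the 21-slot sample table are constructed for illustration, and `fd_nfiles` stands in for the table-length field.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel structures named in the thread. */
struct file_model { int f_type; };

struct filedesc_model {
    struct file_model **fd_ofiles; /* open-file table, indexed by descriptor */
    int fd_nfiles;                 /* number of slots in fd_ofiles */
};

enum fd_status { FD_OK, FD_NEGATIVE, FD_PAST_TABLE, FD_EMPTY_SLOT };

/* Classify a descriptor before indexing, so an invalid value is never
 * used as an array subscript. On FD_OK, *out is the file pointer. */
enum fd_status fd_triage(const struct filedesc_model *fdp, int fd,
                         struct file_model **out)
{
    *out = NULL;
    if (fd < 0)
        return FD_NEGATIVE;
    if (fd >= fdp->fd_nfiles)
        return FD_PAST_TABLE;
    if (fdp->fd_ofiles[fd] == NULL)
        return FD_EMPTY_SLOT;
    *out = fdp->fd_ofiles[fd];
    return FD_OK;
}

/* Constructed sample: a 21-slot table with descriptors 0..2 open. */
static struct file_model sample_files[3] = { {1}, {1}, {2} };
static struct file_model *sample_slots[21] = {
    &sample_files[0], &sample_files[1], &sample_files[2]
};
static const struct filedesc_model sample_table = { sample_slots, 21 };

enum fd_status triage_sample(int fd)
{
    struct file_model *fp;
    return fd_triage(&sample_table, fd, &fp);
}

int main(void)
{
    static const char *names[] = { "ok", "negative", "past table", "empty slot" };
    int fds[] = { 0, 5, 89, -1023449232 }; /* last two are the values from the thread */
    for (size_t i = 0; i < sizeof fds / sizeof fds[0]; i++)
        printf("fd %d: %s\n", fds[i], names[triage_sample(fds[i])]);
    return 0;
}
```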