From owner-freebsd-stable@FreeBSD.ORG  Sat Jan  6 13:25:47 2007
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: stable@FreeBSD.org
Delivered-To: freebsd-stable@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 6A43416A403;
	Sat,  6 Jan 2007 13:25:47 +0000 (UTC)
	(envelope-from ceri@submonkey.net)
Received: from shrike.submonkey.net (cpc2-cdif2-0-0-cust107.cdif.cable.ntl.com
	[81.104.168.108])
	by mx1.freebsd.org (Postfix) with ESMTP id 0997413C428;
	Sat,  6 Jan 2007 13:25:44 +0000 (UTC)
	(envelope-from ceri@submonkey.net)
Received: from ceri by shrike.submonkey.net with local (Exim 4.64 (FreeBSD))
	(envelope-from <ceri@submonkey.net>)
	id 1H3BYL-000JnI-6p; Sat, 06 Jan 2007 13:25:41 +0000
Date: Sat, 6 Jan 2007 13:25:41 +0000
From: Ceri Davies <ceri@submonkey.net>
To: Robert Watson <rwatson@FreeBSD.org>
Message-ID: <20070106132540.GG7088@submonkey.net>
References: <20070105111954.GA51511@submonkey.net>
	<20070105120539.H46119@fledge.watson.org>
	<20070105131528.GB7088@submonkey.net>
	<20070105133028.F98541@fledge.watson.org>
	<20070105150857.GC7088@submonkey.net>
	<20070106120040.N46119@fledge.watson.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="fwqqG+mf3f7vyBCB"
Content-Disposition: inline
In-Reply-To: <20070106120040.N46119@fledge.watson.org>
X-PGP: finger ceri@FreeBSD.org
User-Agent: Mutt/1.5.13 (2006-08-11)
Sender: Ceri Davies <ceri@submonkey.net>
Cc: stable@FreeBSD.org
Subject: Re: (audit?) Panic in 6.2-PRERELEASE
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Jan 2007 13:25:47 -0000


--fwqqG+mf3f7vyBCB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Jan 06, 2007 at 12:01:51PM +0000, Robert Watson wrote:
> On Fri, 5 Jan 2007, Ceri Davies wrote:
>=20
> >On Fri, Jan 05, 2007 at 01:34:04PM +0000, Robert Watson wrote:
> >>
> >>On Fri, 5 Jan 2007, Ceri Davies wrote:
> >>
> >>>>Much as I would love to trust the contents of ub there, I suspect the=
y=20
> >>>>can't be trusted.  Could you print the contents of *fp in kern_fstat(=
)=20
> >>>>in both of those stacks?  I'd particularly like to know the value of=
=20
> >>>>fp->f_type, and then depending on the type, possibly the contents of=
=20
> >>>>*(struct vnode *)fp->f_vnode for DTYPE_VNODE/TYPE_FIFO or *(struct=20
> >>>>socket *)fp->f_data in the case of DTYPE_SOCKET.
> >>>
> >>>Can you tell me how to get at *fp given that the stack trace shows=20
> >>>fstat() and not kern_fstat()?  Sorry if I'm being dumb but I don't kno=
w=20
> >>>how to step into the kern_fstat() call from fstat().
> >>
> >>It could be that the stack is hosed losing the frame, or maybe it's=20
> >>inlined (more likely the former I think, as kern_fstat() is a symbol us=
ed=20
> >>elsewhere in the kernel).  The best bet may be to use the file descript=
or=20
> >>number (uap->fd) to pull the struct file reference out of the process. =
=20
> >>Something on the order of (td->td_proc->p_fd->fd_ofiles[fd]) should=20
> >>return the right struct file *.
> >
> >OK, got it.  They're both sockets, data in the attachments.
> >
> >>How reproduceable is this?
> >
> >So far it's happened this morning and yesterday morning.  I haven't seen=
=20
> >it before that.  I don't know the cause so I can't reproduce it at will,=
=20
> >but the logs don't give any indication.  Chances are that it will happen=
=20
> >again tomorrow, but we'll see.
>=20
> Hmm.  It looks like you printf *(td->td_proc->p_fd->fd_ofiles) without th=
e=20
> array index.  Could you repeat that, but with the array index -- i.e.,=20
> td->td_proc->p_fd->fd_ofiles[uap->fd]?  Also, it would probably be useful=
=20
> to print uap->fd.  Right now you're printing stdin (index 0), but if the=
=20
> index is non-0, we want a different file.

Very tactfully put :)  Sorry about that.

None of the uap->fd's seem to be valid.
In the first case, uap->fd is way too high for the length of fd_ofiles,
which only has 21 elements:

(kgdb) up 8
#8  0xc04c470d in fstat (td=3D0xc2eeb180, uap=3D0xd610dc74) at /usr/src/sys=
/kern/kern_descrip.c:1075
1075            error =3D kern_fstat(td, uap->fd, &ub);
(kgdb) p uap->fd
$1 =3D 89
(kgdb) p *td->td_proc->p_fd->fd_ofiles[uap->fd]
Cannot access memory at address 0x0

In the second, uap->fd is nonsense:

(kgdb) up 8
#8  0xc04c470d in fstat (td=3D0xc3109300, uap=3D0xd617ec74) at /usr/src/sys=
/kern/kern_descrip.c:1075
1075            error =3D kern_fstat(td, uap->fd, &ub);
(kgdb) p uap->fd
$1 =3D -1023449232
(kgdb)

Ceri
--=20
That must be wonderful!  I don't understand it at all.
                                                  -- Moliere

--fwqqG+mf3f7vyBCB
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)

iD8DBQFFn6NUocfcwTS3JF8RAuGMAJ9NSURkDLMAtJmidmVcDCbseAql5gCdEZ3M
VvijBqCGdsYmBlTpQ7hOIKI=
=UgOl
-----END PGP SIGNATURE-----

--fwqqG+mf3f7vyBCB--