Date: Tue, 18 Jan 2005 18:46:57 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Alan Cox <alc@cs.rice.edu>
Cc: Kris Kennaway <kris@obsecurity.org>
Subject: Re: fstat triggered INVARIANTS panic in memrw()
Message-ID: <20050119024657.GA78197@xor.obsecurity.org>
In-Reply-To: <20050118203153.GM3194@noel.cs.rice.edu>
References: <20050115083847.GA47466@xor.obsecurity.org> <20050116003432.GA448@xor.obsecurity.org> <20050116050433.GA65733@xor.obsecurity.org> <20050116211349.GG26214@noel.cs.rice.edu> <20050117014746.GA96797@xor.obsecurity.org> <20050117021815.GA8953@xor.obsecurity.org> <20050117023031.GA12825@xor.obsecurity.org> <20050118203153.GM3194@noel.cs.rice.edu>
On Tue, Jan 18, 2005 at 02:31:53PM -0600, Alan Cox wrote:
> > An interesting datapoint is that none of the non-i386 package machines
> > have hit this problem, but the i386 machines can't stay up for more
> > than a few minutes under load (which translates to only a few fstat
> > invocations).
>
> The field f_offset is 64 bits wide. If this were a race between use
> and deallocation of the file structure within the kernel, then I would
> expect f_offset's value to be 0xdeadc0dedeadc0de, not
> 0x00000000deadc0de. More likely than not, the 0xdeadc0de is being
> passed in from user level. The i386 kernel is just not handling it
> gracefully.
Shouldn't this at least be hitting the check in memrw():
	if (!kernacc((caddr_t)(int)uio->uio_offset, c,
	    uio->uio_rw == UIO_READ ?
	    VM_PROT_READ : VM_PROT_WRITE))
		return (EFAULT);
	error = uiomove((caddr_t)(int)uio->uio_offset, (int)c, uio);
(kgdb) print uio->uio_offset
$2 = 3735929054
(kgdb) print uio->uio_rw
$3 = UIO_READ
(kgdb) print c
$4 = 2058814332
Kris
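Added example, not code from the thread or from FreeBSD: a small C helper that models the narrowing (caddr_t)(int)uio->uio_offset cast in the quoted memrw() fragment and applies it to the values printed in the kgdb session, reporting whether the 64-bit offset lost its high bits and whether offset plus count runs past a 32-bit address space. check_kmem_range, struct range_check and the two KGDB_ constants are my own names; the 32-bit pointer width is assumed for i386.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Values printed in the kgdb session quoted in this message. */
#define KGDB_UIO_OFFSET 3735929054ULL   /* 0x00000000deadc0de */
#define KGDB_COUNT      2058814332ULL   /* 0x7ab6037c */

/* Outcome of vetting an (offset, count) pair before it reaches a
 * pointer-width access check such as kernacc(). */
struct range_check {
    uint32_t addr;        /* what (caddr_t)(int)uio_offset yields on i386 */
    bool high_bits_lost;  /* the 64-bit offset did not fit in 32 bits */
    bool wraps;           /* addr + count exceeds the 32-bit address space */
};

/* Models the narrowing cast from the memrw() fragment: the 64-bit
 * off_t is truncated to the 32-bit int that becomes the address on
 * i386. A hardened caller would refuse the request when either flag
 * is set instead of trusting the truncated address. (Hypothetical
 * helper, not FreeBSD code.) */
struct range_check check_kmem_range(uint64_t offset, uint64_t count)
{
    struct range_check r;

    r.addr = (uint32_t)offset;
    r.high_bits_lost = (offset >> 32) != 0;
    /* Add in 64 bits so the wrap-around itself cannot hide the result. */
    r.wraps = ((uint64_t)r.addr + count) > 0xFFFFFFFFULL;
    return r;
}

int main(void)
{
    struct range_check a = check_kmem_range(KGDB_UIO_OFFSET, KGDB_COUNT);
    printf("kgdb values: addr=0x%08x high_bits_lost=%d wraps=%d\n",
           a.addr, a.high_bits_lost, a.wraps);

    /* The fully poisoned 64-bit pattern Alan Cox mentions truncates to
     * the very same 32-bit address, so the cast alone cannot tell the
     * two cases apart. */
    struct range_check b = check_kmem_range(0xdeadc0dedeadc0deULL, 1);
    printf("poisoned offset: addr=0x%08x high_bits_lost=%d wraps=%d\n",
           b.addr, b.high_bits_lost, b.wraps);
    return 0;
}
```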
