From: Kris Kennaway
To: Alan Cox
cc: current@freebsd.org
Date: Tue, 18 Jan 2005 18:46:57 -0800
Subject: Re: fstat triggered INVARIANTS panic in memrw()
Message-ID: <20050119024657.GA78197@xor.obsecurity.org>
In-Reply-To: <20050118203153.GM3194@noel.cs.rice.edu>

On Tue, Jan 18, 2005 at 02:31:53PM -0600, Alan Cox wrote:
> > An interesting datapoint is that none of the non-i386 package machines
> > have hit this problem, but the i386 machines can't stay up for more
> > than a few minutes under load (which translates to only a few fstat
> > invocations).
>
> The field f_offset is 64 bits wide. If this were a race between use
> and deallocation of the file structure within the kernel, then I would
> expect f_offset's value to be 0xdeadc0dedeadc0de, not
> 0x00000000deadc0de. More likely than not, the 0xdeadc0de is being
> passed in from user level. The i386 kernel is just not handling it
> gracefully.

Shouldn't this at least be hitting the check in memrw():

	if (!kernacc((caddr_t)(int)uio->uio_offset, c,
	    uio->uio_rw == UIO_READ ? VM_PROT_READ : VM_PROT_WRITE))
		return (EFAULT);
	error = uiomove((caddr_t)(int)uio->uio_offset, (int)c, uio);

(kgdb) print uio->uio_offset
$2 = 3735929054
(kgdb) print uio->uio_rw
$3 = UIO_READ
(kgdb) print c
$4 = 2058814332

Kris
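As an added illustration, not code from this thread or from FreeBSD: a user-space model of what the (caddr_t)(int) cast in the quoted memrw() snippet does to the 64-bit uio_offset on a 32-bit kernel, plus a hypothetical check_window_i386() (an assumption, not the kernel's kernacc) that flags an offset whose high bits were dropped or a window whose end wraps past 0xffffffff, run against the values from the kgdb output above.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of validating an (offset, length) window against a 32-bit
 * address space, the way a 32-bit i386 kernel would see it. */
enum window_status {
    WINDOW_OK = 0,
    WINDOW_OFFSET_TRUNCATED = 1, /* high 32 bits of the 64-bit offset lost */
    WINDOW_WRAPS = 2             /* base + len does not fit in 32 bits */
};

/* Mimic (caddr_t)(int)uio->uio_offset on i386: only the low 32 bits survive. */
static uint32_t truncate_offset_i386(int64_t off)
{
    return (uint32_t)(uint64_t)off;
}

/* Hypothetical defensive check (assumption; not FreeBSD's kernacc()).
 * Rejects a window whose offset lost bits in the cast, or whose end
 * [base, base + len) wraps around the 32-bit address space. */
static enum window_status check_window_i386(int64_t off, uint32_t len,
                                            uint32_t *base_out)
{
    uint32_t base = truncate_offset_i386(off);
    if (base_out != NULL)
        *base_out = base;
    if (((uint64_t)off >> 32) != 0)        /* cast would silently drop bits */
        return WINDOW_OFFSET_TRUNCATED;
    if ((uint64_t)base + len > 0x100000000ULL) /* end past 0xffffffff */
        return WINDOW_WRAPS;
    return WINDOW_OK;
}

int main(void)
{
    /* Values taken from the kgdb output in the mail above. */
    int64_t off = 3735929054LL;   /* 0xdeadc0de */
    uint32_t len = 2058814332u;   /* c */
    uint32_t base;
    enum window_status st = check_window_i386(off, len, &base);
    printf("base=0x%08x len=%u status=%d\n", base, len, (int)st);
    return 0;
}
```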