Date:      Tue, 18 Jan 2005 18:46:57 -0800
From:      Kris Kennaway <kris@obsecurity.org>
To:        Alan Cox <alc@cs.rice.edu>
Cc:        Kris Kennaway <kris@obsecurity.org>
Subject:   Re: fstat triggered INVARIANTS panic in memrw()
Message-ID:  <20050119024657.GA78197@xor.obsecurity.org>
In-Reply-To: <20050118203153.GM3194@noel.cs.rice.edu>
References:  <20050115083847.GA47466@xor.obsecurity.org> <20050116003432.GA448@xor.obsecurity.org> <20050116050433.GA65733@xor.obsecurity.org> <20050116211349.GG26214@noel.cs.rice.edu> <20050117014746.GA96797@xor.obsecurity.org> <20050117021815.GA8953@xor.obsecurity.org> <20050117023031.GA12825@xor.obsecurity.org> <20050118203153.GM3194@noel.cs.rice.edu>



On Tue, Jan 18, 2005 at 02:31:53PM -0600, Alan Cox wrote:

> > An interesting datapoint is that none of the non-i386 package machines
> > have hit this problem, but the i386 machines can't stay up for more
> > than a few minutes under load (which translates to only a few fstat
> > invocations).
>
> The field f_offset is 64 bits wide.  If this were a race between use
> and deallocation of the file structure within the kernel, then I would
> expect f_offset's value to be 0xdeadc0dedeadc0de, not
> 0x00000000deadc0de.  More likely than not, the 0xdeadc0de is being
> passed in from user level.  The i386 kernel is just not handling it
> gracefully.

Shouldn't this at least be hitting the check in memrw():

                        if (!kernacc((caddr_t)(int)uio->uio_offset, c,
                            uio->uio_rw == UIO_READ ?
                            VM_PROT_READ : VM_PROT_WRITE))
                                return (EFAULT);
                        error = uiomove((caddr_t)(int)uio->uio_offset, (int)c, uio);

(kgdb) print uio->uio_offset
$2 = 3735929054
(kgdb) print uio->uio_rw
$3 = UIO_READ
(kgdb) print c
$4 = 2058814332

Kris
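The following is an added user-space model, not FreeBSD code and not part of the thread. It illustrates two things the exchange above turns on: what narrowing a 64-bit uio_offset with (int) does on a 32-bit platform, and how a [addr, addr + len) check done in 32-bit arithmetic can be satisfied by a length large enough to wrap addr + len around, while an overflow-aware check rejects it. The KVA_START/KVA_END window and the naive_range_ok/checked_range_ok functions are constructed stand-ins and make no claim about how kernacc() itself is implemented; the values 3735929054 and 2058814332 are the ones printed from kgdb above.

```c
/*
 * Added example, not FreeBSD code.  Models (1) the (int) narrowing of a
 * 64-bit uio_offset on a 32-bit target and (2) a range check whose end
 * address wraps when len is large, next to an overflow-aware version.
 * KVA_START/KVA_END are a constructed stand-in for a mapped kernel
 * region; they are not the real kernel_map.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed kernel window [KVA_START, KVA_END). */
#define KVA_START 0xc0000000u
#define KVA_END   0xc8000000u

/* Model of (caddr_t)(int)uio_offset on a 32-bit target: the high 32 bits
 * are discarded, so 0x00000000deadc0de and 0x00000001deadc0de both become
 * the same 32-bit address. */
static uint32_t narrow_offset(int64_t uio_offset)
{
    return (uint32_t)((uint64_t)uio_offset & 0xffffffffu);
}

/* Naive range check: the end address is computed in 32-bit arithmetic,
 * so a large len wraps addr + len to a small value and the window test
 * passes even though addr itself lies outside the window. */
static bool naive_range_ok(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;      /* silently wraps on overflow */
    return addr >= KVA_START && end <= KVA_END;
}

/* Overflow-aware range check: refuse before computing addr + len if the
 * sum cannot be represented in 32 bits, then apply the same window test. */
static bool checked_range_ok(uint32_t addr, uint32_t len)
{
    if (len > UINT32_MAX - addr)    /* addr + len would wrap */
        return false;
    uint32_t end = addr + len;
    return addr >= KVA_START && end <= KVA_END;
}

/* Run the kgdb values quoted in the message through both checks; returns
 * true when the naive check accepts a range the checked version rejects. */
static bool quoted_values_expose_wrap(void)
{
    uint32_t addr = narrow_offset(3735929054LL);   /* 0xdeadc0de */
    uint32_t len  = 2058814332u;                   /* c from kgdb */
    return naive_range_ok(addr, len) && !checked_range_ok(addr, len);
}

int main(void)
{
    uint32_t addr = narrow_offset(3735929054LL);
    uint32_t len  = 2058814332u;

    printf("narrowed offset:     0x%08x\n", addr);
    printf("addr + len (32-bit): 0x%08x\n", (uint32_t)(addr + len));
    printf("naive check:         %s\n",
           naive_range_ok(addr, len) ? "accepts" : "rejects");
    printf("checked check:       %s\n",
           checked_range_ok(addr, len) ? "accepts" : "rejects");
    return 0;
}
```

With the quoted values the 32-bit sum 0xdeadc0de + 0x7ab8a07c wraps to 0x5966615a, which is below the constructed window's upper bound, so the naive comparison alone does not catch it; the point for a reviewer of any memrw()-style path is that both the narrowing cast and the end-address arithmetic need an explicit overflow test.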
