From owner-freebsd-current@FreeBSD.ORG Wed Jan 19 05:02:57 2005
Return-Path:
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E17DB16A4CE for ; Wed, 19 Jan 2005 05:02:57 +0000 (GMT)
Received: from cs.rice.edu (cs.rice.edu [128.42.1.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id B220A43D5A for ; Wed, 19 Jan 2005 05:02:57 +0000 (GMT) (envelope-from alc@cs.rice.edu)
Received: from localhost (calypso.cs.rice.edu [128.42.1.127]) by cs.rice.edu (Postfix) with ESMTP id DB87B4AA7B; Tue, 18 Jan 2005 23:02:56 -0600 (CST)
Received: from cs.rice.edu ([128.42.1.30]) by localhost (calypso.cs.rice.edu [128.42.1.127]) (amavisd-new, port 10024) with LMTP id 17748-01-24; Tue, 18 Jan 2005 23:02:56 -0600 (CST)
Received: from noel.cs.rice.edu (noel.cs.rice.edu [128.42.1.136]) by cs.rice.edu (Postfix) with ESMTP id E3FC94AA78; Tue, 18 Jan 2005 23:02:55 -0600 (CST)
Received: (from alc@localhost) by noel.cs.rice.edu (8.12.10+Sun/8.12.9/Submit) id j0J52K9G009898; Tue, 18 Jan 2005 23:02:20 -0600 (CST)
Date: Tue, 18 Jan 2005 23:02:20 -0600
From: Alan Cox
To: Kris Kennaway
Message-ID: <20050119050220.GU3194@noel.cs.rice.edu>
References: <20050115083847.GA47466@xor.obsecurity.org> <20050116003432.GA448@xor.obsecurity.org> <20050116050433.GA65733@xor.obsecurity.org> <20050116211349.GG26214@noel.cs.rice.edu> <20050117014746.GA96797@xor.obsecurity.org> <20050117021815.GA8953@xor.obsecurity.org> <20050117023031.GA12825@xor.obsecurity.org> <20050118203153.GM3194@noel.cs.rice.edu> <20050119024657.GA78197@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050119024657.GA78197@xor.obsecurity.org>
User-Agent: Mutt/1.3.28i
X-Virus-Scanned: by amavis-20030616-p7 at cs.rice.edu
cc: Alan Cox
cc: current@freebsd.org
cc: krentel@dreamscape.com
Subject: Re: fstat triggered INVARIANTS panic in memrw()
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 19 Jan 2005 05:02:58 -0000

On Tue, Jan 18, 2005 at 06:46:57PM -0800, Kris Kennaway wrote:
> On Tue, Jan 18, 2005 at 02:31:53PM -0600, Alan Cox wrote:
> >
> > > An interesting datapoint is that none of the non-i386 package machines
> > > have hit this problem, but the i386 machines can't stay up for more
> > > than a few minutes under load (which translates to only a few fstat
> > > invocations).
> >
> > The field f_offset is 64 bits wide.  If this were a race between use
> > and deallocation of the file structure within the kernel, then I would
> > expect f_offset's value to be 0xdeadc0dedeadc0de, not
> > 0x00000000deadc0de.  More likely than not, the 0xdeadc0de is being
> > passed in from user level.  The i386 kernel is just not handling it
> > gracefully.
>
> Shouldn't this at least be hitting the check in memrw():
>
>                 if (!kernacc((caddr_t)(int)uio->uio_offset, c,
>                     uio->uio_rw == UIO_READ ?
>                     VM_PROT_READ : VM_PROT_WRITE))
>                         return (EFAULT);
>                 error = uiomove((caddr_t)(int)uio->uio_offset, (int)c, uio);
>
> (kgdb) print uio->uio_offset
> $2 = 3735929054
> (kgdb) print uio->uio_rw
> $3 = UIO_READ
> (kgdb) print c
> $4 = 2058814332

Yes, it should.  :-)

The problem is two-fold.  First, kernacc(), unlike useracc(), doesn't check for address wrap, i.e., end < start.  Presumably the author of kernacc() assumed that kernel code would never call kernacc() with such dubious arguments.  Second, vm_map_check_protection() returns "success" whenever address wrap occurs.

Alan
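The wrap the reply describes, as an added example that is not part of this thread or of the FreeBSD source: a small C model of the i386 arithmetic, run on the uio_offset and c values from the kgdb output above, showing that a protection walk with no end < start test reports success on the wrapped range while the useracc()-style test rejects it. The names (range_end32, check_protection_model, kernacc_unfixed_model, kernacc_fixed_model) and the KERN_LO/KERN_HI window are constructed assumptions, not FreeBSD's real functions or layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical models constructed for this example: the i386 arithmetic on
 * a (start, len) pair, not FreeBSD's kernacc()/vm_map_check_protection(). */
#define KERN_LO 0xc0000000u   /* constructed placeholder: only mapped window */
#define KERN_HI 0xc0400000u

/* Exclusive end of [start, start+len) as i386 computes it: wraps mod 2^32. */
static uint32_t range_end32(uint32_t start, uint32_t len)
{
    return start + len;
}

/* Models "success whenever address wrap occurs": the page walk from start to
 * end never executes when end < start, so the walk reports success. */
static bool check_protection_model(uint32_t start, uint32_t end)
{
    for (uint32_t addr = start; addr < end; addr += 4096)
        if (addr < KERN_LO || addr >= KERN_HI)
            return false;   /* unmapped page: deny */
    return true;            /* vacuously true on wrap */
}

/* Unfixed path: truncate the offset as (caddr_t)(int) does, walk, no wrap test. */
static bool kernacc_unfixed_model(uint64_t offset, uint32_t len)
{
    uint32_t start = (uint32_t)offset;
    return check_protection_model(start, range_end32(start, len));
}

/* Hardened path: the useracc()-style end < start test kernacc() lacked. */
static bool kernacc_fixed_model(uint64_t offset, uint32_t len)
{
    uint32_t start = (uint32_t)offset;
    if (range_end32(start, len) < start)
        return false;   /* wrapped range: EFAULT */
    return check_protection_model(start, range_end32(start, len));
}

int main(void)
{
    uint64_t off = 3735929054ULL;   /* uio_offset from the kgdb output above */
    uint32_t c = 2058814332u;       /* c from the kgdb output above */
    printf("end=0x%08x unfixed=%s fixed=%s\n", range_end32((uint32_t)off, c),
           kernacc_unfixed_model(off, c) ? "allowed" : "EFAULT",
           kernacc_fixed_model(off, c) ? "allowed" : "EFAULT");
    return 0;
}
```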