From: Kris Kennaway <kris@obsecurity.org>
To: current@FreeBSD.org
Cc: mohans@FreeBSD.org
Date: Fri, 18 Aug 2006 10:00:47 -0400
Message-ID: <20060818140047.GA53670@xor.obsecurity.org>
Subject: null pointer deref from mount/umount + rm -rf loop

I ran

    mount -o ro -t nfs ...; sleep 2; umount -f nfs

together with rm -rf in a loop, and after some time the machine panicked with:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x34
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc052e22a
stack pointer           = 0x28:0xec8d7a74
frame pointer           = 0x28:0xec8d7a94
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 28944 (rm)

db> wh
Tracing pid 28944 tid 100205 td 0xc5469bd0
_mtx_lock_flags(24,0,c07266be,1a3,0) at _mtx_lock_flags+0x24
vfs_ref(0,ec8d7b28,cf05a900,ec8d7ad4,c06f97a8) at vfs_ref+0x32
vop_stdgetwritemount(ec8d7af8,ec8d7b14,c05a9601,c076a780,ec8d7af8) at vop_stdgetwritemount+0x1d
VOP_GETWRITEMOUNT_APV(c076a780,ec8d7af8,f8,3,1) at VOP_GETWRITEMOUNT_APV+0x3a
vn_start_write(cf05a900,ec8d7b28,1,cfd2ea20,ffffffff) at vn_start_write+0x34
vn_close(cf05a900,5,d25e8a00,c5469bd0,c071f37b) at vn_close+0x2f
vn_closefile(c5c27798,c5469bd0,c071e535,85f,cf05a900) at vn_closefile+0x8b
fdrop_locked(c5c27798,c5469bd0,c5469bd0,c5469bd0,c076a780,0,0,cf05a900,c077e840,8201000,c5469bd0,ec8d7c20,246,246,ec8d7c40,c052e311,c077e840,cf05a900,ec8d7c50,c050fcda,3e1,c071e535,0) at fdrop_locked+0x96
closef(c5c27798,c5469bd0,c071e535,3e1,c054ad17) at closef+0x1ed
close(c5469bd0,ec8d7d04,4,0,1) at close+0x185
syscall(bfbf003b,3b,bfbf003b,8250130,804b4d8) at syscall+0x163
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (6, FreeBSD ELF32, close), eip = 0x2815ba4f, esp = 0xbfbfe69c, ebp = 0xbfbfe6b8 ---

db> show lockedvnods
Locked vnodes

0xcd8ae360: tag ufs, type VDIR
    usecount 2, writecount 0, refcount 4 mountedhere 0xd07ea548
    flags ()
    v_object 0xc6d4ac24 ref 0 pages 1
     lock type ufs: EXCL (count 1) by thread 0xcfd2ea20 (pid 28947)
        ino 353827, on dev da0s1e

0xc6769240: tag nfs, type VDIR
    usecount 0, writecount 0, refcount 88 mountedhere 0
    flags (VI_DOOMED)
    v_object 0xcce78b90 ref 0 pages 87
     lock type nfs: EXCL (count 1) by thread 0xcfd2ea20 (pid 28947)

^-- show lockedvnods hung here.  Looks like I forgot to include
DEBUG_VFS_LOCKS, I'll try to recreate.

Kris
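The two facts worth pulling out of a ddb dump like the one above are the fault virtual address and the arguments of the frames nearest the fault: a fault address of 0x34 is far below the first mapped page, so it is a NULL struct pointer plus a member offset rather than a wild pointer, and the trace shows vfs_ref() being entered with its first argument (the mount pointer) equal to 0, which is consistent with the VI_DOOMED nfs vnode in the lockedvnods output having lost its mount under the forced unmount. The following Python script is an added triage helper written for this thread, not code from the message or from FreeBSD; it parses the "Fatal trap" block and the `wh` backtrace (copied verbatim from the report above as sample input), classifies the fault, and lists the frames that were handed a NULL first argument. The 4096-byte page size and the assumption that a fault below one page is a NULL dereference are mine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ddb output quoted from the report above (not constructed).
PANIC_TEXT = """\
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x34
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc052e22a
stack pointer           = 0x28:0xec8d7a74
frame pointer           = 0x28:0xec8d7a94
current process         = 28944 (rm)
db> wh
Tracing pid 28944 tid 100205 td 0xc5469bd0
_mtx_lock_flags(24,0,c07266be,1a3,0) at _mtx_lock_flags+0x24
vfs_ref(0,ec8d7b28,cf05a900,ec8d7ad4,c06f97a8) at vfs_ref+0x32
vop_stdgetwritemount(ec8d7af8,ec8d7b14,c05a9601,c076a780,ec8d7af8) at vop_stdgetwritemount+0x1d
VOP_GETWRITEMOUNT_APV(c076a780,ec8d7af8,f8,3,1) at VOP_GETWRITEMOUNT_APV+0x3a
vn_start_write(cf05a900,ec8d7b28,1,cfd2ea20,ffffffff) at vn_start_write+0x34
vn_close(cf05a900,5,d25e8a00,c5469bd0,c071f37b) at vn_close+0x2f
vn_closefile(c5c27798,c5469bd0,c071e535,85f,cf05a900) at vn_closefile+0x8b
fdrop_locked(c5c27798,c5469bd0,c5469bd0,c5469bd0,c076a780,0,0,cf05a900,c077e840,8201000,c5469bd0,ec8d7c20,246,246,ec8d7c40,c052e311,c077e840,cf05a900,ec8d7c50,c050fcda,3e1,c071e535,0) at fdrop_locked+0x96
closef(c5c27798,c5469bd0,c071e535,3e1,c054ad17) at closef+0x1ed
close(c5469bd0,ec8d7d04,4,0,1) at close+0x185
syscall(bfbf003b,3b,bfbf003b,8250130,804b4d8) at syscall+0x163
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (6, FreeBSD ELF32, close), eip = 0x2815ba4f, esp = 0xbfbfe69c, ebp = 0xbfbfe6b8 ---
"""

# Assumption: i386 4 KiB pages; page 0 is never mapped in the kernel, so a
# fault address below PAGE_SIZE is NULL plus a struct member offset.
PAGE_SIZE = 4096


@dataclass
class Frame:
    func: str
    args: List[int]   # argument words as ddb printed them (hex -> int)
    offset: int       # instruction offset within func


@dataclass
class PanicReport:
    trap: Optional[str] = None
    fault_addr: Optional[int] = None
    fault_code: Optional[str] = None
    ip: Optional[int] = None
    pid: Optional[int] = None
    comm: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)  # innermost first


# "func(a,b,c) at func+0xNN" lines printed by "db> wh"
FRAME_RE = re.compile(r"^(\w+)\(([0-9a-f,]*)\) at \1\+0x([0-9a-f]+)$")
# "key = value" lines of the trap summary
FIELD_RE = re.compile(r"^([a-z ]+?)\s*=\s*(.+)$")


def parse_panic(text: str) -> PanicReport:
    """Parse the trap summary and backtrace into a PanicReport."""
    rep = PanicReport()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Fatal trap"):
            rep.trap = line
            continue
        m = FRAME_RE.match(line)
        if m:
            args = [int(a, 16) for a in m.group(2).split(",") if a]
            rep.frames.append(Frame(m.group(1), args, int(m.group(3), 16)))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "fault virtual address":
            rep.fault_addr = int(val, 16)
        elif key == "fault code":
            rep.fault_code = val
        elif key == "instruction pointer":      # "0x20:0xc052e22a" -> offset part
            rep.ip = int(val.split(":")[-1], 16)
        elif key == "current process":          # "28944 (rm)"
            pm = re.match(r"(\d+) \((.+)\)", val)
            if pm:
                rep.pid, rep.comm = int(pm.group(1)), pm.group(2)
    return rep


def is_null_deref(rep: PanicReport) -> bool:
    """True when the fault address is NULL plus a small member offset."""
    return rep.fault_addr is not None and rep.fault_addr < PAGE_SIZE


def faulting_function(rep: PanicReport) -> Optional[str]:
    return rep.frames[0].func if rep.frames else None


def call_chain(rep: PanicReport) -> List[str]:
    return [f.func for f in rep.frames]


def null_arg_frames(rep: PanicReport) -> List[str]:
    """Frames entered with a NULL first argument: the first one above the
    faulting frame is where to start reading (vfs_ref(0, ...) here)."""
    return [f.func for f in rep.frames if f.args and f.args[0] == 0]


def summarize(rep: PanicReport) -> str:
    kind = ("NULL deref, offset 0x%x" % rep.fault_addr) if is_null_deref(rep) \
        else "fault at 0x%x" % (rep.fault_addr or 0)
    return "%s in %s (pid %s %s); NULL passed to: %s" % (
        kind, faulting_function(rep), rep.pid, rep.comm,
        ", ".join(null_arg_frames(rep)) or "none")


if __name__ == "__main__":
    print(summarize(parse_panic(PANIC_TEXT)))
```

The NULL-argument heuristic only sees the register-sized words ddb prints, so it points at the frame that was *handed* a NULL, not at the code that produced it; on this trace that is vfs_ref(), one frame above the faulting mutex lock, which is where a DEBUG_VFS_LOCKS kernel would be expected to assert first.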