From: Kris Kennaway <kris@obsecurity.org>
To: current@FreeBSD.org
Cc: davidxu@FreeBSD.org
Date: Sun, 19 Aug 2007 15:26:44 -0400
Subject: "panic: ureadc" from aio
Message-ID: <20070819192644.GA59961@rot26.obsecurity.org>

I was running stress2 which hung somehow, so I ^Ced it and it panicked:

panic: ureadc
cpuid = 1
KDB: enter: panic
[thread pid 8507 tid 100609 ]
Stopped at      kdb_enter+0x33: leave
db> wh
Tracing pid 8507 tid 100609 td 0xc5d63cc0
kdb_enter(c0780dbf,1,c0781318,ed2619fc,1,...) at kdb_enter+0x33
panic(c0781318,0,77,c4e3b400,ed261bf0,...) at panic+0xed
ureadc(77,ed261cb0,159,c0788008,0,...) at ureadc+0x87
ttread(c4e3b400,ed261cb0,0,c537f800,ed261cb0,...) at ttread+0x304
ptsread(c537f800,ed261cb0,0,168,0,...) at ptsread+0x38
giant_read(c537f800,ed261cb0,0,1,0,...) at giant_read+0x48
devfs_read_f(c50d21a0,ed261cb0,c53c2100,1,c5d63cc0,...) at devfs_read_f+0x6b
aio_daemon(1,ed261d38,c077d7d0,315,c846e000,...) at aio_daemon+0x34c
fork_exit(c05da285,1,ed261d38) at fork_exit+0xa6
fork_trampoline() at fork_trampoline+0x8
--- trap 0, eip = 0, esp = 0xed261d70, ebp = 0 ---

The panic is here:

        if (uio->uio_iovcnt == 0 || uio->uio_resid == 0)
                panic("ureadc");

12548     1 12548     0 RLs    CPU 0  [aiod5]
12327     1  1395  1003 SE+    aioprn 0xc571d748 syscall
12214     1  1395  1003 SE+    aioprn 0xccf9b9f4 syscall
 8510     1  8510     0 RLs    CPU 3  [aiod4]
 8509     1  8509     0 RLs    [aiod3]
 8508     1  8508     0 RLs    CPU 2  [aiod2]
 8507     1  8507     0 RLs    CPU 1  [aiod1]

I think aio has more input validation bugs.

Kris