Date: Sun, 20 Aug 2006 19:22:08 -0400 From: Kris Kennaway <kris@obsecurity.org> To: Kris Kennaway <kris@obsecurity.org> Cc: current@FreeBSD.org, mohans@FreeBSD.org Subject: Re: null pointer deref from mount/umount + rm -rf loop Message-ID: <20060820232208.GA84554@xor.obsecurity.org> In-Reply-To: <20060818140047.GA53670@xor.obsecurity.org> References: <20060818140047.GA53670@xor.obsecurity.org>
--envbJBWh7q8WU6mo Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Fri, Aug 18, 2006 at 10:00:47AM -0400, Kris Kennaway wrote: > I ran mount -o ro -t nfs ...; sleep 2; umount -f nfs together with rm > -rf in a loop, and after some time the machine panicked with: I got another 2 instances of the panic (mohan: your patch did not help, so it's probably a different issue to the other umount bug you looked at) Fatal trap 12: page fault while in kernel mode cpuid = 0; apic id = 00 fault virtual address = 0x80 fault code = supervisor read, page not present instruction pointer = 0x20:0xc053a461 stack pointer = 0x28:0xec89ea64 frame pointer = 0x28:0xec89ea80 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 9060 (rm) [thread pid 9060 tid 100182 ] Stopped at _mtx_lock_flags+0x1b: movl 0x10(%ecx),%eax db> wh Tracing pid 9060 tid 100182 td 0xc594a360 _mtx_lock_flags(70,0,c075f612,1a3,0,...) at _mtx_lock_flags+0x1b vfs_ref(0,c07a2f80,ec89eaf4,ec89ead0,c0728940,...) at vfs_ref+0x32 vop_stdgetwritemount(ec89eaf4,c077d0ce,c4912300,ec89eb28,cd6e4690,...) at vop_stdgetwritemount+0x1d VOP_GETWRITEMOUNT_APV(c07ab460,ec89eaf4,c07c5d10,2,c07578f7,...) at VOP_GETWRITEMOUNT_APV+0x8a vn_start_write(cd6e4690,ec89eb28,1,6,cd6e46e8,...) at vn_start_write+0x34 vn_close(cd6e4690,5,c5188280,c594a360,0,...) at vn_close+0x3d vn_closefile(c4ca6510,c594a360,c0752864,871,cd6e4690,...) at vn_closefile+0x8b fdrop_locked(c4ca6510,c594a360,ec89ec18,c053a5f1,ce3b3540,0,0,c594a360,c594a4f0,c594d69c,ec89ec2c,c0559e05,c07c5d10,c585262c,3e9,c0752864,ec89ec50,c053a81f,c585262c,1,c07551ce,16a,0) at fdrop_locked+0xb9 closef(c4ca6510,c594a360,c0752864,3e9,c594a360,...) at closef+0x1f7 kern_close(c594a360,4,4,158,1,...) at kern_close+0x188 syscall(3b,821003b,bfbf003b,8250130,804b4d8,...) 
at syscall+0x152 Xint0x80_syscall() at Xint0x80_syscall+0x1f --- syscall (6, FreeBSD ELF32, close), eip = 0x2815ba4f, esp = 0xbfbfe69c, ebp = 0xbfbfe6b8 --- db> show allpcpu Current CPU: 0 cpuid = 0 curthread = 0xc594a360: pid 9060 "rm" curpcb = 0xec89ed90 fpcurthread = none idlethread = 0xc490fa20: pid 13 "idle: cpu0" APIC ID = 0 currentldt = 0x50 cpuid = 1 curthread = 0xc4dedd80: pid 9062 "umount" curpcb = 0xec730d90 fpcurthread = none idlethread = 0xc490f870: pid 12 "idle: cpu1" APIC ID = 1 currentldt = 0x50 cpuid = 2 curthread = 0xc4ff8a20: pid 9056 "find" curpcb = 0xec77ed90 fpcurthread = none idlethread = 0xc490f6c0: pid 11 "idle: cpu2" APIC ID = 2 currentldt = 0x50 cpuid = 3 curthread = 0xc490fbd0: pid 14 "swi4: clock sio" curpcb = 0xe8950d90 fpcurthread = none idlethread = 0xc490f510: pid 10 "idle: cpu3" APIC ID = 3 currentldt = 0x50 db> wh 9062 Tracing pid 9062 tid 100120 td 0xc4dedd80 cpustop_handler(ec730960,c0710fe2,3,1,c07c8158,...) at cpustop_handler+0x2c ipi_nmi_handler(3,1,c07c8158,c07c7920,c508c8d0,...) at ipi_nmi_handler+0x2a trap(8,28,28,f5,df30a000,...) at trap+0x38a calltrap() at calltrap+0x5 --- trap 0x13, eip = 0xc0707834, esp = 0xec7309a8, ebp = 0xec7309c4 --- smp_tlb_shootdown(df30b000,df30b000,c0778ebb,2f8,df30a000,...) at smp_tlb_shootdown+0x71 pmap_invalidate_range(c07ff340,df30a000,df30b000) at pmap_invalidate_range+0x114 pmap_qremove(df30a000,1,c075e1ed,606,dda37874,...) at pmap_qremove+0x44 vfs_vmio_release(cc18d3c0,0,c075e1ed,51a,c05366c1,...) at vfs_vmio_release+0x13f brelse(dda37874,202122,cf0609f8,c4dedd80,20609f8,...) at brelse+0x942 flushbuflist(cf060a30,0,0,3e7,c4dedd80,...) at flushbuflist+0x14a bufobj_invalbuf(cf060a30,1,c4dedd80,0,0,...) at bufobj_invalbuf+0x79 vgonel(cf0609f8,0,c075fe76,909,d084d8ec,...) at vgonel+0xca vflush(d084d87c,1,2,c4dedd80,0,...) at vflush+0x2a6 nfs_unmount(d084d87c,8080000,c4dedd80,c4dedd80,0,...) at nfs_unmount+0x56 dounmount(d084d87c,8080000,c4dedd80,43e,539ff4c,...) 
at dounmount+0x250 unmount(c4dedd80,ec730d04,8,ec730d38,2,...) at unmount+0x217 syscall(3b,3b,3b,804a610,8201c38,...) at syscall+0x152 Xint0x80_syscall() at Xint0x80_syscall+0x1f --- syscall (22, FreeBSD ELF32, unmount), eip = 0x280c369b, esp = 0xbfbfe08c, ebp = 0xbfbfe148 --- db> wh 9056 Tracing pid 9056 tid 100137 td 0xc4ff8a20 cpustop_handler(ec77ea34,c0710fe2,3041,c4c3bad8,40,...) at cpustop_handler+0x2c ipi_nmi_handler(3041,c4c3bad8,40,c07c5740,225,...) at ipi_nmi_handler+0x2a trap(c0720008,c05b0028,c06a0028,c4ff8a20,15a4c8,...) at trap+0x38a calltrap() at calltrap+0x5 --- trap 0x13, eip = 0xc053a572, esp = 0xec77ea7c, ebp = 0xec77ea9c --- _mtx_lock_spin(c07e6cc8,c4ff8a20,0,c0773c9b,56e,...) at _mtx_lock_spin+0x4a _mtx_lock_spin_flags(c07e6cc8,0,c0773c9b,56e,ec77eb04,...) at _mtx_lock_spin_flags+0x90 siointr(c4a24800,c07c5d10,2,c4ff8a20,0,...) at siointr+0x2a intr_execute_handlers(c4907cc4,ec77eb20,ec77eb80,c06fa6a3,38,...) at intr_execute_handlers+0xcc lapic_handle_intr(38) at lapic_handle_intr+0x2d Xapic_isr1() at Xapic_isr1+0x33 --- interrupt, eip = 0xc053a3d9, esp = 0xec77eb60, ebp = 0xec77eb80 --- _mtx_lock_sleep(c07c5d28,c4ff8a20,0,c0751dac,137,...) at _mtx_lock_sleep+0x12e _mtx_lock_flags(c07c5d28,0,c0751dac,137,6,...) at _mtx_lock_flags+0x8e giant_write(c508d300,ec77ec64,0,c508d300,c07a08a0,...) at giant_write+0x2e devfs_write_f(c4f8a3f0,ec77ec64,c5186b80,0,c4ff8a20,...) at devfs_write_f+0x82 dofilewrite(c4f8a3f0,ec77ec64,ffffffff,ffffffff,0,...) at dofilewrite+0x7c kern_writev(c4ff8a20,2,ec77ec64,bfbfe1c0,6,...) at kern_writev+0x6b write(c4ff8a20,ec77ed04,c,ec77ed38,3,...) at write+0x4d syscall(825003b,bfbf003b,bfbf003b,bfbfe1c0,6,...) 
at syscall+0x152 Xint0x80_syscall() at Xint0x80_syscall+0x1f --- syscall (4, FreeBSD ELF32, write), eip = 0x28157a6f, esp = 0xbfbfe03c, ebp = 0xbfbfe058 --- db> db> show lockedvnods Locked vnodes 0xcb8c1690: tag ufs, type VDIR usecount 1, writecount 0, refcount 3 mountedhere 0xd084d87c flags () v_object 0xce353870 ref 0 pages 1 lock type ufs: EXCL (count 1) by thread 0xc4dedd80 (pid 9062)#0 0xc0536188 at lockmgr+0x541 #1 0xc069059e at ffs_lock+0x59 #2 0xc072bba4 at VOP_LOCK_APV+0x76 #3 0xc05c305a at vn_lock+0x67 #4 0xc05ae4fb at dounmount+0x51 #5 0xc05aecac at unmount+0x217 #6 0xc0711507 at syscall+0x152 #7 0xc06fa33f at Xint0x80_syscall+0x1f ino 353827, on dev da0s1e 0xcf060930: tag nfs, type VDIR usecount 0, writecount 0, refcount 47 mountedhere 0 flags (VI_DOOMED) v_object 0xcc18d3c0 ref 0 pages 87 lock type nfs: EXCL (count 1) by thread 0xc4dedd80 (pid 9062)#0 0xc0536188 at lockmgr+0x541 #1 0xc05aa8e4 at vop_stdlock+0x32 #2 0xc072bba4 at VOP_LOCK_APV+0x76 #3 0xc05c305a at vn_lock+0x67 #4 0xc05b7b64 at vflush+0x23c #5 0xc064b3c6 at nfs_unmount+0x56 #6 0xc05ae6fa at dounmount+0x250 #7 0xc05aecac at unmount+0x217 #8 0xc0711507 at syscall+0x152 #9 0xc06fa33f at Xint0x80_syscall+0x1f [hung again here] This time I was able to save a core though. Kris --envbJBWh7q8WU6mo Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFE6O6gWry0BWjoQKURAozcAKDqQUfI1juv6zWE5URXYxcm+PKVegCfSRkx Sbp7hWvPqvEa6FDrBYYY9GM= =5Fbn -----END PGP SIGNATURE----- --envbJBWh7q8WU6mo--