Date: Sun, 16 Jan 2005 18:30:31 -0800 From: Kris Kennaway <kris@obsecurity.org> To: Kris Kennaway <kris@obsecurity.org> Cc: current@freebsd.org Subject: Re: fstat triggered INVARIANTS panic in memrw() Message-ID: <20050117023031.GA12825@xor.obsecurity.org> In-Reply-To: <20050117021815.GA8953@xor.obsecurity.org> References: <20050115083847.GA47466@xor.obsecurity.org> <20050116003432.GA448@xor.obsecurity.org> <20050116050433.GA65733@xor.obsecurity.org> <20050116211349.GG26214@noel.cs.rice.edu> <20050117014746.GA96797@xor.obsecurity.org> <20050117021815.GA8953@xor.obsecurity.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On Sun, Jan 16, 2005 at 06:18:15PM -0800, Kris Kennaway wrote:
> On Sun, Jan 16, 2005 at 05:47:46PM -0800, Kris Kennaway wrote:
> > On Sun, Jan 16, 2005 at 03:13:49PM -0600, Alan Cox wrote:
> >
> > > The "deadc0de" passed to generic_copyout() comes from the following
> > > lines in devfs_read_f(c51773b8,eed96c84,ca75c800,flags=0):
> > >
> > > if ((flags & FOF_OFFSET) == 0)
> > > uio->uio_offset = fp->f_offset;
> > >
> > > Can you print the contents of the file structure?
> >
> > (kgdb) frame 28
> > #28 0xc04d8d91 in devfs_read_f (fp=0xc25f5dd0, uio=0xe7275c84, cred=0xc3540380, flags=0, td=0xc3c34170)
> > at ../../../fs/devfs/devfs_vnops.c:931
> > 931 error = dsw->d_read(dev, uio, ioflag);
> > (kgdb) print *fp
> > $1 = {f_list = {le_next = 0xc25f5bf4, le_prev = 0xc25f52a8}, f_type = 1, f_data = 0xc22f8200, f_flag = 1,
> > f_mtxp = 0xc2251fd0, f_ops = 0xc074c140, f_cred = 0xc2b2a900, f_count = 2, f_vnode = 0xc3c6fbdc,
> > f_offset = 3735929054, f_gcflag = 0, f_msgcount = 0, f_seqcount = 1, f_nextoff = 3263609792}
>
> 3735929054 = 0xdeadc0de. This same struct file appears all the way
> back to the syscall frame. I wonder if fstat is racing with a tty
> device removal or something (it's certainly racing with something,
> e.g.:
Devices may not be to blame; I was able to trigger this by running
fstat in a loop and then running 'make' in /usr/ports/misc/screen
(with the idea of testing the tty hypothesis :)
An interesting datapoint is that none of the non-i386 package machines
have hit this problem, but the i386 machines can't stay up for more
than a few minutes under load (which translates to only a few fstat
invocations).
Kris
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
iD8DBQFB6yNHWry0BWjoQKURAkAUAJ9i0k20MWc3+u8Cqt+bPkMXanQ04ACg2Y96
fYTN7UI3l6P9oXoGllh2C4I=
=SMSE
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050117023031.GA12825>