Date: Sun, 16 Jan 2005 18:30:31 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: current@freebsd.org
Subject: Re: fstat triggered INVARIANTS panic in memrw()
Message-ID: <20050117023031.GA12825@xor.obsecurity.org>
In-Reply-To: <20050117021815.GA8953@xor.obsecurity.org>
References: <20050115083847.GA47466@xor.obsecurity.org> <20050116003432.GA448@xor.obsecurity.org> <20050116050433.GA65733@xor.obsecurity.org> <20050116211349.GG26214@noel.cs.rice.edu> <20050117014746.GA96797@xor.obsecurity.org> <20050117021815.GA8953@xor.obsecurity.org>

On Sun, Jan 16, 2005 at 06:18:15PM -0800, Kris Kennaway wrote:
> On Sun, Jan 16, 2005 at 05:47:46PM -0800, Kris Kennaway wrote:
> > On Sun, Jan 16, 2005 at 03:13:49PM -0600, Alan Cox wrote:
> >
> > > The "deadc0de" passed to generic_copyout() comes from the following
> > > lines in devfs_read_f(c51773b8,eed96c84,ca75c800,flags=0):
> > >
> > >     if ((flags & FOF_OFFSET) == 0)
> > >         uio->uio_offset = fp->f_offset;
> > >
> > > Can you print the contents of the file structure?
> >
> > (kgdb) frame 28
> > #28 0xc04d8d91 in devfs_read_f (fp=0xc25f5dd0, uio=0xe7275c84, cred=0xc3540380, flags=0, td=0xc3c34170)
> >     at ../../../fs/devfs/devfs_vnops.c:931
> > 931             error = dsw->d_read(dev, uio, ioflag);
> > (kgdb) print *fp
> > $1 = {f_list = {le_next = 0xc25f5bf4, le_prev = 0xc25f52a8}, f_type = 1, f_data = 0xc22f8200, f_flag = 1,
> >   f_mtxp = 0xc2251fd0, f_ops = 0xc074c140, f_cred = 0xc2b2a900, f_count = 2, f_vnode = 0xc3c6fbdc,
> >   f_offset = 3735929054, f_gcflag = 0, f_msgcount = 0, f_seqcount = 1, f_nextoff = 3263609792}
>
> 3735929054 = 0xdeadc0de. This same struct file appears all the way
> back to the syscall frame. I wonder if fstat is racing with a tty
> device removal or something (it's certainly racing with something,
> e.g.:

Devices may not be to blame; I was able to trigger this by running
fstat in a loop and then running 'make' in /usr/ports/misc/screen
(with the idea of testing the tty hypothesis :)

An interesting datapoint is that none of the non-i386 package machines
have hit this problem, but the i386 machines can't stay up for more
than a few minutes under load (which translates to only a few fstat
invocations).

Kris