Bug #910

Kernel panic while doing sysctl -a

Added by matthias almost 7 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee: -
% Done: 0%
Category: -
Target version: -
Start date: 
Due date: 

Description

Hi,

one of my machines running HEAD experienced a kernel panic. The command I
executed before the panic was "sysctl -a | less" to get a list of sysctls.
It seems that there is an overflow within the strlen function ...

kernel, crash dump, dmesg and pciconf -lv are available here:

http://www.mathematik.uni-marburg.de/~schmidtm/dfly_crash/

DragonFly node013.lab.ds 1.11.0-DEVELOPMENT DragonFly 1.11.0-DEVELOPMENT #0: Mon Jan 7 11:55:09 CET 2008 :/usr/obj/usr/src/sys/NODE013 i386

Cheers

Matthias

Fatal trap 12: page fault while in kernel mode
fault virtual address = 0xd0686f55
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc02ddb9a
stack pointer = 0x10:0xcec0fb18
frame pointer = 0x10:0xcec0fb18
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 50725 (sysctl)
current thread = pri 6

panic: from debugger

Fatal trap 3: breakpoint instruction fault while in kernel mode
instruction pointer = 0x8:0xc03136a4
stack pointer = 0x10:0xcec0f92c
frame pointer = 0x10:0xcec0f934
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, IOPL = 0
current process = 50725 (sysctl)
current thread = pri 6

panic: from debugger
Uptime: 3h57m22s

(kgdb) bt
#0 dumpsys () at thread.h:83
#1 0xc01c4e1b in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:375
#2 0xc01c4f3c in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:800
#3 0xc0149be5 in db_panic (addr=Could not find the frame base for "db_panic".
) at /usr/src/sys/ddb/db_command.c:447
#4 0xc014a250 in db_command_loop () at /usr/src/sys/ddb/db_command.c:343
#5 0xc014c7bc in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_trap.c:71
#6 0xc03137f7 in kdb_trap (type=12, code=0, regs=0xcec0fad0) at /usr/src/sys/platform/pc32/i386/db_interface.c:148
#7 0xc032384b in trap_fatal (frame=0xcec0fad0, eva=Variable "eva" is not available.
) at /usr/src/sys/platform/pc32/i386/trap.c:1091
#8 0xc03239b0 in trap_pfault (frame=0xcec0fad0, usermode=0, eva=3496505173)
at /usr/src/sys/platform/pc32/i386/trap.c:997
#9 0xc03241a0 in trap (frame=0xcec0fad0) at /usr/src/sys/platform/pc32/i386/trap.c:680
#10 0xc0314506 in calltrap () at /usr/src/sys/platform/pc32/i386/exception.s:783
#11 0xc02ddb9a in strlen (str=0xd0686f55 <Address 0xd0686f55 out of bounds>) at /usr/src/sys/libkern/strlen.c:41
#12 0xc02c2153 in sysctl_vm_zone (oidp=0xc03b42a0, arg1=0x0, arg2=0, req=0xcec0fc08) at /usr/src/sys/vm/vm_zone.c:447
#13 0xc01cf935 in sysctl_root (oidp=Variable "oidp" is not available.
) at /usr/src/sys/kern/kern_sysctl.c:1193
#14 0xc01cfa27 in userland_sysctl (name=0xcec0fc90, namelen=2, old=0x0, oldlenp=0xbfbfe8f0, inkernel=0, new=0x0,
newlen=0, retval=0xcec0fc8c) at /usr/src/sys/kern/kern_sysctl.c:1268
#15 0xc01cfc28 in sys___sysctl (uap=0xcec0fcf0) at /usr/src/sys/kern/kern_sysctl.c:1211
#16 0xc0323ccb in syscall2 (frame=0xcec0fd40) at /usr/src/sys/platform/pc32/i386/trap.c:1339
#17 0xc03145a5 in Xint0x80_syscall () at /usr/src/sys/platform/pc32/i386/exception.s:872
#18 0x08055d38 in ?? ()
#19 0xbfbfe86c in ?? ()
#20 0x0000002f in ?? ()
#21 0x00000000 in ?? ()
#22 0x00000000 in ?? ()
#23 0x00000000 in ?? ()
#24 0x00000000 in ?? ()
#25 0x13c4b000 in ?? ()
#26 0x00000001 in ?? ()
#27 0xc03c2bf8 in intr_info_ary ()
#28 0xcec0f8d4 in ?? ()
#29 0xcec0f8c4 in ?? ()
#30 0xc8076300 in ?? ()
#31 0xc01cac5a in lwkt_preempt (ntd=0x2, critpri=Cannot access memory at address 0xbfbfe8a4
) at /usr/src/sys/kern/lwkt_thread.c:893
(kgdb) f 11
#11 0xc02ddb9a in strlen (str=0xd0686f55 <Address 0xd0686f55 out of bounds>) at /usr/src/sys/libkern/strlen.c:41
41 {
(kgdb) p str
$5 = 0xd0686f55 <Address 0xd0686f55 out of bounds>
(kgdb) f 14
#14 0xc01cfa27 in userland_sysctl (name=0xcec0fc90, namelen=2, old=0x0, oldlenp=0xbfbfe8f0, inkernel=0, new=0x0,
newlen=0, retval=0xcec0fc8c) at /usr/src/sys/kern/kern_sysctl.c:1268
1268 error = sysctl_root(0, name, namelen, &req2);

History

#1 Updated by dillon almost 7 years ago

:Hi,
:
:one of my machines running HEAD experienced a kernel panic. The command I
:executed before the panic was "sysctl -a | less" to get a list of sysctls.
:It seems that there is an overflow within the strlen function ...
:
:kernel, crash dump, dmesg and pciconf -lv is available here:
:
:http://www.mathematik.uni-marburg.de/~schmidtm/dfly_crash/
:
:...
:#11 0xc02ddb9a in strlen (str=0xd0686f55 <Address 0xd0686f55 out of bounds>) at /usr/src/sys/libkern/strlen.c:41
:#12 0xc02c2153 in sysctl_vm_zone (oidp=0xc03b42a0, arg1=0x0, arg2=0, req=0xcec0fc08) at /usr/src/sys/vm/vm_zone.c:447

The vm_zone->zname is pointing to illegal storage. Very weird, a whole
bunch of zones have bad zname's. They look like they've come from a
dynamic module, and there are a whole bunch of them. Is there a module
you are loading and unloading a lot? It must be zinit'ing a new zone
and not cleaning it up at unload time.

We don't have a zone unloader. Looks like we'll have to write a
procedure to clean out a zone and remove it from the list in addition
to finding the module that is trying to use the zone.

zlist -> [28 zones with bad zname pointers] -> [system zones with good
zname pointers].

-Matt

#2 Updated by matthias almost 7 years ago

I made some modifications to some rc.d scripts and unloaded pf and ipl
a few times to check whether the scripts are correct.

Matthias

#3 Updated by sepherosa almost 7 years ago

As far as I know, pf module can't be safely unloaded.

#4 Updated by matthias almost 7 years ago

Hi sephe,

Is this just state-of-the-art or can we fix this?

Matthias

#5 Updated by sepherosa almost 7 years ago

I think we don't have a function to destroy a zone initialized by zinit()
(used by pf), so currently the pf module can't be unloaded.

Best Regards,
sephe

#6 Updated by dillon almost 7 years ago

:I think we don't have a function to destroy a zone initialized by zinit()
:(used by pf), so currently the pf module can't be unloaded.
:
:Best Regards,
:sephe

ZONE_DESTROY() in pfvar.h is a NOP.

Anyone want to have a go at writing a zdestroy() function for
vm/vm_zone.c to complement the zinit() function?

-Matt
Matthew Dillon
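Matt's diagnosis in #1 (zlist carrying zones whose zname points into an unloaded module) and the zdestroy() he asks for in #6, as an added model in C that is not DragonFly's code: zone structs stay in kernel memory while zname refers into a module image, the sysctl walker fails the way frame #11 did once that image is unmapped, and zdestroy() unlinks the zone first. zone_pool, pf_image, pf_mapped and mapped() are invented stand-ins for kmalloc(M_ZONE), the pf module image and the MMU.

```c
#include <stdint.h>
#include <string.h>

/* Model of the vm_zone list: zone structs live in kernel memory (zone_pool),
 * but zname is whatever pointer the caller handed to zinit(). */
struct vm_zone { const char *zname; struct vm_zone *znext; };
static struct vm_zone zone_pool[8];   /* stands in for kmalloc(M_ZONE) */
static struct vm_zone *zlist;         /* global list that sysctl walks */

static struct vm_zone *zinit(const char *name) {
    struct vm_zone *z = zone_pool;
    while (z < zone_pool + 8 && z->zname) z++;   /* first free slot */
    if (z == zone_pool + 8) return NULL;
    z->zname = name; z->znext = zlist;
    return zlist = z;
}

/* The missing counterpart: unlink and release the zone before the module that owns the name string is unmapped. */
static void zdestroy(struct vm_zone *z) {
    for (struct vm_zone **pp = &zlist; *pp; pp = &(*pp)->znext)
        if (*pp == z) { *pp = z->znext; break; }
    memset(z, 0, sizeof *z);
}

/* "pf module" image (constructed): its zone name is a string inside the image itself. */
static char pf_image[16]; static int pf_mapped; static struct vm_zone *pf_zone;
static void pf_load(void) {
    strcpy(pf_image, "pf state"); pf_mapped = 1; pf_zone = zinit(pf_image);
}
static void pf_unload(int call_zdestroy) {
    if (call_zdestroy) zdestroy(pf_zone);
    memset(pf_image, 0xff, sizeof pf_image); pf_mapped = 0;  /* image gone */
}

/* Stand-in for the MMU: is this pointer backed by a mapped page? */
static int mapped(const char *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)pf_image;
    return (a >= lo && a < lo + sizeof pf_image) ? pf_mapped : 1;
}
/* Model of sysctl_vm_zone(): returns -1 where the real kernel took the page
 * fault in strlen() (frame #11 above), 0 when every zone name was readable. */
static int sysctl_vm_zone(char *buf, size_t len) {
    buf[0] = '\0';
    for (struct vm_zone *z = zlist; z; z = z->znext) {
        if (!mapped(z->zname)) return -1;
        strncat(buf, z->zname, len - strlen(buf) - 1); strncat(buf, "\n", len - strlen(buf) - 1);
    }
    return 0;
}
```

Unloading without zdestroy() leaves the stale zone on zlist, so the next walk hits the unmapped name; unloading with it leaves only the kernel's own zones.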

#7 Updated by matthias over 6 years ago

Closing this issue. A stress test with module loading/unloading and sysctl shows
that nth@'s recent zdestroy() patch fixes the issue.
