Bug #910
Kernel panic while doing sysctl -a (status: closed)
Description
Hi,
one of my machines running HEAD experienced a kernel panic. The command I
executed before the panic was "sysctl -a | less" to get a list of sysctls.
It seems that there is an overflow within the strlen function ...
The kernel, crash dump, dmesg and pciconf -lv are available here:
http://www.mathematik.uni-marburg.de/~schmidtm/dfly_crash/
DragonFly node013.lab.ds 1.11.0-DEVELOPMENT DragonFly 1.11.0-DEVELOPMENT #0: Mon Jan 7 11:55:09 CET 2008 root@node013.lab.ds:/usr/obj/usr/src/sys/NODE013 i386
Cheers
Matthias
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0xd0686f55
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc02ddb9a
stack pointer = 0x10:0xcec0fb18
frame pointer = 0x10:0xcec0fb18
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 50725 (sysctl)
current thread = pri 6
panic: from debugger
Fatal trap 3: breakpoint instruction fault while in kernel mode
instruction pointer = 0x8:0xc03136a4
stack pointer = 0x10:0xcec0f92c
frame pointer = 0x10:0xcec0f934
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, IOPL = 0
current process = 50725 (sysctl)
current thread = pri 6
panic: from debugger
Uptime: 3h57m22s
(kgdb) bt
#0 dumpsys () at thread.h:83
#1 0xc01c4e1b in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:375
#2 0xc01c4f3c in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:800
#3 0xc0149be5 in db_panic (addr=Could not find the frame base for "db_panic".
) at /usr/src/sys/ddb/db_command.c:447
#4 0xc014a250 in db_command_loop () at /usr/src/sys/ddb/db_command.c:343
#5 0xc014c7bc in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_trap.c:71
#6 0xc03137f7 in kdb_trap (type=12, code=0, regs=0xcec0fad0) at /usr/src/sys/platform/pc32/i386/db_interface.c:148
#7 0xc032384b in trap_fatal (frame=0xcec0fad0, eva=Variable "eva" is not available.
) at /usr/src/sys/platform/pc32/i386/trap.c:1091
#8 0xc03239b0 in trap_pfault (frame=0xcec0fad0, usermode=0, eva=3496505173)
at /usr/src/sys/platform/pc32/i386/trap.c:997
#9 0xc03241a0 in trap (frame=0xcec0fad0) at /usr/src/sys/platform/pc32/i386/trap.c:680
#10 0xc0314506 in calltrap () at /usr/src/sys/platform/pc32/i386/exception.s:783
#11 0xc02ddb9a in strlen (str=0xd0686f55 <Address 0xd0686f55 out of bounds>) at /usr/src/sys/libkern/strlen.c:41
#12 0xc02c2153 in sysctl_vm_zone (oidp=0xc03b42a0, arg1=0x0, arg2=0, req=0xcec0fc08) at /usr/src/sys/vm/vm_zone.c:447
#13 0xc01cf935 in sysctl_root (oidp=Variable "oidp" is not available.
) at /usr/src/sys/kern/kern_sysctl.c:1193
#14 0xc01cfa27 in userland_sysctl (name=0xcec0fc90, namelen=2, old=0x0, oldlenp=0xbfbfe8f0, inkernel=0, new=0x0,
newlen=0, retval=0xcec0fc8c) at /usr/src/sys/kern/kern_sysctl.c:1268
#15 0xc01cfc28 in sys___sysctl (uap=0xcec0fcf0) at /usr/src/sys/kern/kern_sysctl.c:1211
#16 0xc0323ccb in syscall2 (frame=0xcec0fd40) at /usr/src/sys/platform/pc32/i386/trap.c:1339
#17 0xc03145a5 in Xint0x80_syscall () at /usr/src/sys/platform/pc32/i386/exception.s:872
#18 0x08055d38 in ?? ()
#19 0xbfbfe86c in ?? ()
#20 0x0000002f in ?? ()
#21 0x00000000 in ?? ()
#22 0x00000000 in ?? ()
#23 0x00000000 in ?? ()
#24 0x00000000 in ?? ()
#25 0x13c4b000 in ?? ()
#26 0x00000001 in ?? ()
#27 0xc03c2bf8 in intr_info_ary ()
#28 0xcec0f8d4 in ?? ()
#29 0xcec0f8c4 in ?? ()
#30 0xc8076300 in ?? ()
#31 0xc01cac5a in lwkt_preempt (ntd=0x2, critpri=Cannot access memory at address 0xbfbfe8a4
) at /usr/src/sys/kern/lwkt_thread.c:893
(kgdb) f 11
#11 0xc02ddb9a in strlen (str=0xd0686f55 <Address 0xd0686f55 out of bounds>) at /usr/src/sys/libkern/strlen.c:41
41 {
(kgdb) p str
$5 = 0xd0686f55 <Address 0xd0686f55 out of bounds>
(kgdb) f 14
#14 0xc01cfa27 in userland_sysctl (name=0xcec0fc90, namelen=2, old=0x0, oldlenp=0xbfbfe8f0, inkernel=0, new=0x0,
newlen=0, retval=0xcec0fc8c) at /usr/src/sys/kern/kern_sysctl.c:1268
1268 error = sysctl_root(0, name, namelen, &req2);
Updated by dillon almost 17 years ago
:Hi,
:
:one of my machines running HEAD experienced a kernel panic. The command I
:executed before the panic was "sysctl -a | less" to get a list of sysctls.
:It seems that there is an overflow within the strlen function ...
:
:kernel, crash dump, dmesg and pciconf -lv is available here:
:
:http://www.mathematik.uni-marburg.de/~schmidtm/dfly_crash/
:
:...
:#11 0xc02ddb9a in strlen (str=0xd0686f55 <Address 0xd0686f55 out of bounds>) at /usr/src/sys/libkern/strlen.c:41
:#12 0xc02c2153 in sysctl_vm_zone (oidp=0xc03b42a0, arg1=0x0, arg2=0, req=0xcec0fc08) at /usr/src/sys/vm/vm_zone.c:447
The vm_zone->zname is pointing to illegal storage. Very weird, a whole
bunch of zones have bad zname's. They look like they've come from a
dynamic module, and there are a whole bunch of them. Is there a module
you are loading and unloading a lot? It must be zinit'ing a new zone
and not cleaning it up at unload time.
We don't have a zone unloader. Looks like we'll have to write a
procedure to clean out a zone and remove it from the list in addition
to finding the module that is trying to use the zone.
zlist -> [28 zones with bad zname pointers] -> [system zones with good
zname pointers].
-Matt
Updated by matthias almost 17 years ago
I did some modifications to some rc.d scripts and unloaded pf and ipl
a few times to check if the scripts are correct.
Matthias
Updated by sepherosa almost 17 years ago
As far as I know, pf module can't be safely unloaded.
Updated by matthias almost 17 years ago
Hi sephe,
Is this just state-of-the-art or can we fix this?
Matthias
Updated by sepherosa almost 17 years ago
I think we don't have function to destroy zone initialized by zinit()
(used by pf), so currently pf module can't be unloaded.
Best Regards,
sephe
Updated by dillon almost 17 years ago
:I think we don't have function to destroy zone initialized by zinit()
:(used by pf), so currently pf module can't be unloaded.
:
:Best Regards,
:sephe
ZONE_DESTROY() in pfvar.h is a NOP.
Anyone want to have a go at writing a zdestroy() function for
vm/vm_zone.c to complement the zinit() function?
-Matt
Matthew Dillon
<dillon@backplane.com>
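To make the failure mode described in this thread concrete (zone structs that live inside a module's memory stay linked on the global zlist after the module is unmapped, so the sysctl walker's strlen() on zname reads an unmapped address) together with the zdestroy() unlink asked for above, here is an added example. It is not DragonFly's vm_zone.c or pf code: it is a small C model of the registry in which zone_t, module_image, zinit_model, zdestroy_model, walk_zlist, load_unload_then_sysctl and the zone names are all hypothetical, and "unmapping" the module is simulated with a flag that is checked before each dereference, standing in for the trap 12 page fault.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZONE_NAME_MAX 32
#define MODULE_ZONES 4

/* Hypothetical simplified zone: only the fields the crash path touches. */
typedef struct zone {
    char zname[ZONE_NAME_MAX];  /* sysctl_vm_zone() hands this to strlen() */
    struct zone *znext;         /* link in the global zlist */
} zone_t;

/* Hypothetical loadable module image: its zones live inside the image, and
 * "unloading" the module unmaps the image (mapped = false). */
typedef struct module_image {
    zone_t zones[MODULE_ZONES];
    bool mapped;
} module_image;

static zone_t *zlist;               /* global list, modelled on vm_zone.c's zlist */
static zone_t system_zones[2];      /* zones in the always-mapped kernel image */

static bool in_range(const void *p, const void *base, size_t nbytes)
{
    uintptr_t a = (uintptr_t)p, b = (uintptr_t)base;
    return a >= b && a < b + nbytes;
}

/* Would dereferencing z succeed?  False models the supervisor-read page fault. */
static bool zone_mapped(const zone_t *z, const module_image *mods, size_t nmods)
{
    if (in_range(z, system_zones, sizeof system_zones))
        return true;
    for (size_t i = 0; i < nmods; i++)
        if (in_range(z, mods[i].zones, sizeof mods[i].zones))
            return mods[i].mapped;
    return false;
}

/* Registration step of zinit(): name the zone and push it onto zlist. */
static void zinit_model(zone_t *z, const char *name)
{
    strncpy(z->zname, name, ZONE_NAME_MAX - 1);
    z->zname[ZONE_NAME_MAX - 1] = '\0';
    z->znext = zlist;
    zlist = z;
}

/* The missing zdestroy(): unlink z from zlist before its memory goes away.
 * Returns false if z is not on the list (never zinit'ed, or destroyed twice). */
static bool zdestroy_model(zone_t *z)
{
    for (zone_t **pp = &zlist; *pp != NULL; pp = &(*pp)->znext) {
        if (*pp == z) {
            *pp = z->znext;
            z->znext = NULL;
            return true;
        }
    }
    return false;
}

/* The sysctl handler's walk: strlen() every zname on zlist.  Returns the
 * number of zones reported, or -1 where the real kernel took trap 12. */
static int walk_zlist(const module_image *mods, size_t nmods, size_t *name_bytes)
{
    int n = 0;
    *name_bytes = 0;
    for (const zone_t *z = zlist; z != NULL; z = z->znext) {
        if (!zone_mapped(z, mods, nmods))
            return -1;          /* strlen(z->zname) would fault here */
        *name_bytes += strlen(z->zname);
        n++;
    }
    return n;
}

/* Load a module that zinit()s one zone, unload it, then run the sysctl walk.
 * With use_zdestroy == false the zone stays at the head of zlist after the
 * unmap: the "zlist -> [bad zones] -> [system zones]" shape from the report. */
static int load_unload_then_sysctl(bool use_zdestroy)
{
    module_image mod = { .mapped = true };   /* constructed module image */
    size_t name_bytes;
    int rc;

    zlist = NULL;
    zinit_model(&system_zones[0], "VM OBJECT");     /* constructed names */
    zinit_model(&system_zones[1], "PV ENTRY");
    zinit_model(&mod.zones[0], "pfstatepl");        /* a pf-style module zone */
    if (use_zdestroy)
        zdestroy_model(&mod.zones[0]);              /* the fix: unlink first */
    mod.mapped = false;                             /* module unloaded */
    rc = walk_zlist(&mod, 1, &name_bytes);
    zlist = NULL;   /* mod dies with this frame; don't leave a dangling head */
    return rc;
}

int main(void)
{
    printf("unload without zdestroy(): walk returns %d\n", load_unload_then_sysctl(false));
    printf("unload with zdestroy():    walk returns %d\n", load_unload_then_sysctl(true));
    return 0;
}
```

The order in load_unload_then_sysctl is the point: the unlink has to happen while the zone struct is still mapped, because zdestroy itself reads znext from it; a real zdestroy() would additionally have to release the zone's pages and refuse (or at least complain) if items are still allocated from the zone.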
Updated by matthias almost 17 years ago
Close this issue. A stress test with module loading/unloading and sysctl shows
that nth@'s recent zdestroy() patch fixes that issue.