kern/85816: maxproc=1 in login.conf causes kernel panic when logging into account via ssh

Gleb Smirnoff glebius at FreeBSD.org
Tue Sep 13 23:10:19 PDT 2005


The following reply was made to PR kern/85816; it has been noted by GNATS.

From: Gleb Smirnoff <glebius at FreeBSD.org>
To: bug-followup at FreeBSD.org
Cc:  
Subject: kern/85816: maxproc=1 in login.conf causes kernel panic when logging into account via ssh
Date: Wed, 14 Sep 2005 10:09:54 +0400

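   Attaching the backtrace to the PR's Audit-Trail. The trap is a kernel-mode read of address 0x0 in sshd's recvmsg() path (soreceive -> unp_externalize -> unp_freerights -> unp_discard), apparently while a file descriptor passed over a Unix-domain socket was being received.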
 
 ----- Forwarded message from "Jack L." <xxjack12xx at gmail.com> -----
 
 Fatal trap 12: page fault while in kernel mode
 cpuid = 0; apic id = 00
 fault virtual address = 0x0
 fault code = supervisor read, page not present
 instruction pointer = 0x20:0xc04f96a1
 stack pointer = 0x28:0xe1b7dad4
 frame pointer = 0x28:0xe1b7db48
 code segment = base 0x0, limit 0xfffff, type 0x1b
 = DPL 0, pres 1, def32 1, gran 1
 processor eflags = interrupt enabled, resume, IOPL = 0
 current process = 705 (sshd)
 trap number = 12
 panic: page fault
 cpuid = 0
 Uptime: 51s
 Dumping 449 MB (2 chunks)
 chunk 0: 1MB (159 pages) ... ok
 chunk 1: 449MB (114944 pages) 434 418 402 386 370 354 338 322 306 290 274 
 258 242 226 210 194 178 162 146 130 114 98 82 66 50 34 18 2
 
 #0 doadump () at pcpu.h:165
 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) bt full
 #0 doadump () at pcpu.h:165
 No locals.
 #1 0xc052163d in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
 first_buf_printf = 1
 #2 0xc05219ea in panic (fmt=0xc06d19ec "%s") at 
 /usr/src/sys/kern/kern_shutdown.c:555
 td = (struct thread *) 0xc1c597d0
 bootopt = 260
 newpanic = 0
 ap = 0xc1c597d0 "<J??`<\225?"
 buf = "page fault", '\0' <repeats 245 times>
 #3 0xc06ab9a2 in trap_fatal (frame=0xe1b7da94, eva=0)
 at /usr/src/sys/i386/i386/trap.c:841
 code = 40
 type = 12
 ss = 40
 esp = 0
 softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0,
 ssd_p = 1, ssd_xx = 10, ssd_xx1 = 1, ssd_def32 = 1, ssd_gran = 1}
 #4 0xc06ab69b in trap_pfault (frame=0xe1b7da94, usermode=0, eva=0)
 at /usr/src/sys/i386/i386/trap.c:752
 va = 0
 vm = (struct vmspace *) 0x0
 map = 0xc1d745dc
 rv = 1
 ftype = 1 '\001'
 td = (struct thread *) 0xc1c597d0
 p = (struct proc *) 0xc1d54a3c
 #5 0xc06ab287 in trap (frame=
 {tf_fs = -1068302328, tf_es = -1066205144, tf_ds = -1043070936, tf_edi = 1, 
 tf_esi = -1043067440, tf_ebp = -508044472, tf_isp = -508044608, tf_ebx = 
 -1043698088, tf_edx = -1044015152, tf_ecx = -1047944912, tf_eax = 0, 
 tf_trapno = 12, tf_err = 0, tf_eip = -1068525919, tf_cs = 32, tf_eflags = 
 66050, tf_esp = -1068274241, tf_ss = -1044015152})
 ---Type <return> to continue, or q <return> to quit---
 at /usr/src/sys/i386/i386/trap.c:442
 td = (struct thread *) 0xc1c597d0
 p = (struct proc *) 0xc1d54a3c
 sticks = 3228802408
 i = 0
 ucode = 0
 type = 12
 code = 0
 eva = 0
 #6 0xc069673a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 No locals.
 #7 0xc0530008 in ratecheck (lasttime=0xc1d40dd0, mininterval=0xc1ca6e58)
 at /usr/src/sys/kern/kern_time.c:723
 tv = {tv_sec = -1068367935, tv_usec = -1042986436}
 delta = {tv_sec = -1043922944, tv_usec = -508044460}
 rv = 1
 #8 0xc05743c3 in unp_discard (fp=0xc1ca6e58) at 
 /usr/src/sys/kern/uipc_usrreq.c:1887
 No locals.
 #9 0xc0572b2b in unp_freerights (rp=0xc1b4ad28, fdcount=1)
 at /usr/src/sys/kern/uipc_usrreq.c:1272
 i = 0
 fp = (struct file *) 0x0
 #10 0xc0572df7 in unp_externalize (control=0xc1b4ad00, controlp=0xe1b7dc54)
 at /usr/src/sys/kern/uipc_usrreq.c:1321
 td = (struct thread *) 0xc1c597d0
 cm = (struct cmsghdr *) 0xc1b4ad18
 i = -1068065433
 fdp = (int *) 0xe1b7dbc8
 rp = (struct file **) 0xc1b4ad24
 fp = (struct file *) 0xc1c70000
 data = (void *) 0xc1c70000
 clen = 16
 ---Type <return> to continue, or q <return> to quit---
 datalen = 4
 error = 40
 newfds = 1
 f = -1043866020
 newlen = 0
 #11 0xc0566efe in soreceive (so=0xc1c7dde8, psa=0xe1b7dc50, uio=0xe1b7dc5c, 
 mp0=0x0,
 controlp=0xe1b7dc54, flagsp=0xe1b7dcbc) at 
 /usr/src/sys/kern/uipc_socket.c:1151
 cm = (struct mbuf *) 0xc1b4ad00
 cmn = (struct mbuf *) 0x0
 cme = (struct mbuf **) 0x0
 m = (struct mbuf *) 0xc1b4c000
 mp = (struct mbuf **) 0x0
 flags = 0
 len = 4
 error = 0
 offset = -508044112
 pr = (struct protosw *) 0xc0713660
 nextrecord = (struct mbuf *) 0x0
 moff = 0
 type = 0
 orig_resid = 1
 #12 0xc056d547 in recvit (td=0xc1c597d0, s=4, mp=0xe1b7dca4, namelenp=0x0)
 at /usr/src/sys/kern/uipc_syscalls.c:985
 auio = {uio_iov = 0xc1a22120, uio_iovcnt = 1, uio_offset = 0, uio_resid = 1,
 uio_segflg = UIO_USERSPACE, uio_rw = UIO_READ, uio_td = 0xc1c597d0}
 iov = (struct iovec *) 0x0
 i = 0
 len = 1
 error = 4
 m = (struct mbuf *) 0x0
 control = (struct mbuf *) 0x0
 ctlbuf = 0xe1b7dc6c "\001"
 ---Type <return> to continue, or q <return> to quit---
 fp = (struct file *) 0xc1bc8048
 so = (struct socket *) 0xc1c7dde8
 fromsa = (struct sockaddr *) 0x0
 ktruio = (struct uio *) 0x0
 #13 0xc056da2b in recvmsg (td=0x0, uap=0xe1b7dd04)
 at /usr/src/sys/kern/uipc_syscalls.c:1235
 msg = {msg_name = 0x0, msg_namelen = 0, msg_iov = 0xc1a22120, msg_iovlen = 
 1,
 msg_control = 0xbfbfdc70, msg_controllen = 16, msg_flags = 0}
 uiov = (struct iovec *) 0xbfbfdc60
 iov = (struct iovec *) 0xc1a22120
 error = 0
 #14 0xc06abd83 in syscall (frame=
 {tf_fs = 59, tf_es = -1078001605, tf_ds = -507903941, tf_edi = -1077945188, 
 tf_esi = -1077945136, tf_ebp = -1077945176, tf_isp = -508043932, tf_ebx = 
 134839184, tf_edx = 0, tf_ecx = 0, tf_eax = 27, tf_trapno = 12, tf_err = 2, 
 tf_eip = 674001611, tf_cs = 51, tf_eflags = 646, tf_esp = -1077945268, tf_ss 
 = 59}) at /usr/src/sys/i386/i386/trap.c:986
 params = 0xbfbfdc50 <Address 0xbfbfdc50 out of bounds>
 callp = (struct sysent *) 0xc0709824
 td = (struct thread *) 0xc1c597d0
 p = (struct proc *) 0xc1d54a3c
 orig_tf_eflags = 646
 sticks = 0
 error = 0
 narg = 3
 args = {4, -1077945216, 0, 134877184, 12, 0, 0, -1042986436}
 code = 27
 #15 0xc069678f in Xint0x80_syscall () at 
 /usr/src/sys/i386/i386/exception.s:200
 No locals.
 #16 0x0000003b in ?? ()
 No symbol table info available.
 #17 0xbfbf003b in ?? ()
 No symbol table info available.
 ---Type <return> to continue, or q <return> to quit---
 #18 0xe1ba003b in ?? ()
 No symbol table info available.
 #19 0xbfbfdc9c in ?? ()
 No symbol table info available.
 #20 0xbfbfdcd0 in ?? ()
 No symbol table info available.
 #21 0xbfbfdca8 in ?? ()
 No symbol table info available.
 #22 0xe1b7dd64 in ?? ()
 No symbol table info available.
 #23 0x08097b90 in ?? ()
 No symbol table info available.
 #24 0x00000000 in ?? ()
 No symbol table info available.
 #25 0x00000000 in ?? ()
 No symbol table info available.
 #26 0x0000001b in ?? ()
 No symbol table info available.
 #27 0x0000000c in ?? ()
 No symbol table info available.
 #28 0x00000002 in ?? ()
 No symbol table info available.
 #29 0x282c72cb in ?? ()
 No symbol table info available.
 #30 0x00000033 in ?? ()
 No symbol table info available.
 #31 0x00000286 in ?? ()
 No symbol table info available.
 #32 0xbfbfdc4c in ?? ()
 No symbol table info available.
 #33 0x0000003b in ?? ()
 No symbol table info available.
 ---Type <return> to continue, or q <return> to quit---
 #34 0xd0d0d0d0 in ?? ()
 No symbol table info available.
 #35 0xd0d0d0d0 in ?? ()
 No symbol table info available.
 #36 0xd0d0d0d0 in ?? ()
 No symbol table info available.
 #37 0xd0d0d0d0 in ?? ()
 No symbol table info available.
 #38 0x1172c000 in ?? ()
 No symbol table info available.
 #39 0xc0739b60 in ksg_maxid ()
 No symbol table info available.
 #40 0xc1950c80 in ?? ()
 No symbol table info available.
 #41 0xe1b7d72c in ?? ()
 No symbol table info available.
 #42 0xe1b7d710 in ?? ()
 No symbol table info available.
 #43 0xc1c597d0 in ?? ()
 No symbol table info available.
 #44 0xc0536dbf in sched_switch (td=0x8097b90, newtd=0xbfbfdcd0, flags=Cannot 
 access memory at address 0xbfbfdcb8
 )
 at /usr/src/sys/kern/sched_ule.c:1383
 ksq = (struct kseq *) 0xbfbfdc9c
 ke = (struct td_sched *) Cannot access memory at address 0xbfbfdc98
 (kgdb)
 
 ----- End forwarded message -----
 
 -- 
 Totus tuus, Glebius.
 GLEBIUS-RIPN GLEB-RIPE

