kern/98116: Crash with sparse files and execve()

Kirk Russell kirk at ba23.org
Mon May 29 19:30:49 PDT 2006


>Number:         98116
>Category:       kern
>Synopsis:       Crash with sparse files and execve()
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 30 02:30:15 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Kirk Russell
>Release:        6.1-RELEASE i386
>Organization:
http://www.ba23.org/
>Environment:
FreeBSD amd.on.kr 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Mon May 29 19:39:51 EDT 2006     root at amd.on.kr:/usr/src/sys/i386/compile/GENERIC  i386

>Description:
I can reproduce this issue on an alpha AS2100, so it should be a 
generic kernel issue.

It would appear that when I try to exec() a sparse file,
the kernel will crash.

GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:
panic: vnode_pager_getpages: unexpected missing page: firstaddr: -1, foff: 0x000000000, vnp_size: 0x000005000
Uptime: 4m45s
Dumping 127 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 127MB (32492 pages) 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:165
165     __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc064dee1 in boot (howto=260) at ../../../kern/kern_shutdown.c:402
#2  0xc064e178 in panic (
    fmt=0xc08bbde2 "vnode_pager_getpages: unexpected missing page: firstaddr: %jd, foff: 0x%jx%08jx, vnp_size: 0x%jx%08jx")
    at ../../../kern/kern_shutdown.c:558
#3  0xc07cad09 in vnode_pager_generic_getpages (vp=0xc1ce1990, m=0xcaa84af0, 
    bytecount=16384, reqpage=0) at ../../../vm/vnode_pager.c:812
#4  0xc07a3b91 in ffs_getpages (ap=0xcaa84aa8)
    at ../../../ufs/ffs/ffs_vnops.c:787
#5  0xc0853755 in VOP_GETPAGES_APV (vop=0x0, a=0x0) at vnode_if.c:2110
#6  0xc07ca743 in vnode_pager_getpages (object=0xc1ce3738, m=0x0, count=0, 
    reqpage=0) at vnode_if.h:1084
#7  0xc06347f0 in exec_map_first_page (imgp=0xcaa84be8) at vm_pager.h:130
#8  0xc0633b68 in do_execve (td=0xc1bd8d80, args=0xcaa84cb4, mac_p=0x0)
    at ../../../kern/kern_exec.c:394
#9  0xc06338d4 in kern_execve (td=0xc1bd8d80, args=0xcaa84cb4, mac_p=0x0)
    at ../../../kern/kern_exec.c:258
#10 0xc06337de in execve (td=0xc1bd8d80, uap=0x0)
    at ../../../kern/kern_exec.c:186
#11 0xc08420ab in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 671408800, tf_esi = -1077940828, tf_ebp = -1077940920, tf_isp = -894939804, tf_ebx = 1, tf_edx = -1, tf_ecx = 2, tf_eax = 59, tf_trapno = 12, tf_err = 2, tf_eip = 671914907, tf_cs = 51, tf_eflags = 662, tf_esp = -1077940996, tf_ss = 59})
    at ../../../i386/i386/trap.c:981
#12 0xc0830cef in Xint0x80_syscall () at ../../../i386/i386/exception.s:200
#13 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 6
#6  0xc07ca743 in vnode_pager_getpages (object=0xc1ce3738, m=0x0, count=0, 
    reqpage=0) at vnode_if.h:1084
1084        a.a_offset = offset;
(kgdb) print offset
No symbol "offset" in current context.
(kgdb) print a.a_offset
No symbol "a" in current context.
(kgdb) print a
No symbol "a" in current context.
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc064dee1 in boot (howto=260) at ../../../kern/kern_shutdown.c:402
#2  0xc064e178 in panic (
    fmt=0xc08bbde2 "vnode_pager_getpages: unexpected missing page: firstaddr: %jd, foff: 0x%jx%08jx, vnp_size: 0x%jx%08jx")
    at ../../../kern/kern_shutdown.c:558
#3  0xc07cad09 in vnode_pager_generic_getpages (vp=0xc1ce1990, m=0xcaa84af0, 
    bytecount=16384, reqpage=0) at ../../../vm/vnode_pager.c:812
#4  0xc07a3b91 in ffs_getpages (ap=0xcaa84aa8)
    at ../../../ufs/ffs/ffs_vnops.c:787
#5  0xc0853755 in VOP_GETPAGES_APV (vop=0x0, a=0x0) at vnode_if.c:2110
#6  0xc07ca743 in vnode_pager_getpages (object=0xc1ce3738, m=0x0, count=0, 
    reqpage=0) at vnode_if.h:1084
#7  0xc06347f0 in exec_map_first_page (imgp=0xcaa84be8) at vm_pager.h:130
#8  0xc0633b68 in do_execve (td=0xc1bd8d80, args=0xcaa84cb4, mac_p=0x0)
    at ../../../kern/kern_exec.c:394
#9  0xc06338d4 in kern_execve (td=0xc1bd8d80, args=0xcaa84cb4, mac_p=0x0)
    at ../../../kern/kern_exec.c:258
#10 0xc06337de in execve (td=0xc1bd8d80, uap=0x0)
    at ../../../kern/kern_exec.c:186
#11 0xc08420ab in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 671408800, tf_esi = -1077940828, tf_ebp = -1077940920, tf_isp = -894939804, tf_ebx = 1, tf_edx = -1, tf_ecx = 2, tf_eax = 59, tf_trapno = 12, tf_err = 2, tf_eip = 671914907, tf_cs = 51, tf_eflags = 662, tf_esp = -1077940996, tf_ss = 59})
    at ../../../i386/i386/trap.c:981
#12 0xc0830cef in Xint0x80_syscall () at ../../../i386/i386/exception.s:200
#13 0x00000033 in ?? ()


Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
    The Regents of the University of California. All rights reserved.
FreeBSD 6.1-RELEASE #0: Mon May 29 19:39:51 EDT 2006
    root at amd.on.kr:/usr/src/sys/i386/compile/GENERIC
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD Athlon(tm) Processor (1210.79-MHz 686-class CPU)
  Origin = "AuthenticAMD"  Id = 0x642  Stepping = 2
  Features=0x183f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR>
  AMD Features=0xc0440800<SYSCALL,<b18>,MMX+,3DNow+,3DNow>
real memory  = 134135808 (127 MB)
avail memory = 121704448 (116 MB)
kbd1 at kbdmux0
acpi0: <ASUS A7V-133> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0xe408-0xe40b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_throttle0: <ACPI CPU Throttling> on cpu0
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
agp0: <VIA 82C8363 (Apollo KT133x/KM133) host to PCI bridge> mem 0xe6000000-0xe7ffffff at device 0.0 on pci0
pcib1: <PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
isab0: <PCI-ISA bridge> at device 4.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <VIA 82C686B UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xd800-0xd80f at device 4.1 on pci0
ata0: <ATA channel 0> on atapci0
ata1: <ATA channel 1> on atapci0
uhci0: <VIA 83C572 USB controller> port 0xd000-0xd01f irq 5 at device 4.3 on pci0
uhci0: [GIANT-LOCKED]
usb0: <VIA 83C572 USB controller> on uhci0
usb0: USB revision 1.0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
pci0: <bridge> at device 4.4 (no driver attached)
ahc0: <Adaptec 2940 SCSI adapter> port 0xa400-0xa4ff mem 0xe5000000-0xe5000fff irq 5 at device 9.0 on pci0
ahc0: [GIANT-LOCKED]
aic7870: Single Channel A, SCSI Id=7, 16/253 SCBs
fxp0: <Intel 82559 Pro/100 Ethernet> port 0xa000-0xa03f mem 0xe4800000-0xe4800fff,0xe4000000-0xe40fffff irq 10 at device 10.0 on pci0
miibus0: <MII bus> on fxp0
inphy0: <i82555 10/100 media interface> on miibus0
inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp0: Ethernet address: 00:04:ac:d3:7e:2f
ahc1: <Adaptec 2940 Ultra SCSI adapter> port 0x9800-0x98ff mem 0xe3800000-0xe3800fff irq 11 at device 11.0 on pci0
ahc1: [GIANT-LOCKED]
aic7880: Ultra Wide Channel A, SCSI Id=7, 16/253 SCBs
pci0: <display, VGA> at device 12.0 (no driver attached)
ahc2: <Adaptec 2944 Ultra SCSI adapter> port 0x9000-0x90ff mem 0xe1000000-0xe1000fff irq 5 at device 13.0 on pci0
ahc2: [GIANT-LOCKED]
aic7880: Ultra Wide Channel A, SCSI Id=7, 16/253 SCBs
atapci1: <Promise PDC20265 UDMA100 controller> port 0x8800-0x8807,0x8400-0x8403,0x8000-0x8007,0x7800-0x7803,0x7400-0x743f mem 0xe0800000-0xe081ffff irq 11 at device 17.0 on pci0
ata2: <ATA channel 0> on atapci1
ata3: <ATA channel 1> on atapci1
fdc0: <floppy drive controller> port 0x3f2-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
ppc0: <ECP parallel printer port> port 0x378-0x37f,0x778-0x77b irq 7 drq 3 on acpi0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes threshold
ppbus0: <Parallel port bus> on ppc0
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: model Generic PS/2 mouse, device ID 0
pmtimer0 on isa0
orm0: <ISA Option ROMs> at iomem 0xc0000-0xcbfff,0xcc000-0xcc7ff,0xd0000-0xd47ff,0xd8000-0xd87ff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 1210791126 Hz quality 800
Timecounters tick every 1.000 msec
Waiting 5 seconds for SCSI devices to settle
ad0: 8063MB <Maxtor 90845D4 GAS54112> at ata0-master UDMA33
acd0: CDROM <FX4820T/D03A> at ata1-slave UDMA33
da0 at ahc1 bus 0 target 0 lun 0
da0: <COMPAQPC WDE9100W 1.01> Fixed Direct Access SCSI-2 device 
da0: 40.000MB/s transfers (20.000MHz, offset 8, 16bit), Tagged Queueing Enabled
da0: 8678MB (17773500 512 byte sectors: 255H 63S/T 1106C)
Trying to mount root from ufs:/dev/da0s1a

>How-To-Repeat:
$ cat bstg0002.c
#include <unistd.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>

int main(void)
{
        extern char **environ;
        int fd;
        char *tk[3] = { "/tmp/afile", NULL, NULL };

        unlink(tk[0]);

        /* create a (sparse) file of zeroes: ftruncate() extends it to
         * 20480 bytes without allocating a single data block */
        if ((fd = open(tk[0], O_CREAT|O_RDWR, 0777)) == -1) {
                err(1, "open");
        } else if (ftruncate(fd, 20480) == -1) {
                err(1, "ftruncate");
        } else if (close(fd) == -1) {
                err(1, "close");
        }

        /* we expect the exec() to fail because file is all zeroes;
         * on this 6.1 kernel it panics in vnode_pager_getpages() instead */
        execve(tk[0], tk, environ);
        warn("execve");

        return 0;
}

$ cc -Wall bstg0002.c
$ ./a.out

Dump header from device /dev/da0s1b
  Architecture: i386
  Architecture Version: 2
  Dump Length: 133742592B (127 MB)
  Blocksize: 512
  Dumptime: Mon May 29 20:13:53 2006
  Hostname: amd.on.kr
  Magic: FreeBSD Kernel Dump
  Version String: FreeBSD 6.1-RELEASE #0: Mon May 29 19:39:51 EDT 2006
    root at amd.on.kr:/usr/src/sys/i386/compile/GENERIC
  Panic String: vnode_pager_getpages: unexpected missing page: firstaddr: -1, foff: 0x000000000, vnp_size: 0x000005000
  Dump Parity: 587650072
  Bounds: 5
  Dump Status: good
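As a defender-side check added here (not code from the PR), the helper below reports whether a file's first page has no backing block, which is the state the panic string above describes (firstaddr -1 at foff 0). It uses SEEK_DATA where the system defines it (guarded by #ifdef for systems without it) and falls back to st_blocks; make_fixture is a constructed test helper that builds the same all-holes file bstg0002.c does, plus a fully written one for comparison.

```c
#define _GNU_SOURCE             /* exposes SEEK_DATA on glibc */
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Returns 1 if the first page of path has no backing block (the state that
 * made vnode_pager_getpages() panic in the report), 0 if it is backed by
 * data, -1 on error.  Hypothetical helper, not part of the PR. */
int first_page_is_hole(const char *path)
{
    struct stat st;
    long pagesz = sysconf(_SC_PAGESIZE);
    int fd = open(path, O_RDONLY), hole = 0;

    if (fd == -1 || fstat(fd, &st) == -1) {
        if (fd != -1) close(fd);
        return -1;
    }
    if (st.st_size > 0 && st.st_blocks == 0) {
        hole = 1;       /* no blocks allocated: every page is a hole */
    } else if (st.st_size > 0) {
#ifdef SEEK_DATA
        /* offset of the first real data; ENXIO means there is none at all */
        off_t first = lseek(fd, 0, SEEK_DATA);
        if ((first == -1 && errno == ENXIO) || first >= pagesz)
            hole = 1;
#endif
    }
    close(fd);
    return hole;
}

/* Constructed fixture: size bytes of zeroes, either really written (fill)
 * or left as holes by ftruncate() exactly as bstg0002.c does. */
int make_fixture(const char *path, off_t size, int fill)
{
    char zeros[4096] = {0};
    int fd = open(path, O_CREAT | O_TRUNC | O_WRONLY, 0600);

    if (fd == -1)
        return -1;
    for (off_t done = 0; fill && done < size; done += sizeof zeros) {
        size_t n = size - done < (off_t)sizeof zeros ? (size_t)(size - done) : sizeof zeros;
        if (write(fd, zeros, n) != (ssize_t)n) { close(fd); return -1; }
    }
    if (!fill && ftruncate(fd, size) == -1) { close(fd); return -1; }
    return close(fd);
}
```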

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
