kern/96981: reproducible instant reboot by unprivileged user
Lodewijk Vöge
lvoege at gmail.com
Fri Apr 27 00:20:10 UTC 2007
The following reply was made to PR kern/96981; it has been noted by GNATS.
From: Lodewijk Vöge <lvoege at gmail.com>
To: Gavin Atkinson <gavin.atkinson at ury.york.ac.uk>
Cc: bug-followup at FreeBSD.org
Subject: Re: kern/96981: reproducible instant reboot by unprivileged user
Date: Thu, 26 Apr 2007 20:11:40 -0400
On 26-apr-2007, at 8:58, Gavin Atkinson wrote:
> If so, is there any chance you could wire up a serial console to
> the machine

done, the serial console is set up and works. dumpdev is set to AUTO,
debug.debugger_on_panic to 1, but it won't dump or break to ddb. the
only behavioral difference I see with the serial console is that it
hangs instead of rebooting, and it says "kernel trap 9 with
interrupts disabled" on the serial console.

if I copy&paste a kdb_trap(type, 0, &frame); right after that printf()
in trap() in /usr/src/sys/amd64/amd64/trap.c it does break to ddb.
I have three mono threads, two of which have a trace with only
doreti_iret(). the third has:
sched_switch() at sched_switch+0x11f
mi_switch() at mi_switch+0x153
sleepq_timedwait_sig() at sleepq_timedwait_sig+0x2b
msleep() at msleep+0x39a
kse_release() at kse_release+0xe0
syscall() at syscall+0x629
Xfast_syscall() at Xfast_syscall+0xa8
--- syscall (383, FreeBSD ELF64, kse_release), rip = 0x800fb285c, rsp = 0x7fffffbfef38, rbp = 0x81 ---

if I then make it panic and kgdb the core file against kernel.debug
and 'bt', this appears:
#0 doadump () at pcpu.h:172
#1 0xffffffff802832f3 in boot (howto=260)
    at ../../../kern/kern_shutdown.c:409
#2 0xffffffff80283927 in panic (fmt=0xffffff002533ebe0 "°6\215+")
    at ../../../kern/kern_shutdown.c:565
#3 0xffffffff801aa1a2 in db_panic (addr=0, have_addr=0, count=0, modif=0x0)
    at ../../../ddb/db_command.c:438
#4 0xffffffff801aa6e5 in db_command_loop () at ../../../ddb/db_command.c:350
#5 0xffffffff801ac5fd in db_trap (type=-1462293744, code=0)
    at ../../../ddb/db_main.c:222
#6 0xffffffff802a1bab in kdb_trap (type=9, code=0, tf=0xffffffffa8d72c10)
    at ../../../kern/subr_kdb.c:473
#7 0xffffffff8041305c in trap (frame=
      {tf_rdi = 34366898272, tf_rsi = 34376163152, tf_rdx = 140737488348840,
       tf_rcx = 0, tf_r8 = 0, tf_r9 = 0, tf_rax = 0, tf_rbx = 140737488348824,
       tf_rbp = 140737488348824, tf_r10 = 0, tf_r11 = 0, tf_r12 = 0, tf_r13 = 0,
       tf_r14 = 0, tf_r15 = 0, tf_trapno = 9, tf_addr = 0, tf_flags = 0,
       tf_err = 0, tf_rip = -2143296837, tf_cs = 8, tf_rflags = 65670,
       tf_rsp = -1462293288, tf_ss = 16})
    at ../../../amd64/amd64/trap.c:219
#8 0xffffffff803fd2cb in calltrap () at ../../../amd64/amd64/exception.S:168
#9 0xffffffff803fe2bb in doreti_exit ()
    at ../../../amd64/amd64/exception.S:496
#10 0x0000000801101e20 in ?? ()
#11 0x000000000000002b in ?? ()
#12 0x0000000000000202 in ?? ()
#13 0x00007fffffffe698 in ?? ()
#14 0x0000000000000000 in ?? ()
#15 0x00000000006eaff8 in ?? ()
#16 0x0000000000000023 in ?? ()
#17 0x0000000000000000 in ?? ()
#18 0x0000000000000000 in ?? ()
#19 0x0000000000000000 in ?? ()
#20 0x0000000000000000 in ?? ()
#21 0x0000000000000000 in ?? ()
#22 0x0000000000000000 in ?? ()
#23 0x0000000000000000 in ?? ()
#24 0x0000000000000000 in ?? ()
#25 0x0000000025c0a000 in ?? ()
#26 0xffffff002533ebe0 in ?? ()
#27 0x0000000000000001 in ?? ()
#28 0xffffff002b8d36b0 in ?? ()
#29 0xffffff00264d1000 in ?? ()
#30 0xffffffffa8d726d0 in ?? ()
#31 0xffffffffa8d726a8 in ?? ()
#32 0xffffff002533ebe0 in ?? ()
#33 0xffffffff80298f6f in sched_switch (td=0x7fffffffe698, newtd=0x0, flags=0)
    at ../../../kern/sched_4bsd.c:973
Previous frame inner to this frame (corrupt stack?)
(kgdb)
let me know if I can provide more help.
Lodewijk