Fatal trap 12 in exec_copyout_strings()
John Baldwin
jhb at FreeBSD.org
Wed Jun 22 14:31:37 GMT 2005
On Tuesday 21 June 2005 04:00 pm, Andrew Gallatin wrote:
> John Baldwin writes:
> > On Sunday 29 May 2005 01:50 pm, Kris Kennaway wrote:
> > > On Tue, May 10, 2005 at 03:36:36PM -0700, Kris Kennaway wrote:
> > > > Got this on a dual amd64 with 8GB RAM running 6.0 from last week:
> > > >
> > > > Fatal trap 12: page fault while in kernel mode
> > > > cpuid = 1; apic id = 01
> > > > fault virtual address = 0xffffffffa9cdc000
> > > > fault code = supervisor read, page not present
> > > > instruction pointer = 0x8:0xffffffff8037759f
> > > > stack pointer = 0x10:0xffffffffba1637d0
> > > > frame pointer = 0x10:0xffffffffba163820
> > > > code segment = base 0x0, limit 0xfffff, type 0x1b
> > > > = DPL 0, pres 1, long 1, def32 0, gran 1
> > > > processor eflags = interrupt enabled, resume, IOPL = 0
> > > > current process = 52247 (sh)
> > > > [thread pid 52247 tid 100149 ]
> > > > Stopped at exec_copyout_strings+0x12f:
> > > > db> wh
> > > > Tracing pid 52247 tid 100149 td 0xffffff016e5724c0
> > > > exec_copyout_strings() at exec_copyout_strings+0x12f
> > > > do_execve() at do_execve+0x39a
> > > > kern_execve() at kern_execve+0xab
> > > > execve() at execve+0x49
> > > > syscall() at syscall+0x382
> > > > Xfast_syscall() at Xfast_syscall+0xa8
> > > > --- syscall (59, FreeBSD ELF64, execve), rip = 0x80090622c, rsp = 0x7fffffffe058, rbp = 0xffffffff ---
> > > > db>
> > >
> > > I've got this panic twice more since.
> >
> > Do you have a kernel.debug? Can you do 'list
> > *exec_copyout_strings+0x12f'? I think I've seen reports of the
> > linux32_exec_copyout_strings() having a similar fault as well on amd64.
>
> I just got this on my freshly installed UP, 512MB athlon64. For me,
> it's 100% reproducible when running a cross-compiler built on
> FreeBSD-4.
>
> (kgdb) p *imgp->args
> $33 = {
>   buf = 0xffffffff90ba3000 <Address 0xffffffff90ba3000 out of bounds>,
>   begin_argv = 0xffffffff90ba3000 <Address 0xffffffff90ba3000 out of bounds>,
>   begin_envv = 0xffffffff90ba313d <Address 0xffffffff90ba313d out of bounds>,
>   endp = 0xffffffff90ba389f <Address 0xffffffff90ba389f out of bounds>,
>   fname = 0xffffffff90be3000 "/home/gallatin/lanaitools/intel_FreeBSD/lib/gcc-lib/lanai/2.95.2..1.6/cc1",
>   stringspace = 259937,
>   argc = 23,
>   envc = 46
> }
>
> I'm puzzled. fname seems to be buf+ARGV_MAX, so it's not
> like something randomly scribbled on this memory.
>
> In the debugger, the memory just below buf+ARGV_MAX seems to be
> unmapped. But we've done copyins in freebsd32_exec_copyin_args(),
> otherwise endp would not have been advanced. So we've written to this
> memory.
>
> It is almost like somebody freed buf through buf + 262144.
I think I figured it out. sobomax@ changed how much memory exec_copyin_args()
and exec_free_args() allocated and freed without updating
freebsd32_exec_copyin_args() and linux_exec_copyin_args(), so more memory was
freed than was allocated, which would free memory out from under other execs.
Patch is below. Let me know if it fixes the problem.
Index: amd64/linux32/linux32_machdep.c
===================================================================
RCS file: /usr/cvs/src/sys/amd64/linux32/linux32_machdep.c,v
retrieving revision 1.9
diff -u -r1.9 linux32_machdep.c
--- amd64/linux32/linux32_machdep.c 5 Apr 2005 15:28:06 -0000 1.9
+++ amd64/linux32/linux32_machdep.c 22 Jun 2005 14:26:03 -0000
@@ -113,7 +113,8 @@
* Allocate temporary demand zeroed space for argument and
* environment strings
*/
- args->buf = (char *) kmem_alloc_wait(exec_map, PATH_MAX + ARG_MAX);
+ args->buf = (char *) kmem_alloc_wait(exec_map,
+ PATH_MAX + ARG_MAX + MAXSHELLCMDLEN);
if (args->buf == NULL)
return (ENOMEM);
args->begin_argv = args->buf;
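Review bot: the size PATH_MAX + ARG_MAX + MAXSHELLCMDLEN is now written out by hand in this allocation and must agree byte-for-byte with whatever exec_free_args() passes on the free side; that silent dependency is exactly what let the compat path free more than it allocated. Rather than a further copy of the expression, consider one shared constant for the exec argument buffer size, or recording the allocated length in the args structure and having exec_free_args() free that recorded length, so the two sides cannot drift apart again. The following `if (args->buf == NULL) return (ENOMEM);` check still covers the larger request unchanged.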
Index: compat/freebsd32/freebsd32_misc.c
===================================================================
RCS file: /usr/cvs/src/sys/compat/freebsd32/freebsd32_misc.c,v
retrieving revision 1.35
diff -u -r1.35 freebsd32_misc.c
--- compat/freebsd32/freebsd32_misc.c 11 Jun 2005 14:58:20 -0000 1.35
+++ compat/freebsd32/freebsd32_misc.c 22 Jun 2005 14:26:11 -0000
@@ -237,7 +237,8 @@
* Allocate temporary demand zeroed space for argument and
* environment strings
*/
- args->buf = (char *) kmem_alloc_wait(exec_map, PATH_MAX + ARG_MAX);
+ args->buf = (char *) kmem_alloc_wait(exec_map,
+ PATH_MAX + ARG_MAX + MAXSHELLCMDLEN);
if (args->buf == NULL)
return (ENOMEM);
args->begin_argv = args->buf;
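Review bot: this hunk is a verbatim copy of the linux32 hunk and of the native allocation in exec_copyin_args(); keeping the same allocation line in three files is how freebsd32 and linux32 were missed when the native size changed. Consider factoring the buffer allocation into a helper that exec_copyin_args() and both compat copyin routines call, and confirm the fix against Andrew's FreeBSD-4 cross-compiler reproducer, which, per his kgdb output, goes through freebsd32_exec_copyin_args() and so exercises this path.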
--
John Baldwin <jhb at FreeBSD.org> <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve" = http://www.FreeBSD.org
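The failure mode discussed in this thread is an allocate/free size mismatch in an explicit-size allocator: kmem_alloc_wait() and its free counterpart both take the length from the caller, so a free that names a larger length than the matching allocation releases pages belonging to a neighbouring allocation (here, another exec's argument buffer). The following is an added example, not FreeBSD code: a toy first-fit page arena standing in for exec_map, with made-up TOY_* sizes and a `toy_args` struct that plays the role of `imgp->args`. It reproduces the over-free and shows the defensive variant in which the allocation size is recorded next to the buffer and reused on free.

```c
/*
 * Toy model of an explicit-size allocator such as the exec_map used by
 * kmem_alloc_wait()/kmem_free_wakeup(): the caller supplies the size on
 * both allocate and free, so nothing stops a free from covering more
 * than was allocated. All names and sizes here are this example's own.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOY_PATH_MAX        1024   /* stands in for PATH_MAX        */
#define TOY_ARG_MAX         4096   /* stands in for ARG_MAX         */
#define TOY_MAXSHELLCMDLEN   128   /* stands in for MAXSHELLCMDLEN  */
#define PAGE                 512
#define ARENA_PAGES           64   /* 32 KiB arena                  */

static unsigned char arena[ARENA_PAGES * PAGE];
static bool          used[ARENA_PAGES];

static size_t pages_for(size_t bytes) { return (bytes + PAGE - 1) / PAGE; }

/* First-fit page allocator; returns NULL when no free run is large enough. */
static void *toy_alloc(size_t bytes)
{
    size_t need = pages_for(bytes);
    for (size_t i = 0; i + need <= ARENA_PAGES; i++) {
        size_t j = 0;
        while (j < need && !used[i + j])
            j++;
        if (j == need) {
            memset(&used[i], 1, need);
            return &arena[i * PAGE];
        }
    }
    return NULL;
}

/* Releases `bytes` starting at p, trusting the caller's size exactly as the
 * kernel map free does; no record of the original allocation is consulted. */
static void toy_free(void *p, size_t bytes)
{
    size_t first = (size_t)((unsigned char *)p - arena) / PAGE;
    size_t need  = pages_for(bytes);
    if (first + need > ARENA_PAGES)
        need = ARENA_PAGES - first;
    memset(&used[first], 0, need);
}

static bool page_is_live(const void *p)
{
    return used[(size_t)((const unsigned char *)p - arena) / PAGE];
}

/* Stand-in for imgp->args: the buffer plus, in the fixed variant, its size. */
struct toy_args {
    char  *buf;
    size_t bufsz;
};

/* Two "execs" in flight: A allocated with the old size (the unpatched compat
 * copyin), B with the new larger size. The shared free then releases A using
 * the new size, one page more than A owns, and takes B's first page with it.
 * Returns 1 if B's buffer was freed out from under it, 0 if it survived. */
int mismatched_free_clobbers_neighbor(void)
{
    memset(used, 0, sizeof used);
    struct toy_args a = {0}, b = {0};
    a.buf = toy_alloc(TOY_PATH_MAX + TOY_ARG_MAX);
    b.buf = toy_alloc(TOY_PATH_MAX + TOY_ARG_MAX + TOY_MAXSHELLCMDLEN);
    if (a.buf == NULL || b.buf == NULL)
        return -1;
    toy_free(a.buf, TOY_PATH_MAX + TOY_ARG_MAX + TOY_MAXSHELLCMDLEN);
    return page_is_live(b.buf) ? 0 : 1;
}

/* Defensive variant: the size is recorded alongside the buffer at allocation
 * time and the free uses that record, so the two sides cannot disagree. */
int recorded_size_free_is_safe(void)
{
    memset(used, 0, sizeof used);
    struct toy_args a = {0}, b = {0};
    a.bufsz = TOY_PATH_MAX + TOY_ARG_MAX;
    a.buf   = toy_alloc(a.bufsz);
    b.bufsz = TOY_PATH_MAX + TOY_ARG_MAX + TOY_MAXSHELLCMDLEN;
    b.buf   = toy_alloc(b.bufsz);
    if (a.buf == NULL || b.buf == NULL)
        return -1;
    toy_free(a.buf, a.bufsz);
    return page_is_live(b.buf) ? 0 : 1;
}

int main(void)
{
    printf("mismatched sizes: neighbour clobbered = %d\n", mismatched_free_clobbers_neighbor());
    printf("recorded size:    neighbour clobbered = %d\n", recorded_size_free_is_safe());
    return 0;
}
```

With 512-byte pages the old size needs 10 pages and the new size 11, so the over-long free releases exactly one page of the adjacent buffer; in the real kernel the same arithmetic at PATH_MAX + ARG_MAX scale explains why the memory just below buf + ARG_MAX in Andrew's dump was unmapped while fname, which lives at the end of the region, was still intact.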