panic in g_io_schedule_down

Daniil Cherednik dcherednik at roshianokatachi.com
Mon Jun 24 14:27:09 UTC 2013 

Hello. I have got panic, see attached file
We are using FreeBSD 8.3-amd64 but this part of code wasn`t modified in 
HEAD
part of disassembled code:

ffffffff803d88b8:       4c 8b 43 18             mov    0x18(%rbx),%r8
ffffffff803d88bc:       89 c6                   mov    %eax,%esi
ffffffff803d88be:       4c 89 c2                mov    %r8,%rdx
ffffffff803d88c1:       4c 89 c0                mov    %r8,%rax
ffffffff803d88c4:       48 c1 fa 3f             sar    $0x3f,%rdx
ffffffff803d88c8:       48 f7 fe                idiv   %rsi
ffffffff803d88cb:       48 85 d2                test   %rdx,%rdx
ffffffff803d88ce:       0f 85 29 01 00 00       jne    ffffffff803d89fd 
<g_io_schedule_down+0x21d>
ffffffff803d88d4:       48 8b 93 90 00 00 00    mov    0x90(%rbx),%rdx
ffffffff803d88db:       48 89 d0                mov    %rdx,%rax
ffffffff803d88de:       48 c1 fa 3f             sar    $0x3f,%rdx
ffffffff803d88e2:       48 f7 fe                idiv   %rsi
ffffffff803d88e5:       48 85 d2                test   %rdx,%rdx
ffffffff803d88e8:       0f 85 0f 01 00 00       jne    ffffffff803d89fd 
<g_io_schedule_down+0x21d>
ffffffff803d88ee:       4d 85 c0                test   %r8,%r8
ffffffff803d88f1:       78 05                   js     ffffffff803d88f8 
<g_io_schedule_down+0x118>
ffffffff803d88f3:       4d 39 c1                cmp    %r8,%r9
ffffffff803d88f6:       7d 60                   jge    ffffffff803d8958 
<g_io_schedule_down+0x178>
ffffffff803d88f8:       be 05 00 00 00          mov    $0x5,%esi
ffffffff803d88fd:       66                      data16
ffffffff803d88fe:       66                      data16
ffffffff803d88ff:       90                      nop
ffffffff803d8900:       48 89 df                mov    %rbx,%rdi
ffffffff803d8903:       e8 68 f7 ff ff          callq  ffffffff803d8070 
<g_io_deliver>
ffffffff803d8908:       e9 e3 fe ff ff          jmpq   ffffffff803d87f0 
<g_io_schedule_down+0x10>
ffffffff803d890d:       66                      data16
ffffffff803d890e:       66                      data16
ffffffff803d890f:       90                      nop
ffffffff803d8910:       44 8b 5a 34             mov    0x34(%rdx),%r11d
ffffffff803d8914:       45 85 db                test   %r11d,%r11d

g_io_check function was inlined and quite good optimized. But it look 
like we have possibility to get access to wrong address in 
g_io_check(struct bio *bp) function here:

         if (cp->acr == 0)
                return (EPERM);
         break;
case BIO_WRITE:
case BIO_DELETE:
case BIO_FLUSH:
        if (cp->acw == 0)
                return (EPERM);
        break;
default:
return (EPERM);

for example in g_io_deliver we have additional checking:

cp = bp->bio_from;
if (cp == NULL) {
         bp->bio_error = error;
         bp->bio_done(bp);
         return;
}

also in this function we have KASSERTed bp and pp. So the question is 
in which case bio_from can be equal to null? Do we have to do some 
additional checks in g_io_check?









-------------- next part --------------
A non-text attachment was scrubbed...
Name: panic-g_io_schedule_down.gif
Type: application/octet-stream
Size: 24509 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20130624/310dca4f/attachment.obj>

More information about the freebsd-hackers mailing list