FreeBSD 7.1: QUOTA: kernel panics in jailed()

Kostik Belousov kostikbel at gmail.com
Sun Dec 6 18:18:18 UTC 2009


On Sun, Dec 06, 2009 at 01:21:24AM +0200, Mikolaj Golub wrote:
> Hi,
> 
> Today we have observed the panic on our FreeBSD7.1 box built with QUOTA
> support.
> 
> According to backtrace ffs_truncate() called chkdq() with NOCRED but later
> jailed() was called and the system crashed dereferencing cred->cr_prison.
> 
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-marcel-freebsd"...
> 
> Unread portion of the kernel message buffer:
> 
> 
> Fatal trap 12: page fault while in kernel mode
> cpuid = 7; apic id = 07
> fault virtual address   = 0x64
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc07a1d26
> stack pointer           = 0x28:0xedb2d8b8
> frame pointer           = 0x28:0xedb2d8b8
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 9742 (icoms_agent_cox476)
> trap number             = 12
> panic: page fault
> cpuid = 7
> Uptime: 19h54m4s
> Physical memory: 3315 MB
> Dumping 326 MB: 311 295 279 263 247 231 215 199 183 167 151 135 119 103 87 71 55 39 23 7
> 
> Reading symbols from /boot/kernel/if_lagg.ko...Reading symbols from /boot/kernel/if_lagg.ko.symbols...done.
> done.
> Loaded symbols for /boot/kernel/if_lagg.ko
> Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
> done.
> Loaded symbols for /boot/kernel/acpi.ko
> #0  doadump () at pcpu.h:196
> 196     pcpu.h: No such file or directory.
>         in pcpu.h
> (kgdb) bt
> #0  doadump () at pcpu.h:196
> #1  0xc07c2b27 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
> #2  0xc07c2df9 in panic (fmt=Variable "fmt" is not available.
> ) at /usr/src/sys/kern/kern_shutdown.c:574
> #3  0xc0ada1ec in trap_fatal (frame=0xedb2d878, eva=100) at /usr/src/sys/i386/i386/trap.c:939
> #4  0xc0ada470 in trap_pfault (frame=0xedb2d878, usermode=0, eva=100) at /usr/src/sys/i386/i386/trap.c:852
> #5  0xc0adae2c in trap (frame=0xedb2d878) at /usr/src/sys/i386/i386/trap.c:530
> #6  0xc0ac0c9b in calltrap () at /usr/src/sys/i386/i386/exception.s:159
> #7  0xc07a1d26 in jailed (cred=0x0) at /usr/src/sys/kern/kern_jail.c:465
> #8  0xc07a1da5 in prison_priv_check (cred=0x0, priv=320) at /usr/src/sys/kern/kern_jail.c:581
> #9  0xc07b62ce in priv_check_cred (cred=0x0, priv=320, flags=0) at /usr/src/sys/kern/kern_priv.c:86
> #10 0xc09e742d in chkdq (ip=0xcb55c980, change=28, cred=0x0, flags=Variable "flags" is not available.
> )
>     at /usr/src/sys/ufs/ufs/ufs_quota.c:188
> #11 0xc09c24f7 in ffs_truncate (vp=0xcac04cf0, length=0, flags=2048, cred=0xc9871d00, td=0xc95d28c0)
>     at /usr/src/sys/ufs/ffs/ffs_inode.c:276
> #12 0xc09ed372 in ufs_setattr (ap=0xedb2db64) at /usr/src/sys/ufs/ufs/ufs_vnops.c:600
> #13 0xc0af0582 in VOP_SETATTR_APV (vop=0xc0c2ff80, a=0xedb2db64) at vnode_if.c:583
> #14 0xc084c446 in kern_open (td=0xc95d28c0, path=0x4890e68c <Address 0x4890e68c out of bounds>, 
>     pathseg=UIO_USERSPACE, flags=Variable "flags" is not available.
> ) at vnode_if.h:315
> #15 0xc084c5b0 in open (td=0xc95d28c0, uap=0xedb2dcfc) at /usr/src/sys/kern/vfs_syscalls.c:999
> #16 0xc0ada7c5 in syscall (frame=0xedb2dd38) at /usr/src/sys/i386/i386/trap.c:1090
> #17 0xc0ac0d00 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:255
> #18 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> (kgdb) fr 11
> #11 0xc09c24f7 in ffs_truncate (vp=0xcac04cf0, length=0, flags=2048, cred=0xc9871d00, td=0xc95d28c0)
>     at /usr/src/sys/ufs/ffs/ffs_inode.c:276
> 276                             (void) chkdq(ip, -datablocks, NOCRED, 0);
> (kgdb) list
> 271                             if (ip->i_flag & IN_SPACECOUNTED)
> 272                                     fs->fs_pendingblocks -= datablocks;
> 273                             UFS_UNLOCK(ump);
> 274                     } else {
> 275     #ifdef QUOTA
> 276                             (void) chkdq(ip, -datablocks, NOCRED, 0);
> 277     #endif
The kernel panicked because chkdq was supplied NULL credentials and
a _positive_ block use count change. Line 276 calls chkdq with
-datablocks as the change. This could happen if you have problems
either with hardware (e.g. memory or CPU cache), or your fs
is damaged.

Another possibility is random corruption of the kernel memory, but
I recommend starting with fsck and then continuing with memory testers
if fsck has shown no problems.

> 278                             softdep_setup_freeblocks(ip, length, needextclean ?
> 279                                 IO_EXT | IO_NORMAL : IO_NORMAL);
> 280                             ASSERT_VOP_LOCKED(vp, "ffs_truncate1");
> (kgdb) fr 7
> #7  0xc07a1d26 in jailed (cred=0x0) at /usr/src/sys/kern/kern_jail.c:465
> 465     {
> (kgdb) list
> 460     /*
> 461      * Return 1 if the passed credential is in a jail, otherwise 0.
> 462      */
> 463     int
> 464     jailed(struct ucred *cred)
> 465     {
> 466
> 467             return (cred->cr_prison != NULL);
> 468     }
> 469
> 
> -- 
> Mikolaj Golub
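The sign reasoning in the reply, as an added user-space example (not code from the thread or from the FreeBSD source): the truncate path passes `-datablocks` with `NOCRED`, so the credential is only reached when `datablocks` itself is negative, which matches `change=28, cred=0x0` in frame 10. The structs, the `path` enum and the function names are simplified stand-ins assumed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model: stand-ins, not the kernel's definitions. */
struct prison { int pr_id; };
struct ucred  { unsigned cr_uid; struct prison *cr_prison; };
#define NOCRED ((struct ucred *)0)

enum path { PATH_NOOP, PATH_RELEASE, PATH_PRIV_CHECK, PATH_NULL_CRED };

/* Branch taken by a chkdq()-style routine for a block-count change.
 * In this model only a positive change (allocation) consults cred. */
enum path chkdq_path(long change, const struct ucred *cred)
{
    if (change == 0)
        return PATH_NOOP;
    if (change < 0)
        return PATH_RELEASE;        /* freeing blocks: cred never touched */
    if (cred == NOCRED)
        return PATH_NULL_CRED;      /* the kernel dereferences NULL here */
    return PATH_PRIV_CHECK;
}

/* Call shape of the quoted line 276: change = -datablocks, cred = NOCRED. */
enum path truncate_quota_path(long datablocks)
{
    return chkdq_path(-datablocks, NOCRED);
}

/* Defensive variant: treat a negative block count as an inconsistent
 * inode and refuse to account for it instead of reaching the cred check. */
int truncate_quota_checked(long datablocks, enum path *out)
{
    if (datablocks < 0)
        return -1;
    *out = truncate_quota_path(datablocks);
    return 0;
}

int main(void)
{
    enum path p = PATH_NOOP;
    printf("datablocks=28  -> path %d\n", truncate_quota_path(28));
    printf("datablocks=-28 -> path %d\n", truncate_quota_path(-28));
    printf("checked(-28)   -> %d\n", truncate_quota_checked(-28, &p));
    return 0;
}
```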