stack abuse by linux_ioctl_cdrom [Was: double-fault in linux ioctl for atapicam cd device]

Mon May 18 14:09:10 UTC 2009

on 18/05/2009 16:41 Andriy Gapon said the following:
> This is recent i386 stable/7. The problem is 100% reproducible with the same stack
> trace. The problem happens when I start a Linux program that performs a check on a
> cd-rom device (atapi cd-rom that is presented as cd0 by atapicam driver).
> I examined the crash dump in kgdb but couldn't find anything peculiar in the
> variables, so I guess that this must be stack overflow or something like that.
> 
> In fact, difference between values in %esp in frame 4 and frame 22 is 7500 which
> is quite close to KSTACK_PAGES * PAGE_SIZE for i386.
> If I did my calculations correctly then it seems that linux_ioctl_cdrom uses
> slightly more than 4K of stack, then cam_periph_error uses 828 bytes,
> scsi_command_string uses 696, cam_error_print uses 540.

In fact almost all of stack usage in linux_ioctl_cdrom comes from struct
dvd_struct (2060 bytes) and l_dvd_struct (2056 bytes) variables declared on stack
(for LINUX_DVD_READ_STRUCT case). Not sure what's the best way to fix - move to heap?

> The backtrace is below. I am keeping the dump.
> 
> (kgdb) bt
> #0  doadump () at pcpu.h:196
> #1  0xc0556523 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
> #2  0xc055676f in panic (fmt=Variable "fmt" is not available.
> ) at /usr/src/sys/kern/kern_shutdown.c:574
> #3  0xc0712b69 in dblfault_handler () at /usr/src/sys/i386/i386/trap.c:972
> #4  0xc058380a in kvprintf (fmt=0xc075d204 " ", func=0xc05828e0 <snprintf_func>,
> arg=0xdabf0120, radix=10, ap=0xdabf015c "B") at /usr/src/sys/kern/subr_prf.c:823
> #5  0xc0583c0b in vsnprintf (str=0xdabf03eb "", size=49, format=0xc075d202 "%x ",
> ap=0xdabf0158 "B") at /usr/src/sys/kern/subr_prf.c:483
> #6  0xc0583cf9 in snprintf (str=0xdabf03eb "", size=49, format=0xc075d202 "%x ")
> at /usr/src/sys/kern/subr_prf.c:467
> #7  0xc0449dc0 in scsi_cdb_string (cdb_ptr=0xc3187c9c "B", cdb_string=0xdabf03eb
> "", len=49) at /usr/src/sys/cam/scsi/scsi_all.c:2943
> #8  0xc0449ffd in scsi_command_string (csio=0xc3187c00, sb=0xdabf0440) at
> /usr/src/sys/cam/scsi/scsi_all.c:3031
> #9  0xc043db61 in cam_error_string (ccb=0xc3187c00, str=0xdabf04bc
> "(cd0:ata0:0:0:0): ", str_len=512, flags=Variable "flags" is not available.
> ) at /usr/src/sys/cam/cam.c:262
> #10 0xc043dcb4 in cam_error_print (ccb=0xc3187c00, flags=CAM_ESF_ALL,
> proto_flags=CAM_EPF_ALL) at /usr/src/sys/cam/cam.c:341
> #11 0xc043e500 in cam_periph_error (ccb=0xc3187c00, camflags=CAM_RETRY_SELTO,
> sense_flags=1, save_ccb=0xc32b3034) at /usr/src/sys/cam/cam_periph.c:1548
> #12 0xc044bcb0 in cderror (ccb=0xc3187c00, cam_flags=2, sense_flags=1) at
> /usr/src/sys/cam/scsi/scsi_cd.c:3133
> #13 0xc043ee1a in cam_periph_runccb (ccb=0xc3187c00, error_routine=0xc044bc10
> <cderror>, camflags=CAM_RETRY_SELTO, sense_flags=1, ds=0xc329fb40) at
> /usr/src/sys/cam/cam_periph.c:902
> #14 0xc044c2cb in cdrunccb (ccb=0xc3187c00, error_routine=0xc044bc10 <cderror>,
> cam_flags=2, sense_flags=1) at /usr/src/sys/cam/scsi/scsi_cd.c:1318
> #15 0xc044f684 in cdioctl (dp=0xc3286000, cmd=3222037279, addr=0xdabf1c1c, flag=5,
> td=0xc354c230) at /usr/src/sys/cam/scsi/scsi_cd.c:3227
> #16 0xc04f9fa4 in g_disk_ioctl (pp=0xc32c7000, cmd=3222037279, data=0xdabf1c1c,
> fflag=5, td=0xc354c230) at /usr/src/sys/geom/geom_disk.c:231
> #17 0xc04f92dd in g_dev_ioctl (dev=0xc33faa00, cmd=3222037279, data=0xdabf1c1c
> "\001\001", fflag=5, td=0xc354c230) at /usr/src/sys/geom/geom_dev.c:332
> #18 0xc04e5b87 in devfs_ioctl_f (fp=0xc32d1474, com=3222037279, data=0xdabf1c1c,
> cred=0xc4077800, td=0xc354c230) at /usr/src/sys/fs/devfs/devfs_vnops.c:602
> #19 0xc3449ea4 in linux_ioctl_cdrom (td=0xc354c230, args=0xdabf1cfc) at file.h:269
> #20 0xc344978a in linux_ioctl (td=0xc354c230, args=0xdabf1cfc) at
> /usr/src/sys/modules/linux/../../compat/linux/linux_ioctl.c:2621
> #21 0xc0713495 in syscall (frame=0xdabf1d38) at /usr/src/sys/i386/i386/trap.c:1090
> #22 0xc07006d0 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:255
> #23 0x00000033 in ?? ()
> 

-- 
Andriy Gapon