Re: fstat triggered INVARIANTS panic in memrw()

From: Kris Kennaway <kris_at_obsecurity.org>
Date: Sun, 16 Jan 2005 17:47:46 -0800
On Sun, Jan 16, 2005 at 03:13:49PM -0600, Alan Cox wrote:

> The "deadc0de" passed to generic_copyout() comes from the following
> lines in devfs_read_f(c51773b8,eed96c84,ca75c800,flags=0):
> 
>         if ((flags & FOF_OFFSET) == 0)
>                 uio->uio_offset = fp->f_offset;
> 
> Can you print the contents of the file structure?

Hmm, I tried with gdb53 but it gave me a weird trace:

(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc0528567 in boot (howto=260) at ../../../kern/kern_shutdown.c:398
#2  0xc0528037 in panic (fmt=0xc071abe1 "../../../kern/kern_shutdown.c") at ../../../kern/kern_shutdown.c:554
#3  0xc068921a in vm_fault (map=0xc103b000, vaddr=3735928832, fault_type=1 '\001', fault_flags=0)
    at ../../../vm/vm_fault.c:875
#4  0xc06deef2 in trap_pfault (frame=0xe7275b8c, usermode=0, eva=3735929054) at ../../../i386/i386/trap.c:713
#5  0xc06df3e3 in trap (frame=
      {tf_fs = -1066205160, tf_es = 16, tf_ds = -1056767984, tf_edi = 134545408, tf_esi = -559038242, tf_ebp = -416850940, tf_isp = -416851016, tf_ebx = 2058814332, tf_edx = 1966776, tf_ecx = 514703583, tf_eax = -2101607556, tf_trapno = 12, tf_err = 0, tf_eip = -1066543558, tf_cs = 8, tf_eflags = 66050, tf_esp = 2058814332, tf_ss = -416850812}) at ../../../i386/i386/trap.c:414
#6  0xc06dd63a in generic_copyout () at ../../../i386/i386/support.s:760
#7  0xc06d8aba in memrw (dev=0xc22f8200, uio=0x8050000, flags=0) at ../../../i386/i386/mem.c:128
#8  0xc04d8d91 in devfs_read_f (fp=0x8050000, uio=0xdeadc0de, cred=0xc3540380, flags=0, td=0xc3c34170)
    at ../../../fs/devfs/devfs_vnops.c:931
#9  0xc0552632 in dofileread (td=0x8050000, fp=0x7ab7037c, fd=0, buf=0x0, nbyte=2058814332, offset=0, flags=0)
    at file.h:234
#10 0xc05527f5 in read (td=0xc3c34170, uap=0xdeadc0de) at ../../../kern/sys_generic.c:107
#11 0xc06df7d7 in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 2058814332, tf_esi = 0, tf_ebp = -1077943512, tf_isp = -416850572, tf_ebx = 671608356, tf_edx = 134549504, tf_ecx = 0, tf_eax = 3, tf_trapno = 12, tf_err = 2, tf_eip = 671899359, tf_cs = 31, tf_eflags = 514, tf_esp = -1077943556, tf_ss = 47}) at ../../../i386/i386/trap.c:951
(kgdb) frame 8
#8  0xc04d8d91 in devfs_read_f (fp=0x8050000, uio=0xdeadc0de, cred=0xc3540380, flags=0, td=0xc3c34170)
    at ../../../fs/devfs/devfs_vnops.c:931
931             error = dsw->d_read(dev, uio, ioflag);
(kgdb) print fp
$1 = (struct file *) 0x8050000
(kgdb) print *fp
---Can't read userspace from dump, or kernel process---

kgdb gave a different kind of weird trace, but at least I could access
something that claimed to be a struct file* (note that its f_offset below,
3735929054, is 0xdeadc0de — the same value as eva in frame #4, i.e. the
faulting address):

(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc0528567 in boot (howto=260) at ../../../kern/kern_shutdown.c:398
#2  0xc0528037 in panic (fmt=0xc071abe1 "../../../kern/kern_shutdown.c") at ../../../kern/kern_shutdown.c:554
#3  0xc068921a in vm_fault (map=0xc103b000, vaddr=3735928832, fault_type=1 '\001', fault_flags=0)
    at ../../../vm/vm_fault.c:875
#4  0xc06deef2 in trap_pfault (frame=0xe7275b8c, usermode=0, eva=3735929054) at ../../../i386/i386/trap.c:713
#5  0xc06df3e3 in trap (frame=
      {tf_fs = -1066205160, tf_es = 16, tf_ds = -1056767984, tf_edi = 134545408, tf_esi = -559038242, tf_ebp = -416850940, tf_isp = -416851016, tf_ebx = 2058814332, tf_edx = 1966776, tf_ecx = 514703583, tf_eax = -2101607556, tf_trapno = 12, tf_err = 0, tf_eip = -1066543558, tf_cs = 8, tf_eflags = 66050, tf_esp = 2058814332, tf_ss = -416850812}) at ../../../i386/i386/trap.c:414
#6  0xc06d0eaa in calltrap () at ../../../i386/i386/exception.s:139
#7  0xc0730018 in ?? ()
#8  0x00000010 in ?? ()
#9  0xc1030010 in ?? ()
#10 0x08050000 in ?? ()
#11 0xdeadc0de in ?? ()
#12 0xe7275c04 in ?? ()
#13 0xe7275bb8 in ?? ()
#14 0x7ab7037c in ?? ()
#15 0x001e02b8 in ?? ()
#16 0x1eadc0df in ?? ()
#17 0x82bc037c in ?? ()
#18 0x0000000c in ?? ()
#19 0x00000000 in ?? ()
#20 0xc06dd63a in generic_copyout () at ../../../i386/i386/support.s:760
#21 0x00000008 in ?? ()
#22 0x00010202 in ?? ()
#23 0x7ab7037c in ?? ()
#24 0xe7275c84 in ?? ()
#25 0xe7275c7c in ?? ()
#26 0xc052e709 in uiomove (cp=0xdeadc0de, n=2058814332, uio=0x8050000) at ../../../kern/kern_subr.c:171
#27 0xc06d8aba in memrw (dev=0xc22f8200, uio=0xe7275c84, flags=0) at ../../../i386/i386/mem.c:128
#28 0xc04d8d91 in devfs_read_f (fp=0xc25f5dd0, uio=0xe7275c84, cred=0xc3540380, flags=0, td=0xc3c34170)
    at ../../../fs/devfs/devfs_vnops.c:931
#29 0xc0552632 in dofileread (td=0xc3c34170, fp=0xc25f5dd0, fd=0, buf=0x0, nbyte=2058814332, offset=Unhandled dwarf expression opcode 0x93
)
    at file.h:234
#30 0xc05527f5 in read (td=0xc3c34170, uap=0xe7275d14) at ../../../kern/sys_generic.c:107
#31 0xc06df7d7 in syscall (frame=
---Type <return> to continue, or q <return> to quit---q
{tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 2058814332, tf_esi = 0, tf_ebp = -Quit
) at ../../../i386/i386/trap.c:951
#32 0xc06d0eff in Xint0x80_syscall () at ../../../i386/i386/exception.s:200
#33 0x0000002f in ?? ()
#34 0x0000002f in ?? ()
#35 0x0000002f in ?? ()
#36 0x7ab7037c in ?? ()
#37 0x00000000 in ?? ()
#38 0xbfbfe328 in ?? ()
#39 0xe7275d74 in ?? ()
#40 0x2807ee24 in ?? ()
#41 0x08051000 in ?? ()
#42 0x00000000 in ?? ()
#43 0x00000003 in ?? ()
#44 0x0000000c in ?? ()
#45 0x00000002 in ?? ()
#46 0x280c5edf in ?? ()
#47 0x0000001f in ?? ()
#48 0x00000202 in ?? ()
#49 0xbfbfe2fc in ?? ()
#50 0x0000002f in ?? ()
#51 0x0809e8c8 in ?? ()
#52 0x0000001f in ?? ()
#53 0x0809e8b2 in ?? ()
#54 0x0809e89f in ?? ()
#55 0x2b550000 in ?? ()
#56 0xc3c32bd0 in ?? ()
#57 0xc3c34170 in ?? ()
#58 0xe7275c84 in ?? ()
#59 0xe7275c60 in ?? ()
#60 0xc2264170 in ?? ()
#61 0xc053c495 in sched_switch (td=0x0, newtd=0x2807ee24, flags=Cannot access memory at address 0xbfbfe338
) at ../../../kern/sched_4bsd.c:963
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 28
#28 0xc04d8d91 in devfs_read_f (fp=0xc25f5dd0, uio=0xe7275c84, cred=0xc3540380, flags=0, td=0xc3c34170)
    at ../../../fs/devfs/devfs_vnops.c:931
931             error = dsw->d_read(dev, uio, ioflag);
(kgdb) print *fp
$1 = {f_list = {le_next = 0xc25f5bf4, le_prev = 0xc25f52a8}, f_type = 1, f_data = 0xc22f8200, f_flag = 1,
  f_mtxp = 0xc2251fd0, f_ops = 0xc074c140, f_cred = 0xc2b2a900, f_count = 2, f_vnode = 0xc3c6fbdc,
  f_offset = 3735929054, f_gcflag = 0, f_msgcount = 0, f_seqcount = 1, f_nextoff = 3263609792}

Kris

Received on Mon Jan 17 2005 - 00:47:48 UTC
