Re: null pointer deref from mount/umount + rm -rf loop

From: Kris Kennaway <kris_at_obsecurity.org>
Date: Sun, 20 Aug 2006 19:22:08 -0400
On Fri, Aug 18, 2006 at 10:00:47AM -0400, Kris Kennaway wrote:
> I ran mount -o ro -t nfs ...; sleep 2; umount -f nfs together with rm
> -rf in a loop, and after some time the machine panicked with:

I got another two instances of the panic (mohan: your patch did not
help, so it is probably a different issue from the other umount bug you
looked at).

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x80
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc053a461
stack pointer           = 0x28:0xec89ea64
frame pointer           = 0x28:0xec89ea80
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 9060 (rm)
[thread pid 9060 tid 100182 ]
Stopped at      _mtx_lock_flags+0x1b:   movl    0x10(%ecx),%eax
db> wh
Tracing pid 9060 tid 100182 td 0xc594a360
_mtx_lock_flags(70,0,c075f612,1a3,0,...) at _mtx_lock_flags+0x1b
vfs_ref(0,c07a2f80,ec89eaf4,ec89ead0,c0728940,...) at vfs_ref+0x32
vop_stdgetwritemount(ec89eaf4,c077d0ce,c4912300,ec89eb28,cd6e4690,...) at vop_stdgetwritemount+0x1d
VOP_GETWRITEMOUNT_APV(c07ab460,ec89eaf4,c07c5d10,2,c07578f7,...) at VOP_GETWRITEMOUNT_APV+0x8a
vn_start_write(cd6e4690,ec89eb28,1,6,cd6e46e8,...) at vn_start_write+0x34
vn_close(cd6e4690,5,c5188280,c594a360,0,...) at vn_close+0x3d
vn_closefile(c4ca6510,c594a360,c0752864,871,cd6e4690,...) at vn_closefile+0x8b
fdrop_locked(c4ca6510,c594a360,ec89ec18,c053a5f1,ce3b3540,0,0,c594a360,c594a4f0,c594d69c,ec89ec2c,c0559e05,c07c5d10,c585262c,3e9,c0752864,ec89ec50,c053a81f,c585262c,1,c07551ce,16a,0) at fdrop_locked+0xb9
closef(c4ca6510,c594a360,c0752864,3e9,c594a360,...) at closef+0x1f7
kern_close(c594a360,4,4,158,1,...) at kern_close+0x188
syscall(3b,821003b,bfbf003b,8250130,804b4d8,...) at syscall+0x152
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (6, FreeBSD ELF32, close), eip = 0x2815ba4f, esp = 0xbfbfe69c, ebp = 0xbfbfe6b8 ---
db> show allpcpu
Current CPU: 0

cpuid        = 0
curthread    = 0xc594a360: pid 9060 "rm"
curpcb       = 0xec89ed90
fpcurthread  = none
idlethread   = 0xc490fa20: pid 13 "idle: cpu0"
APIC ID      = 0
currentldt   = 0x50

cpuid        = 1
curthread    = 0xc4dedd80: pid 9062 "umount"
curpcb       = 0xec730d90
fpcurthread  = none
idlethread   = 0xc490f870: pid 12 "idle: cpu1"
APIC ID      = 1
currentldt   = 0x50

cpuid        = 2
curthread    = 0xc4ff8a20: pid 9056 "find"
curpcb       = 0xec77ed90
fpcurthread  = none
idlethread   = 0xc490f6c0: pid 11 "idle: cpu2"
APIC ID      = 2
currentldt   = 0x50

cpuid        = 3
curthread    = 0xc490fbd0: pid 14 "swi4: clock sio"
curpcb       = 0xe8950d90
fpcurthread  = none
idlethread   = 0xc490f510: pid 10 "idle: cpu3"
APIC ID      = 3
currentldt   = 0x50

db> wh 9062
Tracing pid 9062 tid 100120 td 0xc4dedd80
cpustop_handler(ec730960,c0710fe2,3,1,c07c8158,...) at cpustop_handler+0x2c
ipi_nmi_handler(3,1,c07c8158,c07c7920,c508c8d0,...) at ipi_nmi_handler+0x2a
trap(8,28,28,f5,df30a000,...) at trap+0x38a
calltrap() at calltrap+0x5
--- trap 0x13, eip = 0xc0707834, esp = 0xec7309a8, ebp = 0xec7309c4 ---
smp_tlb_shootdown(df30b000,df30b000,c0778ebb,2f8,df30a000,...) at smp_tlb_shootdown+0x71
pmap_invalidate_range(c07ff340,df30a000,df30b000) at pmap_invalidate_range+0x114
pmap_qremove(df30a000,1,c075e1ed,606,dda37874,...) at pmap_qremove+0x44
vfs_vmio_release(cc18d3c0,0,c075e1ed,51a,c05366c1,...) at vfs_vmio_release+0x13f
brelse(dda37874,202122,cf0609f8,c4dedd80,20609f8,...) at brelse+0x942
flushbuflist(cf060a30,0,0,3e7,c4dedd80,...) at flushbuflist+0x14a
bufobj_invalbuf(cf060a30,1,c4dedd80,0,0,...) at bufobj_invalbuf+0x79
vgonel(cf0609f8,0,c075fe76,909,d084d8ec,...) at vgonel+0xca
vflush(d084d87c,1,2,c4dedd80,0,...) at vflush+0x2a6
nfs_unmount(d084d87c,8080000,c4dedd80,c4dedd80,0,...) at nfs_unmount+0x56
dounmount(d084d87c,8080000,c4dedd80,43e,539ff4c,...) at dounmount+0x250
unmount(c4dedd80,ec730d04,8,ec730d38,2,...) at unmount+0x217
syscall(3b,3b,3b,804a610,8201c38,...) at syscall+0x152
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (22, FreeBSD ELF32, unmount), eip = 0x280c369b, esp = 0xbfbfe08c, ebp = 0xbfbfe148 ---
db> wh 9056
Tracing pid 9056 tid 100137 td 0xc4ff8a20
cpustop_handler(ec77ea34,c0710fe2,3041,c4c3bad8,40,...) at cpustop_handler+0x2c
ipi_nmi_handler(3041,c4c3bad8,40,c07c5740,225,...) at ipi_nmi_handler+0x2a
trap(c0720008,c05b0028,c06a0028,c4ff8a20,15a4c8,...) at trap+0x38a
calltrap() at calltrap+0x5
--- trap 0x13, eip = 0xc053a572, esp = 0xec77ea7c, ebp = 0xec77ea9c ---
_mtx_lock_spin(c07e6cc8,c4ff8a20,0,c0773c9b,56e,...) at _mtx_lock_spin+0x4a
_mtx_lock_spin_flags(c07e6cc8,0,c0773c9b,56e,ec77eb04,...) at _mtx_lock_spin_flags+0x90
siointr(c4a24800,c07c5d10,2,c4ff8a20,0,...) at siointr+0x2a
intr_execute_handlers(c4907cc4,ec77eb20,ec77eb80,c06fa6a3,38,...) at intr_execute_handlers+0xcc
lapic_handle_intr(38) at lapic_handle_intr+0x2d
Xapic_isr1() at Xapic_isr1+0x33
--- interrupt, eip = 0xc053a3d9, esp = 0xec77eb60, ebp = 0xec77eb80 ---
_mtx_lock_sleep(c07c5d28,c4ff8a20,0,c0751dac,137,...) at _mtx_lock_sleep+0x12e
_mtx_lock_flags(c07c5d28,0,c0751dac,137,6,...) at _mtx_lock_flags+0x8e
giant_write(c508d300,ec77ec64,0,c508d300,c07a08a0,...) at giant_write+0x2e
devfs_write_f(c4f8a3f0,ec77ec64,c5186b80,0,c4ff8a20,...) at devfs_write_f+0x82
dofilewrite(c4f8a3f0,ec77ec64,ffffffff,ffffffff,0,...) at dofilewrite+0x7c
kern_writev(c4ff8a20,2,ec77ec64,bfbfe1c0,6,...) at kern_writev+0x6b
write(c4ff8a20,ec77ed04,c,ec77ed38,3,...) at write+0x4d
syscall(825003b,bfbf003b,bfbf003b,bfbfe1c0,6,...) at syscall+0x152
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (4, FreeBSD ELF32, write), eip = 0x28157a6f, esp = 0xbfbfe03c, ebp = 0xbfbfe058 ---
db>
db> show lockedvnods
Locked vnodes

0xcb8c1690: tag ufs, type VDIR
    usecount 1, writecount 0, refcount 3 mountedhere 0xd084d87c
    flags ()
    v_object 0xce353870 ref 0 pages 1
     lock type ufs: EXCL (count 1) by thread 0xc4dedd80 (pid 9062)#0 0xc0536188 at lockmgr+0x541
#1 0xc069059e at ffs_lock+0x59
#2 0xc072bba4 at VOP_LOCK_APV+0x76
#3 0xc05c305a at vn_lock+0x67
#4 0xc05ae4fb at dounmount+0x51
#5 0xc05aecac at unmount+0x217
#6 0xc0711507 at syscall+0x152
#7 0xc06fa33f at Xint0x80_syscall+0x1f

        ino 353827, on dev da0s1e

0xcf060930: tag nfs, type VDIR
    usecount 0, writecount 0, refcount 47 mountedhere 0
    flags (VI_DOOMED)
    v_object 0xcc18d3c0 ref 0 pages 87
     lock type nfs: EXCL (count 1) by thread 0xc4dedd80 (pid 9062)#0 0xc0536188 at lockmgr+0x541
#1 0xc05aa8e4 at vop_stdlock+0x32
#2 0xc072bba4 at VOP_LOCK_APV+0x76
#3 0xc05c305a at vn_lock+0x67
#4 0xc05b7b64 at vflush+0x23c
#5 0xc064b3c6 at nfs_unmount+0x56
#6 0xc05ae6fa at dounmount+0x250
#7 0xc05aecac at unmount+0x217
#8 0xc0711507 at syscall+0x152
#9 0xc06fa33f at Xint0x80_syscall+0x1f

[hung again here]

This time I was able to save a core though.

Kris

Received on Sun Aug 20 2006 - 21:22:12 UTC
