Re: malloc fallout and linprocfs

From: Dag-Erling Smørgrav <des_at_des.no>
Date: Thu, 19 Jan 2006 18:05:48 +0100
Kris Kennaway <kris_at_obsecurity.org> writes:
> On Tue, Jan 17, 2006 at 12:50:06PM -0800, Jason Evans wrote:
> > On Jan 17, 2006, at 12:41 PM, Steve Kargl wrote:
> > > KDB: stack backtrace:
> > > witness_warn() at witness_warn+0x262
> > > uma_zalloc_arg() at uma_zalloc_arg+0x217
> > > malloc() at malloc+0xa3
> > > vn_fullpath() at vn_fullpath+0x56
> > > linprocfs_doprocmaps() at linprocfs_doprocmaps+0x31e
> > > pfs_read() at pfs_read+0x260
> > > VOP_READ_APV() at VOP_READ_APV+0x74
> > > vn_read() at vn_read+0x14f
> > > dofileread() at dofileread+0x94
> > > kern_readv() at kern_readv+0x60
> > > read() at read+0x4a
> > > ia32_syscall() at ia32_syscall+0x178
> > > Xint0x80_syscall() at Xint0x80_syscall+0x5d
> > > malloc(M_WAITOK) of "1024", forcing M_NOWAIT with the following non-sleepable locks held:
> > > exclusive sleep mutex vm object (standard object) r = 0 (0xffffff02b7846640) locked _at_ /usr/src/sys/compat/linprocfs/linprocfs.c:874
> > I don't think that libc's malloc is a factor here; the stacktrace
> > above is all in the kernel, isn't it?
> Yeah, must be some other bug.

linprocfs_doprocmaps() calls vn_fullpath() while holding a mutex, but
vn_fullpath() calls malloc(M_WAITOK); bad idea.  Luckily for Steve,
WITNESS spotted it and turned it into a less severe error (not
checking the return value of malloc(M_NOWAIT)).  Without WITNESS, the
following is a good panic(9) implementation:

$ cat /compat/linux/proc/self/maps

I'm not entirely sure how to fix it, though.  It might be OK to just
remove the VM_OBJECT_LOCK() / VM_OBJECT_UNLOCK() calls.

DES
-- 
Dag-Erling Smørgrav - des_at_des.no
Received on Thu Jan 19 2006 - 16:05:54 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:51 UTC