kern/41081: unp_setpeerlocks null dereference
>Number: 41081
>Category: kern
>Synopsis: unp_setpeerlocks null dereference
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Mar 27 06:25:00 +0000 2009
>Originator: YAMAMOTO Takashi <yamt%mwd.biglobe.ne.jp@localhost>
>Release: NetBSD 5.99.8
>Organization:
>Environment:
System: NetBSD kaeru 5.99.8
Architecture: i386
Machine: i386
>Description:
The following panic occurred on a system during boot (console output is interleaved from multiple CPUs, so the panic message itself is garbled; the ddb traces below are the readable part).
Checking for core dump...
savecore - - - no core dump (no dumpdev)
Starting rpcbind.
Mounting all filesystems...
Clearing temporary files.
Creating a.out runtime link editor directory cache.
Checking quotas: done.
Starting mountd.
Mar 27 01:35:38 nfskuro mountd[1panic: kernel diuagvnmo_fsatuilct
a(0ssxed7rt5i60ond d4"s, o0lo,c k1)ed -2>( s0ox,e
o2f)a"ta lf apilagede: ffauillte i"n/s siurop/enrvbsisdo/srr cm/osdyes
tkerarpn /tuyippce_ u6s crordeeq .0c "e,i pl icn0e 2555ef9 /
f cast a8l berfelaakgspo i1n0t28 6tr acpr 2 i4n siulepevrelv is0o
kmeordneel r
t rsuappe trvypies o1r ctrodaep p0a geie pf cau01l5t6, 89co4 dec=s 0
Stopped in pid 184.1 (nfsd) at netbsd:mutex_obj_hold+0xa: cmpl
$0x5aa3c
85d,0x4(%ebx)
db{0}> t
mutex_obj_hold(0,c054f5a8,f8,c054f3ef,c41558c4,c4155978,c4245100,c4268c88,c4268d
c8,c4245100) at netbsd:mutex_obj_hold+0xa
unp_setpeerlocks(c41558c4,c4268dc8,7,c0278e10,0,80,0,d741ce70,c4268dc8,c4245100)
at netbsd:unp_setpeerlocks+0x95
unp_connect2(c4268c88,c4268dc8,4,c4184740,3,bb90b000,d68f5ab0,c4184740,c4268dc8,
c41fe600) at netbsd:unp_connect2+0xf3
unp_connect(c4268c88,c415bc00,d744d560,c03c0cd3,504347e1,d741e3bc,d7553c4c,c4268
c88,c4268c88,c415bc00) at netbsd:unp_connect+0x2bc
uipc_usrreq(c4268c88,4,0,c415bc00,0,d744d560,0,25,c4268c88,25) at netbsd:uipc_us
rreq+0x1d7
soconnect(c4268c88,c415bc00,d744d560,c0404017,d7560dd4,bb90e000,c4268c88,d7553d0
0,0,c056b3f8) at netbsd:soconnect+0x6a
do_sys_connect(d744d560,4,c415bc00,3,0,6ec,0,d744d560,c415bc00,d744d560) at netb
sd:do_sys_connect+0xa3
sys_connect(d744d560,d7553d00,d7553d28,bb90e000,d7560dd4,d7560dd4,2,4,bfbfec7e,1
7) at netbsd:sys_connect+0x48
syscall(d7553d48,bfbf00b3,ab,bfbf001f,bbbc001f,6ec,bfa00000,bfbfeab8,bbbe7170,4)
at netbsd:syscall+0xc8
db{0}> x/i mutex_obj_hold,16
netbsd:mutex_obj_hold: pushl %ebp
netbsd:mutex_obj_hold+0x1: movl %esp,%ebp
netbsd:mutex_obj_hold+0x3: pushl %ebx
netbsd:mutex_obj_hold+0x4: subl $0x14,%esp
netbsd:mutex_obj_hold+0x7: movl 0x8(%ebp),%ebx
netbsd:mutex_obj_hold+0xa: cmpl $0x5aa3c85d,0x4(%ebx)
netbsd:mutex_obj_hold+0x11: jnz netbsd:mutex_obj_hold+0x2a
netbsd:mutex_obj_hold+0x13: movl 0x8(%ebx),%eax
netbsd:mutex_obj_hold+0x16: testl %eax,%eax
netbsd:mutex_obj_hold+0x18: jz netbsd:mutex_obj_hold+0x53
netbsd:mutex_obj_hold+0x1a: leal 0x8(%ebx),%eax
netbsd:mutex_obj_hold+0x1d: movl %eax,0x8(%ebp)
netbsd:mutex_obj_hold+0x20: addl $0x14,%esp
netbsd:mutex_obj_hold+0x23: popl %ebx
netbsd:mutex_obj_hold+0x24: popl %ebp
netbsd:mutex_obj_hold+0x25: jmp netbsd:_atomic_inc_32
netbsd:mutex_obj_hold+0x2a: movl $0xc0528ec4,%eax
netbsd:mutex_obj_hold+0x2f: movl %eax,0xc(%esp)
netbsd:mutex_obj_hold+0x33: movl $0x3e9,%eax
netbsd:mutex_obj_hold+0x38: movl %eax,0x8(%esp)
netbsd:mutex_obj_hold+0x3c: movl $0xc0528ee4,%eax
netbsd:mutex_obj_hold+0x41: movl %eax,0x4(%esp)
db{0}> mach cpu 1
using CPU 1
db{0}> t
x86_mwait(0,0,0,c0268a22,d4419cc0,d440dc00,d658fd20,c0256166,d4419cc0,0) at netb
sd:x86_mwait+0xc
x86_cpu_idle_mwait(d4419cc0,0,0,0,0,0,d654b088,0,d658fda0,0) at netbsd:x86_cpu_i
dle_mwait+0x4e
idle_loop(0,c0255ff0,d4419cc0,c01002d0,0,c01002cd,0,c01002cd,0,0) at netbsd:idle
_loop+0x176
Bad frame pointer: 0xd4419cc0
db{0}> mach cpu
addr dev id flags ipis curlwp fpcurlwp
0xc0568700 cpu0 0 3009 0 0xd744d560 0xd744d060
0xd654b040 cpu1 2 f002 0 0xd4419cc0 0x0
0xd65a00c0 cpu2 1 f002 0 0xd44117a0 0x0
0xd65d30c0 cpu3 3 f002 0 0xd744da60 0x0
db{0}> mach cpu 2
using CPU 2
db{0}> t
__qdivrem(9c3000,0,64,0,0,64,d6321d0c,c0467797,9c3000,0) at netbsd:__qdivrem+0xe
8
__udivdi3(9c3000,0,64,0,0,0,19800,0,0,c026e055) at netbsd:__udivdi3+0x2c
cache_reclaim(0,0,400,d440dc80,c0467f00,0,0,c01002e1,d44117a0,0) at netbsd:cache
_reclaim+0x77
cache_thread(d44117a0,0,c01002cd,0,c01002cd,0,0,0,0,0) at netbsd:cache_thread+0x
25
db{0}> mach cpu 3
using CPU 3
db{0}> t
bus_space_read_1(800,0,c0578120,65,18200,c05088e0,d7438940,c0153984,800,0) at ne
tbsd:bus_space_read_1+0x16
comcnputc(800,0,65,c03bf12c,c05de5fc,5,d7438970,c03c5192,65,d7438a6c) at netbsd:
comcnputc+0x28
cnputc(65,d7438a6c,c030e22a,c025f442,c05a3576,140af00,1,fffffffe,ffffffff,0) at
n
etbsd:cnputc+0x34
putchar(c0515c0b,c05a3576,96,10,30,0,c054cc33,78,d74389e4,0) at netbsd:putchar+0
xc2
kprintf(c054cc10,5,0,0,d7438a3c,c0578120,d,c05abc80,c458,d7438a2c) at netbsd:kpr
intf+0x1ef
printf(c054cc10,1,0,c0156894,8,246,bb94e000,8,0,1) at netbsd:printf+0x35
trap() at netbsd:trap+0x404
--- trap (number 1) ---
breakpoint(c051760f,d7438b68,d65d30c0,c0271b49,bb94b000,c4157438,50,c03c0cd3,504
354f9,ffffffff) at netbsd:breakpoint+0x4
panic(c05639d8,c050c366,c054efec,c054f5a8,22f,50,d7438bac,c04367a1,c050c366,c054
f5a8) at netbsd:panic+0x1c9
__kernassert(c050c366,c054f5a8,22f,c054efec,d68ea000,d741e774,c4157488,d440d340,
0,0) at netbsd:__kernassert+0x39
uipc_usrreq(c423c504,9,c4157400,0,0,d744da60,1,0,c423c55c,d715e004) at netbsd:ui
pc_usrreq+0x8b1
sosend(c423c504,0,d7438c7c,c4157400,0,0,d744da60,0,0,0) at netbsd:sosend+0x435
soo_write(d68fa580,d68fa580,d7438c7c,d440af00,1,0,0,c0425a10,d7438cc0,d7438d00)
a
t netbsd:soo_write+0x3e
dofilewrite(8,d68fa580,bb94b000,50,d68fa580,1,d7438d28,d744da60,d744da60,0) at n
etbsd:dofilewrite+0x75
sys_write(d744da60,d7438d00,d7438d28,bb948000,d68ea000,d68ea000,2,8,bb94b000,50)
at netbsd:sys_write+0x6f
syscall(d7438d48,bfbf00b3,ab,bfbf001f,bbbb001f,bb94b000,50,bfbfe748,bbbb61d8,bb9
4b050) at netbsd:syscall+0xc8
db{0}> mach cpu 0
using CPU 0
db{0}> t
mutex_obj_hold(0,c054f5a8,f8,c054f3ef,c41558c4,c4155978,c4245100,c4268c88,c4268d
c8,c4245100) at netbsd:mutex_obj_hold+0xa
unp_setpeerlocks(c41558c4,c4268dc8,7,c0278e10,0,80,0,d741ce70,c4268dc8,c4245100)
at netbsd:unp_setpeerlocks+0x95
unp_connect2(c4268c88,c4268dc8,4,c4184740,3,bb90b000,d68f5ab0,c4184740,c4268dc8,
c41fe600) at netbsd:unp_connect2+0xf3
unp_connect(c4268c88,c415bc00,d744d560,c03c0cd3,504347e1,d741e3bc,d7553c4c,c4268
c88,c4268c88,c415bc00) at netbsd:unp_connect+0x2bc
uipc_usrreq(c4268c88,4,0,c415bc00,0,d744d560,0,25,c4268c88,25) at netbsd:uipc_us
rreq+0x1d7
soconnect(c4268c88,c415bc00,d744d560,c0404017,d7560dd4,bb90e000,c4268c88,d7553d0
0,0,c056b3f8) at netbsd:soconnect+0x6a
do_sys_connect(d744d560,4,c415bc00,3,0,6ec,0,d744d560,c415bc00,d744d560) at netb
sd:do_sys_connect+0xa3
sys_connect(d744d560,d7553d00,d7553d28,bb90e000,d7560dd4,d7560dd4,2,4,bfbfec7e,1
7) at netbsd:sys_connect+0x48
syscall(d7553d48,bfbf00b3,ab,bfbf001f,bbbc001f,6ec,bfa00000,bfbfeab8,bbbe7170,4)
at netbsd:syscall+0xc8
db{0}> sh r
ds 0x10
es 0x10
fs 0x30
gs 0x10
edi 0xc4268dc8
esi 0xc4268c88
ebp 0xd7553b2c
ebx 0
edx 0xc054f3ef copyright+0x437ef
ecx 0
eax 0xc4245100
eip 0xc025efaa mutex_obj_hold+0xa
cs 0x8
eflags 0x10286
esp 0xd7553b14
ss 0x10
netbsd:mutex_obj_hold+0xa: cmpl $0x5aa3c85d,0x4(%ebx)
db{0}> x/i unp_setpeerlocks,16
netbsd:unp_setpeerlocks: pushl %ebp
netbsd:unp_setpeerlocks+0x1: movl %esp,%ebp
netbsd:unp_setpeerlocks+0x3: subl $0x28,%esp
netbsd:unp_setpeerlocks+0x6: movl %edx,0x4(%esp)
netbsd:unp_setpeerlocks+0xa: movl %esi,0xfffffff8(%ebp)
netbsd:unp_setpeerlocks+0xd: movl %eax,%esi
netbsd:unp_setpeerlocks+0xf: movl %edi,0xfffffffc(%ebp)
netbsd:unp_setpeerlocks+0x12: movl %edx,%edi
netbsd:unp_setpeerlocks+0x14: movl %ebx,0xfffffff4(%ebp)
netbsd:unp_setpeerlocks+0x17: movl %eax,0(%esp)
netbsd:unp_setpeerlocks+0x1a: call netbsd:solocked2
netbsd:unp_setpeerlocks+0x1f: testb %al,%al
netbsd:unp_setpeerlocks+0x21: jz netbsd:unp_setpeerlocks+0xb7
netbsd:unp_setpeerlocks+0x27: movl 0x24(%esi),%eax
netbsd:unp_setpeerlocks+0x2a: testl %eax,%eax
netbsd:unp_setpeerlocks+0x2c: jz netbsd:unp_setpeerlocks+0x40
netbsd:unp_setpeerlocks+0x2e: movl 0xfffffff4(%ebp),%ebx
netbsd:unp_setpeerlocks+0x31: movl 0xfffffff8(%ebp),%esi
netbsd:unp_setpeerlocks+0x34: movl 0xfffffffc(%ebp),%edi
netbsd:unp_setpeerlocks+0x37: movl %ebp,%esp
netbsd:unp_setpeerlocks+0x39: popl %ebp
netbsd:unp_setpeerlocks+0x3a: ret
db{0}>
netbsd:unp_setpeerlocks+0x3b: nop
netbsd:unp_setpeerlocks+0x3c: leal 0(%esi),%esi
netbsd:unp_setpeerlocks+0x40: movl 0x24(%edi),%eax
netbsd:unp_setpeerlocks+0x43: testl %eax,%eax
netbsd:unp_setpeerlocks+0x45: jnz netbsd:unp_setpeerlocks+0x2e
netbsd:unp_setpeerlocks+0x47: movl 0(%esi),%ebx
netbsd:unp_setpeerlocks+0x49: cmpl netbsd:uipc_lock,%ebx
netbsd:unp_setpeerlocks+0x4f: jnz netbsd:unp_setpeerlocks+0x13b
netbsd:unp_setpeerlocks+0x55: movl %ebx,0(%esp)
netbsd:unp_setpeerlocks+0x58: call netbsd:mutex_obj_free
netbsd:unp_setpeerlocks+0x5d: movl %ebx,0(%esp)
netbsd:unp_setpeerlocks+0x60: call netbsd:mutex_obj_free
netbsd:unp_setpeerlocks+0x65: movl 0x1c(%esi),%eax
netbsd:unp_setpeerlocks+0x68: movl %eax,0xfffffff0(%ebp)
netbsd:unp_setpeerlocks+0x6b: movl 0x20(%eax),%ecx
netbsd:unp_setpeerlocks+0x6e: testl %ecx,%ecx
netbsd:unp_setpeerlocks+0x70: jz netbsd:unp_setpeerlocks+0x10f
netbsd:unp_setpeerlocks+0x76: movl 0x1c(%edi),%eax
netbsd:unp_setpeerlocks+0x79: movl 0x20(%eax),%eax
netbsd:unp_setpeerlocks+0x7c: testl %eax,%eax
netbsd:unp_setpeerlocks+0x7e: jnz netbsd:unp_setpeerlocks+0xe3
netbsd:unp_setpeerlocks+0x80: movl 0xfffffff0(%ebp),%eax
db{0}>
netbsd:unp_setpeerlocks+0x83: movl 0x20(%eax),%ebx
netbsd:unp_setpeerlocks+0x86: movl $0,0x20(%eax)
netbsd:unp_setpeerlocks+0x8d: movl %ebx,0(%esp)
netbsd:unp_setpeerlocks+0x90: call netbsd:mutex_obj_hold
netbsd:unp_setpeerlocks+0x95: call netbsd:_membar_exit
netbsd:unp_setpeerlocks+0x9a: movl %ebx,0x4(%esp)
netbsd:unp_setpeerlocks+0x9e: movl %esi,0(%esp)
netbsd:unp_setpeerlocks+0xa1: call netbsd:solockreset
netbsd:unp_setpeerlocks+0xa6: movl %ebx,0x4(%esp)
netbsd:unp_setpeerlocks+0xaa: movl %edi,0(%esp)
netbsd:unp_setpeerlocks+0xad: call netbsd:solockreset
netbsd:unp_setpeerlocks+0xb2: jmp netbsd:unp_setpeerlocks+0x2e
netbsd:unp_setpeerlocks+0xb7: movl $0xc054efec,%ecx
netbsd:unp_setpeerlocks+0xbc: movl $0xda,%edx
netbsd:unp_setpeerlocks+0xc1: movl $0xc054f5a8,%eax
netbsd:unp_setpeerlocks+0xc6: movl %ecx,0xc(%esp)
netbsd:unp_setpeerlocks+0xca: movl %edx,0x8(%esp)
netbsd:unp_setpeerlocks+0xce: movl %eax,0x4(%esp)
netbsd:unp_setpeerlocks+0xd2: movl $0xc050c366,0(%esp)
netbsd:unp_setpeerlocks+0xd9: call netbsd:__kernassert
netbsd:unp_setpeerlocks+0xde: jmp netbsd:unp_setpeerlocks+0x27
netbsd:unp_setpeerlocks+0xe3: movl $0xc054f614,%eax
>How-To-Repeat:
>Fix:
>Unformatted: