From nobody@FreeBSD.org  Sun May 10 07:48:11 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E3CD51065670
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 10 May 2009 07:48:11 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id D21958FC0C
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 10 May 2009 07:48:11 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n4A7mBBi031018
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 10 May 2009 07:48:11 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n4A7mB4g031017;
	Sun, 10 May 2009 07:48:11 GMT
	(envelope-from nobody)
Message-Id: <200905100748.n4A7mB4g031017@www.freebsd.org>
Date: Sun, 10 May 2009 07:48:11 GMT
From: Thomas Backman <serenity@exscape.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: "opensnoop" DTrace script panics every time (trace trap 10)
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         134408
>Category:       kern
>Synopsis:       [dtrace] [panic] "opensnoop" DTrace script panics every time (trace trap 10)
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    avg
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 10 07:50:01 UTC 2009
>Closed-Date:    Sat Apr 02 08:22:19 UTC 2011
>Last-Modified:  Sat Apr 02 08:22:19 UTC 2011
>Originator:     Thomas Backman
>Release:        7.2-RELEASE
>Organization:
exscape
>Environment:
FreeBSD chaos.exscape.org 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Sat May  9 13:10:23 CEST 2009     root@chaos.exscape.org:/usr/obj/usr/src/sys/DTRACE  amd64
>Description:
When running a simple DTrace script to keep track of file opens, the kernel panics, apparently while trying to copy in the file/directory path into kernel memory (copyinstr()). Switching out copyinstr() with a simple "file opened" printf causes no panic.
>How-To-Repeat:
1) Compile a DTrace capable kernel (I followed the DTrace wiki article)
2) Run: dtrace -n 'syscall::open:entry { self->path = arg0; } syscall::open:return /self->path/ { printf("%s\n", copyinstr(self->path)); }'
3) The system crashes after a few seconds (in my case).

(Broken) backtrace:
Unread portion of the kernel message buffer:

Fatal trap 10: trace trap while in kernel mode
cpuid = 0; apic id = 00
instruction pointer	= 0x8:0xffffffff812c7e40
stack pointer	        = 0x10:0xfffffffebe806420
frame pointer	        = 0x10:0xfffffffebe806510
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= trace trap, interrupt enabled, nested task, IOPL = 2
current process		= 1306 (find)
trap number		= 10
panic: trace trap
cpuid = 0
Uptime: 56m18s
Physical memory: 2031 MB
Dumping 655 MB: 640 624 608 592 576 560 544 528 512 496 480 464 448 432 416 400 384 368 352 336 320 304 288 272 256 240 224 208 192 176 160 144 128 112 96 80 64 48 32 16

Reading symbols from /boot/kernel/zfs.ko...Reading symbols from /bootdir/boot/kernel/zfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/zfs.ko
Reading symbols from /boot/kernel/opensolaris.ko...Reading symbols from /bootdir/boot/kernel/opensolaris.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/opensolaris.ko
Reading symbols from /boot/kernel/smbfs.ko...Reading symbols from /bootdir/boot/kernel/smbfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/smbfs.ko
Reading symbols from /boot/kernel/libiconv.ko...Reading symbols from /bootdir/boot/kernel/libiconv.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/libiconv.ko
Reading symbols from /boot/kernel/libmchain.ko...Reading symbols from /bootdir/boot/kernel/libmchain.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/libmchain.ko
Reading symbols from /boot/kernel/dtraceall.ko...Reading symbols from /bootdir/boot/kernel/dtraceall.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/dtraceall.ko
Reading symbols from /boot/kernel/profile.ko...Reading symbols from /bootdir/boot/kernel/profile.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/profile.ko
Reading symbols from /boot/kernel/cyclic.ko...Reading symbols from /bootdir/boot/kernel/cyclic.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/cyclic.ko
Reading symbols from /boot/kernel/dtrace.ko...Reading symbols from /bootdir/boot/kernel/dtrace.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/dtrace.ko
Reading symbols from /boot/kernel/systrace.ko...Reading symbols from /bootdir/boot/kernel/systrace.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/systrace.ko
Reading symbols from /boot/kernel/sdt.ko...Reading symbols from /bootdir/boot/kernel/sdt.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/sdt.ko
Reading symbols from /boot/kernel/fbt.ko...Reading symbols from /bootdir/boot/kernel/fbt.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/fbt.ko
Reading symbols from /boot/kernel/dtmalloc.ko...Reading symbols from /bootdir/boot/kernel/dtmalloc.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/dtmalloc.ko
#0  doadump () at pcpu.h:195
195		__asm __volatile("movq %%gs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:195
#1  0xffffffff80517f28 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2  0xffffffff8051836c in panic (fmt=0xffffffff808ad39c "%s") at /usr/src/sys/kern/kern_shutdown.c:574
#3  0xffffffff807e3e1c in trap_fatal (frame=0xffffff000ff6f000, eva=Variable "eva" is not available.
) at /usr/src/sys/amd64/amd64/trap.c:757
#4  0xffffffff807e4b0a in trap (frame=0xfffffffebe806370) at /usr/src/sys/amd64/amd64/trap.c:558
#5  0xffffffff807c8a93 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:209
#6  0xffffffff812c7e40 in vpanic_common () from /boot/kernel/dtrace.ko
#7  0xffffffff812b2127 in dtrace_panic () from /boot/kernel/dtrace.ko
#8  0xffffffff812b215d in dtrace_assfail () from /boot/kernel/dtrace.ko
#9  0x00000008007272f3 in ?? ()
#10 0xfffffffebe806560 in ?? ()
#11 0xffffffff812b2200 in dtrace_copycheck () from /boot/kernel/dtrace.ko
Previous frame inner to this frame (corrupt stack?)

>Fix:


>Release-Note:
>Audit-Trail:

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/134408: commit references a PR
Date: Wed, 24 Jun 2009 16:04:08 +0000 (UTC)

 Author: avg
 Date: Wed Jun 24 16:03:57 2009
 New Revision: 194850
 URL: http://svn.freebsd.org/changeset/base/194850
 
 Log:
   dtrace/amd64: fix virtual address checks
   
   On amd64 KERNBASE/kernbase does not mean start of kernel memory.
   This should fix a KASSERT panic in dtrace_copycheck when copyin*()
   is used in D program.
   Also make checks for user memory a bit stricter.
   
   Reported by:	Thomas Backman <serenity@exscape.org>
   Submitted by:	wxs (kaddr part)
   Tested by:	Thomas Backman (prototype), wxs
   Reviewed by:	alc (concept), jhb, current@
   Approved by:	jb (concept)
   MFC after:	2 weeks
   PR:		kern/134408
 
 Modified:
   head/sys/cddl/dev/dtrace/amd64/dtrace_isa.c
   head/sys/cddl/dev/dtrace/amd64/dtrace_subr.c
 
 Modified: head/sys/cddl/dev/dtrace/amd64/dtrace_isa.c
 ==============================================================================
 --- head/sys/cddl/dev/dtrace/amd64/dtrace_isa.c	Wed Jun 24 15:48:20 2009	(r194849)
 +++ head/sys/cddl/dev/dtrace/amd64/dtrace_isa.c	Wed Jun 24 16:03:57 2009	(r194850)
 @@ -42,8 +42,6 @@
  #include <vm/vm_param.h>
  #include <vm/pmap.h>
  
 -extern uintptr_t kernbase;
 -uintptr_t kernelbase = (uintptr_t) &kernbase;
  
  uint8_t dtrace_fuword8_nocheck(void *);
  uint16_t dtrace_fuword16_nocheck(void *);
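Review bot: deleting both `kernbase` lines leaves two consecutive blank context lines between `#include <vm/pmap.h>` and the `dtrace_fuword8_nocheck` prototype; drop one of them. This hunk also only builds together with the dtrace_subr.c hunk below, which removes the matching `extern uintptr_t kernelbase;`, so the two files must land in the same revision, as they do here.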
 @@ -524,9 +522,9 @@ dtrace_getreg(struct regs *rp, uint_t re
  static int
  dtrace_copycheck(uintptr_t uaddr, uintptr_t kaddr, size_t size)
  {
 -	ASSERT(kaddr >= kernelbase && kaddr + size >= kaddr);
 +	ASSERT(INKERNEL(kaddr) && kaddr + size >= kaddr);
  
 -	if (uaddr + size >= kernelbase || uaddr + size < uaddr) {
 +	if (uaddr + size > VM_MAXUSER_ADDRESS || uaddr + size < uaddr) {
  		DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
  		cpu_core[curcpu].cpuc_dtrace_illval = uaddr;
  		return (0);
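Review bot: `ASSERT(INKERNEL(kaddr) && kaddr + size >= kaddr)` is compiled out on kernels without assertion support, and the log message says the reported panic came from exactly this assertion (the backtrace shows dtrace_assfail called from dtrace_copycheck), so the fix should be verified on a kernel that keeps assertions enabled, and the "Tested by" line would be clearer if it said so. The new `uaddr + size > VM_MAXUSER_ADDRESS` test treats VM_MAXUSER_ADDRESS as an exclusive end, so a range finishing exactly on it is accepted; a one-line comment above the `if` stating that convention would stop a later reader from "fixing" it to `>=`.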
 @@ -570,7 +568,7 @@ dtrace_copyoutstr(uintptr_t kaddr, uintp
  uint8_t
  dtrace_fuword8(void *uaddr)
  {
 -	if ((uintptr_t)uaddr >= kernelbase) {
 +	if ((uintptr_t)uaddr > VM_MAXUSER_ADDRESS) {
  		DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
  		cpu_core[curcpu].cpuc_dtrace_illval = (uintptr_t)uaddr;
  		return (0);
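Review bot: `(uintptr_t)uaddr > VM_MAXUSER_ADDRESS` accepts `uaddr == VM_MAXUSER_ADDRESS` and ignores the width of the access, which is inconsistent with the `uaddr + size > VM_MAXUSER_ADDRESS` form used in the dtrace_copycheck hunk above; `(uintptr_t)uaddr + sizeof(uint8_t) > VM_MAXUSER_ADDRESS` would apply the same exclusive-bound convention here, and the fuword16/32/64 hunks below want the same change with their respective widths.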
 @@ -581,7 +579,7 @@ dtrace_fuword8(void *uaddr)
  uint16_t
  dtrace_fuword16(void *uaddr)
  {
 -	if ((uintptr_t)uaddr >= kernelbase) {
 +	if ((uintptr_t)uaddr > VM_MAXUSER_ADDRESS) {
  		DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
  		cpu_core[curcpu].cpuc_dtrace_illval = (uintptr_t)uaddr;
  		return (0);
 @@ -592,7 +590,7 @@ dtrace_fuword16(void *uaddr)
  uint32_t
  dtrace_fuword32(void *uaddr)
  {
 -	if ((uintptr_t)uaddr >= kernelbase) {
 +	if ((uintptr_t)uaddr > VM_MAXUSER_ADDRESS) {
  		DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
  		cpu_core[curcpu].cpuc_dtrace_illval = (uintptr_t)uaddr;
  		return (0);
 @@ -603,7 +601,7 @@ dtrace_fuword32(void *uaddr)
  uint64_t
  dtrace_fuword64(void *uaddr)
  {
 -	if ((uintptr_t)uaddr >= kernelbase) {
 +	if ((uintptr_t)uaddr > VM_MAXUSER_ADDRESS) {
  		DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
  		cpu_core[curcpu].cpuc_dtrace_illval = (uintptr_t)uaddr;
  		return (0);
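Review bot: the four fuword variants now carry an identical user-address test that differs only in the width of the access; a small static inline helper taking the address and the access width, called from each variant, would keep them from drifting apart the way the copycheck and fuword conditions in this patch already have.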
 
 Modified: head/sys/cddl/dev/dtrace/amd64/dtrace_subr.c
 ==============================================================================
 --- head/sys/cddl/dev/dtrace/amd64/dtrace_subr.c	Wed Jun 24 15:48:20 2009	(r194849)
 +++ head/sys/cddl/dev/dtrace/amd64/dtrace_subr.c	Wed Jun 24 16:03:57 2009	(r194850)
 @@ -40,7 +40,6 @@
  #include <machine/frame.h>
  #include <vm/pmap.h>
  
 -extern uintptr_t 	kernelbase;
  extern uintptr_t 	dtrace_in_probe_addr;
  extern int		dtrace_in_probe;
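Review bot: only the `extern uintptr_t kernelbase;` declaration is removed here and no hunk touches a use of it; confirm that dtrace_subr.c has no remaining references to `kernelbase`, otherwise the build breaks as soon as dtrace_isa.c stops defining the symbol.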
  
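Added example, not code from the PR or from the FreeBSD tree: a C model of the kernel-address and user-address checks before and after r194850, evaluated against the stack pointer, instruction pointer and frame #9 value from the trap output above. The *_ASSUMED address-space constants are assumed FreeBSD 7.x amd64 values and INKERNEL() is simplified to the KVA range; it shows why the old `kaddr >= kernelbase` assertion rejects a legitimate kernel stack address and why the old user check was too lenient.

```c
/* Model of the amd64 DTrace address checks before and after r194850.
 * All *_ASSUMED constants are assumed FreeBSD 7.x amd64 values, not
 * taken from the PR; INKERNEL() is simplified to the KVA range. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define KERNBASE_ASSUMED       0xffffffff80000000ULL /* kernel text base */
#define VM_MIN_KERNEL_ASSUMED  0xffffff8000000000ULL /* first KVA address */
#define VM_MAX_KERNEL_ASSUMED  0xfffffffffffff000ULL /* end of KVA */
#define VM_MAXUSER_ASSUMED     0x0000800000000000ULL /* first non-user VA */

/* Illustrative addresses from the trap frame and backtrace in the PR. */
#define PR_STACK_KADDR  0xfffffffebe806420ULL /* kernel stack pointer */
#define PR_TEXT_KADDR   0xffffffff812c7e40ULL /* dtrace.ko instruction ptr */
#define PR_USER_LIKE    0x00000008007272f3ULL /* frame #9, looks like a user VA */

static bool inkernel(uint64_t va)
{
    return va >= VM_MIN_KERNEL_ASSUMED && va < VM_MAX_KERNEL_ASSUMED;
}

/* Pre-fix: kernelbase == &kernbase, the kernel text load address, so any
 * kernel buffer below it (e.g. the stack) fails and the ASSERT panics. */
bool old_kaddr_ok(uint64_t kaddr, size_t size)
{
    return kaddr >= KERNBASE_ASSUMED && kaddr + size >= kaddr;
}

/* Pre-fix: a user range was only rejected once it reached kernelbase,
 * so non-canonical addresses above user space slipped through. */
bool old_uaddr_ok(uint64_t uaddr, size_t size)
{
    return !(uaddr + size >= KERNBASE_ASSUMED || uaddr + size < uaddr);
}

/* Post-fix: any KVA address is acceptable, not only text above KERNBASE. */
bool new_kaddr_ok(uint64_t kaddr, size_t size)
{
    return inkernel(kaddr) && kaddr + size >= kaddr;
}

/* Post-fix: the range must end inside user space (exclusive bound) and
 * must not wrap around; either failure sets CPU_DTRACE_BADADDR in DTrace. */
bool new_uaddr_ok(uint64_t uaddr, size_t size)
{
    return !(uaddr + size > VM_MAXUSER_ASSUMED || uaddr + size < uaddr);
}
```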
 
State-Changed-From-To: open->patched 
State-Changed-By: eadler 
State-Changed-When: Tue Mar 1 10:15:53 EST 2011 
State-Changed-Why:  
committed in head (r194850) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=134408 
Responsible-Changed-From-To: freebsd-bugs->avg 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Tue Mar 1 10:23:12 EST 2011 
Responsible-Changed-Why:  
same as above 

http://www.freebsd.org/cgi/query-pr.cgi?pr=134408 
State-Changed-From-To: patched->closed 
State-Changed-By: avg 
State-Changed-When: Sat Apr 2 08:21:56 UTC 2011 
State-Changed-Why:  
I think that this has been resolved actually. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=134408 
>Unformatted:
