From nobody@FreeBSD.org  Tue Sep  6 23:38:27 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5524F16A41F
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  6 Sep 2005 23:38:27 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0939643D46
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  6 Sep 2005 23:38:27 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j86NcQiK021437
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 6 Sep 2005 23:38:26 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id j86NcQKs021436;
	Tue, 6 Sep 2005 23:38:26 GMT
	(envelope-from nobody)
Message-Id: <200509062338.j86NcQKs021436@www.freebsd.org>
Date: Tue, 6 Sep 2005 23:38:26 GMT
From: Jack Low <xxjack12xx@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: maxproc=1 in login.conf causes kernel panic when logging into account via ssh
X-Send-Pr-Version: www-2.3

>Number:         85816
>Category:       kern
>Synopsis:       maxproc=1 in login.conf causes kernel panic when logging into account via ssh
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 06 23:40:07 GMT 2005
>Closed-Date:    Sat Aug 28 08:50:35 UTC 2010
>Last-Modified:  Sat Aug 28 08:50:35 UTC 2010
>Originator:     Jack Low
>Release:        6.0-BETA4
>Organization:
>Environment:
musirc# uname -a
FreeBSD musirc.com 6.0-BETA4 FreeBSD 6.0-BETA4 #0: Mon Sep  5 22:34:13 PDT 2005     jack@musirc.com:/usr/obj/usr/src/sys/MUSIRC  i386

>Description:
maxproc=1 in login.conf causes kernel panic when logging into account via ssh
>How-To-Repeat:
Create a username, put them in a class with maxproc=1 in login.conf. Login to the account via ssh, kernel will panic.
>Fix:

>Release-Note:
>Audit-Trail:

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: Jack Low <xxjack12xx@gmail.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/85816: maxproc=1 in login.conf causes kernel panic when logging into account via ssh
Date: Wed, 7 Sep 2005 13:05:46 +0400

 On Tue, Sep 06, 2005 at 11:38:26PM +0000, Jack Low wrote:
 J> >How-To-Repeat:
 J> Create a username, put them in a class with maxproc=1 in login.conf. Login to the account via ssh, kernel will panic.
 
 Can you provide a backtrace?
 
 -- 
 Totus tuus, Glebius.
 GLEBIUS-RIPN GLEB-RIPE

From: "Jack L." <xxjack12xx@gmail.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re:kern/85816:maxproc=1 in login.conf causes kernel panic when logging into account via ssh
Date: Wed, 7 Sep 2005 17:47:30 -0700

 
 Also need to add openfiles=5 or some really low number along with maxproc=1
 to /etc/login.conf. I think openfiles is the issue, not maxproc.
 

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/85816: maxproc=1 in login.conf causes kernel panic when logging into account via ssh
Date: Thu, 8 Sep 2005 11:09:40 +0400

 ----- Forwarded message from "Jack L." <xxjack12xx@gmail.com> -----
 
 I couldn't get a backtrace, my 500MB swap wasn't enough, but I did find that 
 openfiles=5 or some very low number is needed with the maxproc to make the 
 kernel panic.
 
 ----- End forwarded message -----
 
 -- 
 Totus tuus, Glebius.
 GLEBIUS-RIPN GLEB-RIPE

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: "Jack L." <xxjack12xx@gmail.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/85816:maxproc=1 in login.conf causes kernel panic when logging into account via ssh
Date: Fri, 9 Sep 2005 11:02:37 +0400

   Jack,
 
   I can't reproduce your problem. I just fail to login via ssh,
 which is expected.
 
 You can limit the amount of physical memory with hw.physmem in /boot/loader.conf.
 This will allow you to take a crashdump to a partition smaller than the real amount
 of physical memory.
 
 -- 
 Totus tuus, Glebius.
 GLEBIUS-RIPN GLEB-RIPE

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: kern/85816: maxproc=1 in login.conf causes kernel panic when logging into account via ssh
Date: Wed, 14 Sep 2005 10:09:54 +0400

   Attach backtrace to PR's Audit-Trail.
 
 ----- Forwarded message from "Jack L." <xxjack12xx@gmail.com> -----
 
 Fatal trap 12: page fault while in kernel mode
 cpuid = 0; apic id = 00
 fault virtual address = 0x0
 fault code = supervisor read, page not present
 instruction pointer = 0x20:0xc04f96a1
 stack pointer = 0x28:0xe1b7dad4
 frame pointer = 0x28:0xe1b7db48
 code segment = base 0x0, limit 0xfffff, type 0x1b
 = DPL 0, pres 1, def32 1, gran 1
 processor eflags = interrupt enabled, resume, IOPL = 0
 current process = 705 (sshd)
 trap number = 12
 panic: page fault
 cpuid = 0
 Uptime: 51s
 Dumping 449 MB (2 chunks)
 chunk 0: 1MB (159 pages) ... ok
 chunk 1: 449MB (114944 pages) 434 418 402 386 370 354 338 322 306 290 274 
 258 242 226 210 194 178 162 146 130 114 98 82 66 50 34 18 2
 
 #0 doadump () at pcpu.h:165
 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) bt full
 #0 doadump () at pcpu.h:165
 No locals.
 #1 0xc052163d in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
 first_buf_printf = 1
 #2 0xc05219ea in panic (fmt=0xc06d19ec "%s") at 
 /usr/src/sys/kern/kern_shutdown.c:555
 td = (struct thread *) 0xc1c597d0
 bootopt = 260
 newpanic = 0
 ap = 0xc1c597d0 "<J??`<\225?"
 buf = "page fault", '\0' <repeats 245 times>
 #3 0xc06ab9a2 in trap_fatal (frame=0xe1b7da94, eva=0)
 at /usr/src/sys/i386/i386/trap.c:841
 code = 40
 type = 12
 ss = 40
 esp = 0
 softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0,
 ssd_p = 1, ssd_xx = 10, ssd_xx1 = 1, ssd_def32 = 1, ssd_gran = 1}
 #4 0xc06ab69b in trap_pfault (frame=0xe1b7da94, usermode=0, eva=0)
 at /usr/src/sys/i386/i386/trap.c:752
 va = 0
 vm = (struct vmspace *) 0x0
 map = 0xc1d745dc
 rv = 1
 ftype = 1 '\001'
 td = (struct thread *) 0xc1c597d0
 p = (struct proc *) 0xc1d54a3c
 #5 0xc06ab287 in trap (frame=
 {tf_fs = -1068302328, tf_es = -1066205144, tf_ds = -1043070936, tf_edi = 1, 
 tf_esi = -1043067440, tf_ebp = -508044472, tf_isp = -508044608, tf_ebx = 
 -1043698088, tf_edx = -1044015152, tf_ecx = -1047944912, tf_eax = 0, 
 tf_trapno = 12, tf_err = 0, tf_eip = -1068525919, tf_cs = 32, tf_eflags = 
 66050, tf_esp = -1068274241, tf_ss = -1044015152})
 at /usr/src/sys/i386/i386/trap.c:442
 td = (struct thread *) 0xc1c597d0
 p = (struct proc *) 0xc1d54a3c
 sticks = 3228802408
 i = 0
 ucode = 0
 type = 12
 code = 0
 eva = 0
 #6 0xc069673a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 No locals.
 #7 0xc0530008 in ratecheck (lasttime=0xc1d40dd0, mininterval=0xc1ca6e58)
 at /usr/src/sys/kern/kern_time.c:723
 tv = {tv_sec = -1068367935, tv_usec = -1042986436}
 delta = {tv_sec = -1043922944, tv_usec = -508044460}
 rv = 1
 #8 0xc05743c3 in unp_discard (fp=0xc1ca6e58) at 
 /usr/src/sys/kern/uipc_usrreq.c:1887
 No locals.
 #9 0xc0572b2b in unp_freerights (rp=0xc1b4ad28, fdcount=1)
 at /usr/src/sys/kern/uipc_usrreq.c:1272
 i = 0
 fp = (struct file *) 0x0
 #10 0xc0572df7 in unp_externalize (control=0xc1b4ad00, controlp=0xe1b7dc54)
 at /usr/src/sys/kern/uipc_usrreq.c:1321
 td = (struct thread *) 0xc1c597d0
 cm = (struct cmsghdr *) 0xc1b4ad18
 i = -1068065433
 fdp = (int *) 0xe1b7dbc8
 rp = (struct file **) 0xc1b4ad24
 fp = (struct file *) 0xc1c70000
 data = (void *) 0xc1c70000
 clen = 16
 datalen = 4
 error = 40
 newfds = 1
 f = -1043866020
 newlen = 0
 #11 0xc0566efe in soreceive (so=0xc1c7dde8, psa=0xe1b7dc50, uio=0xe1b7dc5c, 
 mp0=0x0,
 controlp=0xe1b7dc54, flagsp=0xe1b7dcbc) at 
 /usr/src/sys/kern/uipc_socket.c:1151
 cm = (struct mbuf *) 0xc1b4ad00
 cmn = (struct mbuf *) 0x0
 cme = (struct mbuf **) 0x0
 m = (struct mbuf *) 0xc1b4c000
 mp = (struct mbuf **) 0x0
 flags = 0
 len = 4
 error = 0
 offset = -508044112
 pr = (struct protosw *) 0xc0713660
 nextrecord = (struct mbuf *) 0x0
 moff = 0
 type = 0
 orig_resid = 1
 #12 0xc056d547 in recvit (td=0xc1c597d0, s=4, mp=0xe1b7dca4, namelenp=0x0)
 at /usr/src/sys/kern/uipc_syscalls.c:985
 auio = {uio_iov = 0xc1a22120, uio_iovcnt = 1, uio_offset = 0, uio_resid = 1,
 uio_segflg = UIO_USERSPACE, uio_rw = UIO_READ, uio_td = 0xc1c597d0}
 iov = (struct iovec *) 0x0
 i = 0
 len = 1
 error = 4
 m = (struct mbuf *) 0x0
 control = (struct mbuf *) 0x0
 ctlbuf = 0xe1b7dc6c "\001"
 fp = (struct file *) 0xc1bc8048
 so = (struct socket *) 0xc1c7dde8
 fromsa = (struct sockaddr *) 0x0
 ktruio = (struct uio *) 0x0
 #13 0xc056da2b in recvmsg (td=0x0, uap=0xe1b7dd04)
 at /usr/src/sys/kern/uipc_syscalls.c:1235
 msg = {msg_name = 0x0, msg_namelen = 0, msg_iov = 0xc1a22120, msg_iovlen = 
 1,
 msg_control = 0xbfbfdc70, msg_controllen = 16, msg_flags = 0}
 uiov = (struct iovec *) 0xbfbfdc60
 iov = (struct iovec *) 0xc1a22120
 error = 0
 #14 0xc06abd83 in syscall (frame=
 {tf_fs = 59, tf_es = -1078001605, tf_ds = -507903941, tf_edi = -1077945188, 
 tf_esi = -1077945136, tf_ebp = -1077945176, tf_isp = -508043932, tf_ebx = 
 134839184, tf_edx = 0, tf_ecx = 0, tf_eax = 27, tf_trapno = 12, tf_err = 2, 
 tf_eip = 674001611, tf_cs = 51, tf_eflags = 646, tf_esp = -1077945268, tf_ss 
 = 59}) at /usr/src/sys/i386/i386/trap.c:986
 params = 0xbfbfdc50 <Address 0xbfbfdc50 out of bounds>
 callp = (struct sysent *) 0xc0709824
 td = (struct thread *) 0xc1c597d0
 p = (struct proc *) 0xc1d54a3c
 orig_tf_eflags = 646
 sticks = 0
 error = 0
 narg = 3
 args = {4, -1077945216, 0, 134877184, 12, 0, 0, -1042986436}
 code = 27
 #15 0xc069678f in Xint0x80_syscall () at 
 /usr/src/sys/i386/i386/exception.s:200
 No locals.
 #16 0x0000003b in ?? ()
 No symbol table info available.
 #17 0xbfbf003b in ?? ()
 No symbol table info available.
 #18 0xe1ba003b in ?? ()
 No symbol table info available.
 #19 0xbfbfdc9c in ?? ()
 No symbol table info available.
 #20 0xbfbfdcd0 in ?? ()
 No symbol table info available.
 #21 0xbfbfdca8 in ?? ()
 No symbol table info available.
 #22 0xe1b7dd64 in ?? ()
 No symbol table info available.
 #23 0x08097b90 in ?? ()
 No symbol table info available.
 #24 0x00000000 in ?? ()
 No symbol table info available.
 #25 0x00000000 in ?? ()
 No symbol table info available.
 #26 0x0000001b in ?? ()
 No symbol table info available.
 #27 0x0000000c in ?? ()
 No symbol table info available.
 #28 0x00000002 in ?? ()
 No symbol table info available.
 #29 0x282c72cb in ?? ()
 No symbol table info available.
 #30 0x00000033 in ?? ()
 No symbol table info available.
 #31 0x00000286 in ?? ()
 No symbol table info available.
 #32 0xbfbfdc4c in ?? ()
 No symbol table info available.
 #33 0x0000003b in ?? ()
 No symbol table info available.
 #34 0xd0d0d0d0 in ?? ()
 No symbol table info available.
 #35 0xd0d0d0d0 in ?? ()
 No symbol table info available.
 #36 0xd0d0d0d0 in ?? ()
 No symbol table info available.
 #37 0xd0d0d0d0 in ?? ()
 No symbol table info available.
 #38 0x1172c000 in ?? ()
 No symbol table info available.
 #39 0xc0739b60 in ksg_maxid ()
 No symbol table info available.
 #40 0xc1950c80 in ?? ()
 No symbol table info available.
 #41 0xe1b7d72c in ?? ()
 No symbol table info available.
 #42 0xe1b7d710 in ?? ()
 No symbol table info available.
 #43 0xc1c597d0 in ?? ()
 No symbol table info available.
 #44 0xc0536dbf in sched_switch (td=0x8097b90, newtd=0xbfbfdcd0, flags=Cannot 
 access memory at address 0xbfbfdcb8
 )
 at /usr/src/sys/kern/sched_ule.c:1383
 ksq = (struct kseq *) 0xbfbfdc9c
 ke = (struct td_sched *) Cannot access memory at address 0xbfbfdc98
 (kgdb)
 
 ----- End forwarded message -----
 
 -- 
 Totus tuus, Glebius.
 GLEBIUS-RIPN GLEB-RIPE

From: Robert Watson <rwatson@FreeBSD.org>
To: Gleb Smirnoff <glebius@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/85816: maxproc=1 in login.conf causes kernel panic when
 logging into account via ssh
Date: Sat, 12 Nov 2005 11:14:49 +0000 (GMT)

 On Wed, 14 Sep 2005, Gleb Smirnoff wrote:
 
 > #8 0xc05743c3 in unp_discard (fp=0xc1ca6e58) at
 > /usr/src/sys/kern/uipc_usrreq.c:1887
 > No locals.
 > #9 0xc0572b2b in unp_freerights (rp=0xc1b4ad28, fdcount=1)
 > at /usr/src/sys/kern/uipc_usrreq.c:1272
 > i = 0
 > fp = (struct file *) 0x0
 > #10 0xc0572df7 in unp_externalize (control=0xc1b4ad00, controlp=0xe1b7dc54)
 > at /usr/src/sys/kern/uipc_usrreq.c:1321
 > td = (struct thread *) 0xc1c597d0
 > cm = (struct cmsghdr *) 0xc1b4ad18
 > i = -1068065433
 > fdp = (int *) 0xe1b7dbc8
 > rp = (struct file **) 0xc1b4ad24
 > fp = (struct file *) 0xc1c70000
 > data = (void *) 0xc1c70000
 > clen = 16
 
 This could well be related to the UNIX domain socket garbage collector 
 bugs I fixed in HEAD a day or two ago.  Could you try to reproduce this 
 with uipc_usrreq.c:1.159?  Likely, sshd's privsep (or some related notion) 
 is resulting in closing of a UNIX domain socket while a descriptor is in 
 flight, which turns out to be broken in several revisions of 5.x and 6.x 
 (and with additional bugs in 4.x).  I believe I've fixed most known bugs 
 in this code with the above mentioned revision, so it may now work better.
 
 Robert N M Watson
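
The trace above ends in unp_externalize -> unp_freerights -> unp_discard, the path the kernel takes when a descriptor sent with SCM_RIGHTS cannot be installed in the receiving process and the in-flight file has to be thrown away; that is consistent with the submitter's observation that a very low openfiles value (which sets RLIMIT_NOFILE for the login class) is needed alongside maxproc. The program below is an added example, not code from this PR or from FreeBSD: it passes a descriptor to itself over a socketpair and, when asked, first lowers RLIMIT_NOFILE so that no new descriptor number can be allocated on the receiving side, showing from userland what a patched kernel does with the in-flight descriptor. Function and result names are mine. The assumed error reporting is that FreeBSD fails the recvmsg(2) with EMSGSIZE while Linux returns the data with MSG_CTRUNC set and no SCM_RIGHTS control message; the code treats either outcome as "descriptor discarded".

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Result codes of pass_fd_under_limit() (names are this example's own). */
enum { FDPASS_RECEIVED = 1, FDPASS_DISCARDED = 0, FDPASS_ERROR = -1 };

/* Control-message buffer sized for exactly one descriptor. */
union rights_buf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Send one byte of data plus one descriptor over a UNIX-domain socket. */
static int send_fd(int sock, int fd_to_send)
{
    char data = 'x';
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    union rights_buf u;
    struct msghdr msg;

    memset(&u, 0, sizeof(u));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the message; report whether the descriptor arrived or was discarded. */
static int recv_fd(int sock, int *fd_out)
{
    char data;
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    union rights_buf u;
    struct msghdr msg;

    memset(&u, 0, sizeof(u));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);

    if (recvmsg(sock, &msg, 0) < 0) {
        /* Assumed FreeBSD behaviour: descriptor allocation failure is reported as EMSGSIZE. */
        return (errno == EMSGSIZE || errno == EMFILE) ? FDPASS_DISCARDED : FDPASS_ERROR;
    }
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm != NULL; cm = CMSG_NXTHDR(&msg, cm)) {
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS &&
            cm->cmsg_len >= CMSG_LEN(sizeof(int))) {
            memcpy(fd_out, CMSG_DATA(cm), sizeof(int));
            return FDPASS_RECEIVED;
        }
    }
    /* Assumed Linux behaviour: data delivered, descriptor dropped, MSG_CTRUNC set. */
    return (msg.msg_flags & MSG_CTRUNC) ? FDPASS_DISCARDED : FDPASS_ERROR;
}

/*
 * Pass a descriptor to ourselves. With starve != 0, RLIMIT_NOFILE is lowered to
 * the lowest free descriptor number first, so the receive side cannot install
 * the descriptor (the per-process effect of a tiny "openfiles" login capability).
 */
int pass_fd_under_limit(int starve)
{
    int sv[2], payload = -1, received = -1, probe, result = FDPASS_ERROR;
    struct rlimit saved, tight;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return FDPASS_ERROR;
    payload = dup(sv[0]);                  /* any open file will do as the payload */
    if (payload < 0 || send_fd(sv[0], payload) < 0)
        goto out;
    close(payload);                        /* sender's copy gone: the file is now "in flight" */
    payload = -1;
    if (getrlimit(RLIMIT_NOFILE, &saved) < 0)
        goto out;
    if (starve) {
        probe = dup(sv[1]);                /* lowest free descriptor number */
        if (probe < 0)
            goto out;
        close(probe);
        tight = saved;
        tight.rlim_cur = (rlim_t)probe;    /* only numbers below probe may now be allocated */
        if (setrlimit(RLIMIT_NOFILE, &tight) < 0)
            goto out;
    }
    result = recv_fd(sv[1], &received);
    if (starve)
        setrlimit(RLIMIT_NOFILE, &saved);  /* restore the soft limit */
    if (received >= 0)
        close(received);
out:
    if (payload >= 0)
        close(payload);
    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void)
{
    printf("normal limit:  %s\n", pass_fd_under_limit(0) == FDPASS_RECEIVED ? "descriptor received" : "unexpected result");
    printf("starved limit: %s\n", pass_fd_under_limit(1) == FDPASS_DISCARDED ? "descriptor discarded by the kernel" : "unexpected result");
    return 0;
}
```

On a kernel with the descriptor-passing and GC fixes Robert mentions, the starved call simply returns "discarded" and the process carries on; in the submitter's 6.0-BETA4 kernel that same discard path is where the panic occurred, which is why the report needs the low openfiles value and not maxproc alone. The example only touches its own soft RLIMIT_NOFILE and restores it before returning.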
State-Changed-From-To: open->feedback 
State-Changed-By: jh 
State-Changed-When: Thu Aug 19 15:11:37 UTC 2010 
State-Changed-Why:  
Note that submitter has been asked for feedback. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=85816 
State-Changed-From-To: feedback->closed 
State-Changed-By: vwe 
State-Changed-When: Sat Aug 28 08:49:45 UTC 2010 
State-Changed-Why:  
feedback timeout 
please note: 6.0-BETA is out of support for ... umf ... years!? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=85816 
>Unformatted:
