Frank Hofmann wrote:
> On Mon, 16 Jun 2008, Juergen Keil wrote:
>
> > For that reason I did suggest to Kyle to try to reproduce this hsfs mount
> > panic with kmem heap checking enabled.
> >
> > Add the following line to /etc/system, reboot, retry to reproduce the hsfs
> > mount panic:
> >
> > set kmem_flags=0xf
>
> Good idea.
Ok, I can actually reproduce that panic using last week's opensolaris bits.
All I have to do is try and "mount -F hsfs" a non-existent slice; e.g. using a
CD containing OpenSolaris 2008.05,

    mount -F hsfs /dev/dsk/c1t1d0s4 /mnt

("mount -F hsfs /dev/dsk/c1t1d0p0 /mnt" should work, though):

panic[cpu1]/thread=ffffff0348445720: BAD TRAP: type=e (#pf Page fault) rp=ffffff00108bb990 addr=40 occurred in module "genunix" due to a NULL pointer dereference

mount:
#pf Page fault
Bad kernel fault at addr=0x40
pid=19108, pc=0xfffffffffba92633, sp=0xffffff00108bba80, eflags=0x10207
cr0: 80050033<pg,wp,ne,et,mp,pe> cr4: 6f8<xmme,fxsr,pge,mce,pae,pse,de>
cr2: 40 cr3: 22f819000 cr8: c
        rdi: fffffffffbca88a0 rsi:                1 rdx:                8
        rcx:                0  r8: fffffffffbca8a70  r9:                0
        rax:                0 rbx:                0 rbp: ffffff00108bbaa0
        r10: ffffff02d24a6500 r11: ffffff00108bb680 r12:       1b00000103
        r13: ffffff00108bbc08 r14:       1b00000103 r15:               10
        fsb:                0 gsb: ffffff02d2e75540  ds:               4b
         es:               4b  fs:                0  gs:              1c3
        trp:                e err:                0 rip: fffffffffba92633
         cs:               30 rfl:            10207 rsp: ffffff00108bba80
         ss:               38

ffffff00108bb870 unix:die+c8 ()
ffffff00108bb980 unix:trap+13c3 ()
ffffff00108bb990 unix:_cmntrap+e9 ()
ffffff00108bbaa0 genunix:vfs_devismounted+23 ()
ffffff00108bbbc0 hsfs:hs_getmdev+176 ()
ffffff00108bbc60 hsfs:hsfs_mount+195 ()
ffffff00108bbc90 genunix:fsop_mount+21 ()
ffffff00108bbe00 genunix:domount+9ff ()
ffffff00108bbe80 genunix:mount+d2 ()
ffffff00108bbec0 genunix:syscall_ap+8f ()
ffffff00108bbf10 unix:brand_sys_syscall32+197 ()

syncing file systems... done
dumping to /dev/dsk/c9t0d0s1, offset 860356608, content: kernel

> $C
ffffff00108bbaa0 vfs_devismounted+0x23(1b00000103)
ffffff00108bbbc0 hs_getmdev+0x176(ffffff02dcf8a508, 804729e, 101, ffffff00108bbc08, ffffff00108bbc3c, ffffff0315246708)
ffffff00108bbc60 hsfs_mount+0x195(ffffff02dcf8a508, ffffff02ffea2c00, ffffff00108bbe30, ffffff0315246708)
ffffff00108bbc90 fsop_mount+0x21(ffffff02dcf8a508, ffffff02ffea2c00, ffffff00108bbe30, ffffff0315246708)
ffffff00108bbe00 domount+0x9ff(0, ffffff00108bbe30, ffffff02ffea2c00, ffffff0315246708, ffffff00108bbe28)
ffffff00108bbe80 mount+0xd2(ffffff0347a60fd8, ffffff00108bbeb8)
ffffff00108bbec0 syscall_ap+0x8f()
ffffff00108bbf10 sys_syscall32+0x101()

============================================================

The panic with "kmem_flags=0xf" is more interesting:

> ::status
debugging crash dump vmcore.5 (64-bit) from tiger2
operating system: 5.11 snv_93_jk (i86pc)
panic message: kernel heap corruption detected
dump content: kernel pages only

kernel memory allocator: invalid free: buffer not in cache
buffer=ffffff0010455e30  bufctl=0  cache: kmem_alloc_256

panic[cpu1]/thread=ffffff03a05ad060: kernel heap corruption detected

ffffff0010455a20 genunix:kmem_error+497 ()
ffffff0010455a40 genunix:kmem_free+d6 ()
ffffff0010455bb0 hsfs:hs_mountfs+8b9 ()
ffffff0010455c60 hsfs:hsfs_mount+1e9 ()
ffffff0010455c90 genunix:fsop_mount+21 ()
ffffff0010455e00 genunix:domount+9ff ()
ffffff0010455e80 genunix:mount+d2 ()
ffffff0010455ec0 genunix:syscall_ap+8f ()
ffffff0010455f10 unix:brand_sys_syscall32+197 ()

syncing file systems... done
dumping to /dev/dsk/c9t0d0s1, offset 860356608, content: kernel

> $C
ffffff0010455980 vpanic()
ffffff0010455a20 kmem_error+0x497(1, ffffff02ce62b020, ffffff0010455e30)
ffffff0010455a40 kmem_free+0xd6(ffffff0010455e30, e8)
ffffff0010455bb0 hs_mountfs+0x8b9(ffffff03a5096dc8, 1b00000104, ffffff03a2b9f140, 6100, 0, ffffff034ed39978, 0)
ffffff0010455c60 hsfs_mount+0x1e9(ffffff03a5096dc8, ffffff02f09e8900, ffffff0010455e30, ffffff034ed39978)
ffffff0010455c90 fsop_mount+0x21(ffffff03a5096dc8, ffffff02f09e8900, ffffff0010455e30, ffffff034ed39978)
ffffff0010455e00 domount+0x9ff(0, ffffff0010455e30, ffffff02f09e8900, ffffff034ed39978, ffffff0010455e28)
ffffff0010455e80 mount+0xd2(ffffff02e97cce38, ffffff0010455eb8)
ffffff0010455ec0 syscall_ap+0x8f()
ffffff0010455f10 sys_syscall32+0x101()

> hs_mountfs+0x8b9::dis
hs_mountfs+0x88f:  movq   -0x78(%rbp),%r8
hs_mountfs+0x893:  xorq   %r9,%r9
hs_mountfs+0x896:  call   +0x34c9f65   <fop_close>
hs_mountfs+0x89b:  movq   0x30(%rsp),%rdi
hs_mountfs+0x8a0:  call   +0x34c700b   <vn_rele>
hs_mountfs+0x8a5:  testq  %r13,%r13
hs_mountfs+0x8a8:  je     +0xf         <hs_mountfs+0x8b9>
hs_mountfs+0x8aa:  movq   %r13,%rdi
hs_mountfs+0x8ad:  movq   $0xe8,%rsi
hs_mountfs+0x8b4:  call   +0x33e0b57   <kmem_free>
hs_mountfs+0x8b9:  testq  %r12,%r12    <<<<<<<<<<<<<<<<<<<<<
hs_mountfs+0x8bc:  je     +0x1b        <hs_mountfs+0x8d9>
hs_mountfs+0x8be:  movq   %r12,%rdi
hs_mountfs+0x8c1:  movq   $0xe8,%rsi
hs_mountfs+0x8c8:  call   +0x33e0b43   <kmem_free>
hs_mountfs+0x8cd:  jmp    +0xa         <hs_mountfs+0x8d9>
hs_mountfs+0x8cf:  movq   0x30(%rsp),%rdi
hs_mountfs+0x8d4:  call   +0x34c6fd7   <vn_rele>
hs_mountfs+0x8d9:  movl   %ebx,%eax
hs_mountfs+0x8db:  popq   %r15
hs_mountfs+0x8dd:  popq   %r14
> ::dis
hs_mountfs+0x8df:  popq   %r13
hs_mountfs+0x8e1:  popq   %r12
hs_mountfs+0x8e3:  popq   %rbx
hs_mountfs+0x8e4:  leave
hs_mountfs+0x8e5:  ret
hs_mountfs+0x8e6:  movq   %r15,%rdi
hs_mountfs+0x8e9:  nop
hs_mountfs+0x8ea:  nop
hs_mountfs+0x8eb:  nop
hs_mountfs+0x8ec:  nop
hs_mountfs+0x8ed:  nop

> ffffff0010455e30::whatis
ffffff0010455e30 is in thread ffffff03a05ad060's stack

_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
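Added example, not from this thread and not OpenSolaris kernel code: a constructed C model of a size-class allocator with the kind of checked free that kmem heap checking (kmem_flags) turns on. It shows why the second dump above is the more useful one: handing the freer a 0xe8-byte object that actually lives on the thread's stack (the ::whatis result) is rejected at the free call site as "buffer not in cache" instead of quietly corrupting a free list. Every name here (km_alloc, km_free, km_cache_for, the two size classes, the demo_* functions) is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed teaching model of a size-class kernel allocator with the kind of
 * checked free that kmem_flags debugging enables. NOT the OpenSolaris kmem
 * code: every name and number here is hypothetical. */

#define SLAB_BUFS 8
#define NCACHES   2

typedef enum { KM_OK = 0, KM_NO_CACHE, KM_BAD_CACHE, KM_DOUBLE_FREE } km_err_t;

typedef struct {
    size_t bufsize;          /* size class, in the spirit of kmem_alloc_128 / kmem_alloc_256 */
    unsigned char *slab;     /* SLAB_BUFS buffers of bufsize bytes */
    int in_use[SLAB_BUFS];   /* per-buffer bookkeeping (a toy bufctl) */
} km_cache_t;

static km_cache_t caches[NCACHES] = { { 128, NULL, {0} }, { 256, NULL, {0} } };

static int km_init(void)
{
    for (int c = 0; c < NCACHES; c++) {
        caches[c].slab = calloc(SLAB_BUFS, caches[c].bufsize);
        memset(caches[c].in_use, 0, sizeof caches[c].in_use);
        if (caches[c].slab == NULL) return 0;
    }
    return 1;
}

static void km_fini(void)
{
    for (int c = 0; c < NCACHES; c++) { free(caches[c].slab); caches[c].slab = NULL; }
}

/* Smallest size class that fits 'size'; the free side selects the cache the same way. */
static km_cache_t *km_cache_for(size_t size)
{
    for (int c = 0; c < NCACHES; c++)
        if (size <= caches[c].bufsize) return &caches[c];
    return NULL;
}

static void *km_alloc(size_t size)
{
    km_cache_t *cp = km_cache_for(size);
    if (cp == NULL) return NULL;
    for (int i = 0; i < SLAB_BUFS; i++)
        if (!cp->in_use[i]) { cp->in_use[i] = 1; return cp->slab + (size_t)i * cp->bufsize; }
    return NULL;
}

/* Checked free: returns an error code where a real kernel allocator would panic. */
static km_err_t km_free(void *buf, size_t size)
{
    km_cache_t *cp = km_cache_for(size);
    if (cp == NULL) return KM_NO_CACHE;
    uintptr_t p = (uintptr_t)buf, lo = (uintptr_t)cp->slab;
    uintptr_t hi = lo + (uintptr_t)SLAB_BUFS * cp->bufsize;
    /* A stack address, or a pointer belonging to another cache, fails this
     * test: the "invalid free: buffer not in cache" condition in the panic. */
    if (p < lo || p >= hi || (p - lo) % cp->bufsize != 0) return KM_BAD_CACHE;
    size_t idx = (p - lo) / cp->bufsize;
    if (!cp->in_use[idx]) return KM_DOUBLE_FREE;   /* freed twice */
    cp->in_use[idx] = 0;
    memset(buf, 0xdf, cp->bufsize);   /* poison freed memory, like a free pattern */
    return KM_OK;
}

/* Normal allocate/free of a 0xe8-byte object: it lands in the 256-byte class. */
km_err_t demo_roundtrip(void)
{
    if (!km_init()) return KM_NO_CACHE;
    void *b = km_alloc(0xe8);
    km_err_t rc = b ? km_free(b, 0xe8) : KM_NO_CACHE;
    km_fini();
    return rc;
}

/* The crash scenario: a 0xe8-byte structure that lives on the thread's stack
 * (what ::whatis reported for the buffer) is handed to the freer. */
km_err_t demo_free_stack_buffer(void)
{
    unsigned char on_stack[0xe8];
    if (!km_init()) return KM_NO_CACHE;
    km_err_t rc = km_free(on_stack, sizeof on_stack);
    km_fini();
    return rc;
}

/* Freeing the same buffer twice is caught by the per-buffer bookkeeping. */
km_err_t demo_double_free(void)
{
    if (!km_init()) return KM_NO_CACHE;
    void *b = km_alloc(0xe8);
    km_err_t rc = KM_NO_CACHE;
    if (b && km_free(b, 0xe8) == KM_OK) rc = km_free(b, 0xe8);
    km_fini();
    return rc;
}
```

The point for anyone debugging a similar report: without the checking, an allocator that trusts its caller would thread the stack address onto a free list and the damage would only surface later, in some unrelated allocation, which is what the first dump (a NULL dereference several frames away from the real fault) looks like. With the checks on, the report names the exact free call in hs_mountfs and the cache it expected, which is what makes the second dump the one worth reading.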