On 11.10.2015 18:54, Sebastien Marie wrote:
On Sun, Oct 11, 2015 at 11:53:10AM +0300, Atanas Vladimirov wrote:
Hi,
I got *who(XXXXX): syscall 54* in the last few snapshots.
If you need more info just ask.
syscall 54 is for ioctl syscall.
~$ ktrace -i who
~$ kdump
............................................
16759 who RET read 2819/0xb03
16759 who CALL close(4)
16759 who RET close 0
16759 who CALL kbind(0x7f7ffffdcd58,0x18,0x962191a9ce60cd08)
16759 who RET kbind 0
16759 who CALL kbind(0x7f7ffffdccc8,0x18,0x962191a9ce60cd08)
16759 who RET kbind 0
16759 who CALL write(1,0x1d987d241000,0x2f)
16759 who GIO fd 1 wrote 47 bytes
"vlado ttyp0 Oct 11 11:37 (192.168.1.2)
"
16759 who RET write 47/0x2f
16759 who CALL read(3,0x1d98baae1000,0x4000)
16759 who RET read 0
16759 who CALL kbind(0x7f7ffffdce28,0x18,0x962191a9ce60cd08)
16759 who RET kbind 0
16759 who CALL kbind(0x7f7ffffdce08,0x18,0x962191a9ce60cd08)
16759 who RET kbind 0
16759 who CALL
mprotect(0x1d98aa7a1000,0x1000,0x3<PROT_READ|PROT_WRITE>)
16759 who RET mprotect 0
16759 who CALL mprotect(0x1d98aa7a1000,0x1000,0x1<PROT_READ>)
16759 who RET mprotect 0
16759 who CALL
mprotect(0x1d98aa7a1000,0x1000,0x3<PROT_READ|PROT_WRITE>)
16759 who RET mprotect 0
16759 who CALL mprotect(0x1d98aa7a1000,0x1000,0x1<PROT_READ>)
16759 who RET mprotect 0
16759 who CALL
mprotect(0x1d98aa7a1000,0x1000,0x3<PROT_READ|PROT_WRITE>)
16759 who RET mprotect 0
16759 who CALL mprotect(0x1d98aa7a1000,0x1000,0x1<PROT_READ>)
16759 who RET mprotect 0
16759 who CALL munmap(0x1d98aa7a1000,0x1000)
16759 who RET munmap 0
16759 who CALL exit(0)
This ktrace showed a process that exit(0). This process wasn't killed
by pledge(2).
~$ dmesg
OpenBSD 5.8-current (GENERIC.MP) #1456: Sat Oct 10 21:51:05 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Could you try to rebuild who(1) ? You will need to add `abort' in all
pledge calls in order to generate a coredump, and obtain a
fullbacktrace.
$ grep -FRn 'pledge(' /usr/src/usr.bin/who/
/usr/src/usr.bin/who/who.c:77: if (pledge("stdio rpath getpw tty",
NULL) == -1)
/usr/src/usr.bin/who/who.c:293: if (pledge("stdio rpath
getpw", NULL) == -1)
/usr/src/usr.bin/who/who.c:296: if (pledge("stdio getpw", NULL)
== -1)
For example, line 77: if (pledge("stdio rpath getpw tty abort", NULL)
== -1)
When you get a who.core, you can use gdb to extract the backtrace:
$ gdb who who.core
(gdb) bt
Thanks.
I rebuild who(1) with DEBUG and add 'abort' in all pledge calls.
Also I changed kern.nosuidcoredump=3 and made /var/crash/who but I can't
find who.core.
Meanwhile I got syscall 54 every 5 min. Is it possible another
process/daemon to generate this errors?
How can I find it?
~$ tail /var/log/messages
Oct 11 19:54:37 ns /bsd: who(5929): syscall 54
Oct 11 19:59:37 ns /bsd: who(6769): syscall 54
Oct 11 20:04:37 ns /bsd: who(13907): syscall 54
Oct 11 20:09:37 ns /bsd: who(27822): syscall 54
Oct 11 20:14:37 ns /bsd: who(25574): syscall 54
Oct 11 20:19:37 ns /bsd: who(8480): syscall 54
Oct 11 20:24:37 ns /bsd: who(28849): syscall 54
Oct 11 20:29:37 ns /bsd: who(11423): syscall 54
Oct 11 20:34:37 ns /bsd: who(20946): syscall 54