Bug 134408

Summary: [dtrace] [panic] "opensnoop" DTrace script panics every time (trace trap 10)
Product: Base System Reporter: Thomas Backman <serenity>
Component: kernAssignee: Andriy Gapon <avg>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 7.2-RELEASE   
Hardware: Any   
OS: Any   

Description Thomas Backman 2009-05-10 08:50:01 UTC 
When running a simple DTrace script to keep track of file opens, the kernel panics, apparently while trying to copy in the file/directory path into kernel memory (copyinstr()). Switching out copyinstr() with a simple "file opened" printf causes no panic.

How-To-Repeat: 1) Compile a DTrace capable kernel (I followed the DTrace wiki article)
2) Run: dtrace -n 'syscall::open:entry { self->path = arg0; } syscall::open:return /self->path/ { printf("%s\n", copyinstr(self->path)); }'
3) The system crashes after a few seconds (in my case).

(Broken) backtrace:
Unread portion of the kernel message buffer:

Fatal trap 10: trace trap while in kernel mode
cpuid = 0; apic id = 00
instruction pointer	= 0x8:0xffffffff812c7e40
stack pointer	        = 0x10:0xfffffffebe806420
frame pointer	        = 0x10:0xfffffffebe806510
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= trace trap, interrupt enabled, nested task, IOPL = 2
current process		= 1306 (find)
trap number		= 10
panic: trace trap
cpuid = 0
Uptime: 56m18s
Physical memory: 2031 MB
Dumping 655 MB: 640 624 608 592 576 560 544 528 512 496 480 464 448 432 416 400 384 368 352 336 320 304 288 272 256 240 224 208 192 176 160 144 128 112 96 80 64 48 32 16

Reading symbols from /boot/kernel/zfs.ko...Reading symbols from /bootdir/boot/kernel/zfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/zfs.ko
Reading symbols from /boot/kernel/opensolaris.ko...Reading symbols from /bootdir/boot/kernel/opensolaris.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/opensolaris.ko
Reading symbols from /boot/kernel/smbfs.ko...Reading symbols from /bootdir/boot/kernel/smbfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/smbfs.ko
Reading symbols from /boot/kernel/libiconv.ko...Reading symbols from /bootdir/boot/kernel/libiconv.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/libiconv.ko
Reading symbols from /boot/kernel/libmchain.ko...Reading symbols from /bootdir/boot/kernel/libmchain.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/libmchain.ko
Reading symbols from /boot/kernel/dtraceall.ko...Reading symbols from /bootdir/boot/kernel/dtraceall.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/dtraceall.ko
Reading symbols from /boot/kernel/profile.ko...Reading symbols from /bootdir/boot/kernel/profile.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/profile.ko
Reading symbols from /boot/kernel/cyclic.ko...Reading symbols from /bootdir/boot/kernel/cyclic.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/cyclic.ko
Reading symbols from /boot/kernel/dtrace.ko...Reading symbols from /bootdir/boot/kernel/dtrace.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/dtrace.ko
Reading symbols from /boot/kernel/systrace.ko...Reading symbols from /bootdir/boot/kernel/systrace.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/systrace.ko
Reading symbols from /boot/kernel/sdt.ko...Reading symbols from /bootdir/boot/kernel/sdt.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/sdt.ko
Reading symbols from /boot/kernel/fbt.ko...Reading symbols from /bootdir/boot/kernel/fbt.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/fbt.ko
Reading symbols from /boot/kernel/dtmalloc.ko...Reading symbols from /bootdir/boot/kernel/dtmalloc.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/dtmalloc.ko
#0  doadump () at pcpu.h:195
195		__asm __volatile("movq %%gs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:195
#1  0xffffffff80517f28 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2  0xffffffff8051836c in panic (fmt=0xffffffff808ad39c "%s") at /usr/src/sys/kern/kern_shutdown.c:574
#3  0xffffffff807e3e1c in trap_fatal (frame=0xffffff000ff6f000, eva=Variable "eva" is not available.
) at /usr/src/sys/amd64/amd64/trap.c:757
#4  0xffffffff807e4b0a in trap (frame=0xfffffffebe806370) at /usr/src/sys/amd64/amd64/trap.c:558
#5  0xffffffff807c8a93 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:209
#6  0xffffffff812c7e40 in vpanic_common () from /boot/kernel/dtrace.ko
#7  0xffffffff812b2127 in dtrace_panic () from /boot/kernel/dtrace.ko
#8  0xffffffff812b215d in dtrace_assfail () from /boot/kernel/dtrace.ko
#9  0x00000008007272f3 in ?? ()
#10 0xfffffffebe806560 in ?? ()
#11 0xffffffff812b2200 in dtrace_copycheck () from /boot/kernel/dtrace.ko
Previous frame inner to this frame (corrupt stack?)
Comment 1 dfilter service freebsd_committer freebsd_triage 2009-06-24 17:04:08 UTC 
Author: avg
Date: Wed Jun 24 16:03:57 2009
New Revision: 194850
URL: http://svn.freebsd.org/changeset/base/194850

Log:
  dtrace/amd64: fix virtual address checks
  
  On amd64 KERNBASE/kernbase does not mean start of kernel memory.
  This should fix a KASSERT panic in dtrace_copycheck when copyin*()
  is used in D program.
  Also make checks for user memory a bit stricter.
  
  Reported by:	Thomas Backman <serenity@exscape.org>
  Submitted by:	wxs (kaddr part)
  Tested by:	Thomas Backman (prototype), wxs
  Reviewed by:	alc (concept), jhb, current@
  Aprroved by:	jb (concept)
  MFC after:	2 weeks
  PR:		kern/134408

Modified:
  head/sys/cddl/dev/dtrace/amd64/dtrace_isa.c
  head/sys/cddl/dev/dtrace/amd64/dtrace_subr.c

Modified: head/sys/cddl/dev/dtrace/amd64/dtrace_isa.c
==============================================================================
--- head/sys/cddl/dev/dtrace/amd64/dtrace_isa.c	Wed Jun 24 15:48:20 2009	(r194849)
+++ head/sys/cddl/dev/dtrace/amd64/dtrace_isa.c	Wed Jun 24 16:03:57 2009	(r194850)
@@ -42,8 +42,6 @@
 #include <vm/vm_param.h>
 #include <vm/pmap.h>
 
-extern uintptr_t kernbase;
-uintptr_t kernelbase = (uintptr_t) &kernbase;
 
 uint8_t dtrace_fuword8_nocheck(void *);
 uint16_t dtrace_fuword16_nocheck(void *);
@@ -524,9 +522,9 @@ dtrace_getreg(struct regs *rp, uint_t re
 static int
 dtrace_copycheck(uintptr_t uaddr, uintptr_t kaddr, size_t size)
 {
-	ASSERT(kaddr >= kernelbase && kaddr + size >= kaddr);
+	ASSERT(INKERNEL(kaddr) && kaddr + size >= kaddr);
 
-	if (uaddr + size >= kernelbase || uaddr + size < uaddr) {
+	if (uaddr + size > VM_MAXUSER_ADDRESS || uaddr + size < uaddr) {
 		DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
 		cpu_core[curcpu].cpuc_dtrace_illval = uaddr;
 		return (0);
@@ -570,7 +568,7 @@ dtrace_copyoutstr(uintptr_t kaddr, uintp
 uint8_t
 dtrace_fuword8(void *uaddr)
 {
-	if ((uintptr_t)uaddr >= kernelbase) {
+	if ((uintptr_t)uaddr > VM_MAXUSER_ADDRESS) {
 		DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
 		cpu_core[curcpu].cpuc_dtrace_illval = (uintptr_t)uaddr;
 		return (0);
@@ -581,7 +579,7 @@ dtrace_fuword8(void *uaddr)
 uint16_t
 dtrace_fuword16(void *uaddr)
 {
-	if ((uintptr_t)uaddr >= kernelbase) {
+	if ((uintptr_t)uaddr > VM_MAXUSER_ADDRESS) {
 		DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
 		cpu_core[curcpu].cpuc_dtrace_illval = (uintptr_t)uaddr;
 		return (0);
@@ -592,7 +590,7 @@ dtrace_fuword16(void *uaddr)
 uint32_t
 dtrace_fuword32(void *uaddr)
 {
-	if ((uintptr_t)uaddr >= kernelbase) {
+	if ((uintptr_t)uaddr > VM_MAXUSER_ADDRESS) {
 		DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
 		cpu_core[curcpu].cpuc_dtrace_illval = (uintptr_t)uaddr;
 		return (0);
@@ -603,7 +601,7 @@ dtrace_fuword32(void *uaddr)
 uint64_t
 dtrace_fuword64(void *uaddr)
 {
-	if ((uintptr_t)uaddr >= kernelbase) {
+	if ((uintptr_t)uaddr > VM_MAXUSER_ADDRESS) {
 		DTRACE_CPUFLAG_SET(CPU_DTRACE_BADADDR);
 		cpu_core[curcpu].cpuc_dtrace_illval = (uintptr_t)uaddr;
 		return (0);

Modified: head/sys/cddl/dev/dtrace/amd64/dtrace_subr.c
==============================================================================
--- head/sys/cddl/dev/dtrace/amd64/dtrace_subr.c	Wed Jun 24 15:48:20 2009	(r194849)
+++ head/sys/cddl/dev/dtrace/amd64/dtrace_subr.c	Wed Jun 24 16:03:57 2009	(r194850)
@@ -40,7 +40,6 @@
 #include <machine/frame.h>
 #include <vm/pmap.h>
 
-extern uintptr_t 	kernelbase;
 extern uintptr_t 	dtrace_in_probe_addr;
 extern int		dtrace_in_probe;
 
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2011-03-01 15:15:53 UTC 
State Changed
From-To: open->patched

committed in head (r194850)
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2011-03-01 15:23:12 UTC 
Responsible Changed
From-To: freebsd-bugs->avg

same as above
Comment 4 Andriy Gapon freebsd_committer freebsd_triage 2011-04-02 09:21:56 UTC 
State Changed
From-To: patched->closed

I think that this has been resolved actually.