133289 – [vm] [panic] DEBUG_MEMGUARD with vm.memguard.desc="devbuf" panics the kernel

Bug 133289 - [vm] [panic] DEBUG_MEMGUARD with vm.memguard.desc="devbuf" panics the kernel

Summary: [vm] [panic] DEBUG_MEMGUARD with vm.memguard.desc="devbuf" panics the kernel

Status:	Closed Feedback Timeout

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	7.1-RELEASE
Hardware:	Any Any

Importance:	Normal Affects Only Me
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-04-02 00:50 UTC by Eugene M. Kim
Modified:	2021-04-01 16:04 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Eugene M. Kim 2009-04-02 00:50:01 UTC

A kernel with DEBUG_MEMGUARD and vm.memguard.desc="devbuf" set in
/boot/loader.conf panics upon a null pointer dereference in memguard_free().

Kernel dmesg buffer with the panic message:
--- BEGIN dmesg-buffer ---
Copyright (c) 1992-2009 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 7.1-RELEASE #1 r190573: Wed Apr  1 15:00:45 PDT 2009
    root@burrito.p2p.nttmcl.com:/usr/obj/usr/src7/sys/PAPERBOY
MEMGUARD DEBUGGING ALLOCATOR INITIALIZED:
	MEMGUARD map base: 0xc671e000
	MEMGUARD map limit: 0xc871f000
	MEMGUARD map size: 33558528 (Bytes)
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(R) CPU           E3110  @ 3.00GHz (3000.23-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x10676  Stepping = 6
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x8e3fd<SSE3,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1>
  AMD Features=0x20100000<NX,LM>
  AMD Features2=0x1<LAHF>
  Cores per package: 2
real memory  = 3488292864 (3326 MB)
avail memory = 3408990208 (3251 MB)
ACPI APIC Table: <DELL   PE_SC3  >
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
ioapic0: Changing APIC ID to 2
ioapic1: Changing APIC ID to 3
ioapic0 <Version 2.0> irqs 0-23 on motherboard
ioapic1 <Version 2.0> irqs 32-55 on motherboard
kbd1 at kbdmux0
ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
cryptosoft0: <software crypto> on motherboard
acpi0: <DELL PE_SC3> on motherboard
acpi0: [ITHREAD]
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x808-0x80b on acpi0
acpi_hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 900
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pcib1: <ACPI PCI-PCI bridge> irq 16 at device 1.0 on pci0
pci1: <ACPI PCI bus> on pcib1
mpt0: <LSILogic SAS/SATA Adapter> port 0xec00-0xecff mem 0xdfbec000-0xdfbeffff,0xdfbf0000-0xdfbfffff irq 16 at device 0.0 on pci1
mpt0: [ITHREAD]
mpt0: MPI Version=1.5.14.0
mpt0: Capabilities: ( RAID-0 RAID-1E RAID-1 )
mpt0: 1 Active Volume (2 Max)
mpt0: 2 Hidden Drive Members (14 Max)
pcib2: <ACPI PCI-PCI bridge> irq 16 at device 28.0 on pci0
pci2: <ACPI PCI bus> on pcib2
pcib3: <ACPI PCI-PCI bridge> at device 0.0 on pci2
pci3: <ACPI PCI bus> on pcib3
ubsec0 mem 0xdfcf0000-0xdfcfffff irq 35 at device 2.0 on pci3
ubsec0: [ITHREAD]
ubsec0: Broadcom 5821
pcib4: <ACPI PCI-PCI bridge> irq 16 at device 28.4 on pci0
pci4: <ACPI PCI bus> on pcib4
bge0: <Broadcom NetXtreme Gigabit Ethernet Controller, ASIC rev. 0x4201> mem 0xdfdf0000-0xdfdfffff irq 16 at device 0.0 on pci4
miibus0: <MII bus> on bge0
brgphy0: <BCM5750 10/100/1000baseTX PHY> PHY 1 on miibus0
brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
bge0: Ethernet address: 00:1e:c9:bb:a0:a1
bge0: [ITHREAD]
pcib5: <ACPI PCI-PCI bridge> irq 17 at device 28.5 on pci0
pci5: <ACPI PCI bus> on pcib5
bge1: <Broadcom NetXtreme Gigabit Ethernet Controller, ASIC rev. 0x4201> mem 0xdfef0000-0xdfefffff irq 17 at device 0.0 on pci5
miibus1: <MII bus> on bge1
brgphy1: <BCM5750 10/100/1000baseTX PHY> PHY 1 on miibus1
brgphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
bge1: Ethernet address: 00:1e:c9:bb:a0:a2
bge1: [ITHREAD]
uhci0: <UHCI (generic) USB controller> port 0xcc60-0xcc7f irq 21 at device 29.0 on pci0
uhci0: [GIANT-LOCKED]
uhci0: [ITHREAD]
usb0: <UHCI (generic) USB controller> on uhci0
usb0: USB revision 1.0
uhub0: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb0
uhub0: 2 ports with 2 removable, self powered
uhci1: <UHCI (generic) USB controller> port 0xcc80-0xcc9f irq 20 at device 29.1 on pci0
uhci1: [GIANT-LOCKED]
uhci1: [ITHREAD]
usb1: <UHCI (generic) USB controller> on uhci1
usb1: USB revision 1.0
uhub1: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb1
uhub1: 2 ports with 2 removable, self powered
uhci2: <UHCI (generic) USB controller> port 0xcca0-0xccbf irq 21 at device 29.2 on pci0
uhci2: [GIANT-LOCKED]
uhci2: [ITHREAD]
usb2: <UHCI (generic) USB controller> on uhci2
usb2: USB revision 1.0
uhub2: <Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1> on usb2
uhub2: 2 ports with 2 removable, self powered
ehci0: <EHCI (generic) USB 2.0 controller> mem 0xdf9ffc00-0xdf9fffff irq 21 at device 29.7 on pci0
ehci0: [GIANT-LOCKED]
ehci0: [ITHREAD]
usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: <EHCI (generic) USB 2.0 controller> on ehci0
usb3: USB revision 2.0
uhub3: <Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1> on usb3
uhub3: 6 ports with 6 removable, self powered
uhub4: <vendor 0x04b4 product 0x6560, class 9/0, rev 2.00/0.0b, addr 2> on uhub3
uhub4: multiple transaction translators
uhub4: 4 ports with 4 removable, self powered
pcib6: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci6: <ACPI PCI bus> on pcib6
vgapci0: <VGA-compatible display> port 0xdc00-0xdcff mem 0xd0000000-0xd7ffffff,0xdfff0000-0xdfffffff irq 19 at device 5.0 on pci6
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel ICH9 SATA300 controller> port 0xcc30-0xcc37,0xcc28-0xcc2b,0xcc38-0xcc3f,0xcc2c-0xcc2f,0xcc40-0xcc4f,0xcc50-0xcc5f irq 23 at device 31.2 on pci0
atapci0: [ITHREAD]
ata2: <ATA channel 0> on atapci0
ata2: [ITHREAD]
ata3: <ATA channel 1> on atapci0
ata3: [ITHREAD]
fdc0: <floppy drive controller> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fdc0: does not respond
device_attach: fdc0 attach returned 6
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x90 on acpi0
sio0: type 16550A
sio0: [FILTER]
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
atkbd0: [ITHREAD]
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: [ITHREAD]
psm0: model IntelliMouse, device ID 3
cpu0: <ACPI CPU> on acpi0
est0: <Enhanced SpeedStep Frequency Control> on cpu0
p4tcc0: <CPU Frequency Thermal Control> on cpu0
cpu1: <ACPI CPU> on acpi0
est1: <Enhanced SpeedStep Frequency Control> on cpu1
p4tcc1: <CPU Frequency Thermal Control> on cpu1
fdc0: <floppy drive controller> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fdc0: does not respond
device_attach: fdc0 attach returned 6
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
pmtimer0 on isa0
orm0: <ISA Option ROMs> at iomem 0xc0000-0xc8fff,0xc9000-0xc9fff,0xca000-0xcb7ff,0xec000-0xeffff pnpid ORM0000 on isa0
ata0 at port 0x1f0-0x1f7,0x3f6 irq 14 on isa0
ata0: [ITHREAD]
ata1 at port 0x170-0x177,0x376 irq 15 on isa0
ata1: [ITHREAD]
ppc0: parallel port not found.
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounters tick every 1.000 msec
IPsec: Initialized Security Association Processing.
mpt0:vol0(mpt0:0:0): Settings ( Member-WCE Hot-Plug-Spares High-Priority-ReSync )
mpt0:vol0(mpt0:0:0): Using Spare Pool: 0
mpt0:vol0(mpt0:0:0): 2 Members:
      (mpt0:1:8:0): Primary Online
      (mpt0:1:1:0): Secondary Online
mpt0:vol0(mpt0:0:0): RAID-1 - Optimal
mpt0:vol0(mpt0:0:0): Status ( Enabled )
(mpt0:vol0:1): Physical (mpt0:0:1:0), Pass-thru (mpt0:1:0:0)
(mpt0:vol0:1): Online
(mpt0:vol0:0): Physical (mpt0:0:8:0), Pass-thru (mpt0:1:1:0)
(mpt0:vol0:0): Online
acd0: DVDROM <TEAC DVD-ROM DV28SV/D.0E> at ata2-slave SATA150


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address	= 0x8
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc09e5c14
stack pointer	        = 0x28:0xe6dbfa54
frame pointer	        = 0x28:0xe6dbfa88
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 20 (swi2: cambio)
--- END dmesg-buffer ---

The following stack trace was obtained via a remote kgdb session.

--- BEGIN stack trace ---
#0  memguard_free (addr=Variable "addr" is not available.
) at /usr/src7/sys/vm/memguard.c:286
#1  0xc078cf21 in free (addr=0xc894a000, mtp=0xc0c28f80)
    at /usr/src7/sys/kern/kern_malloc.c:431
#2  0xc0475731 in probedone (periph=0xc87f7700, done_ccb=0xc8ad4400)
    at /usr/src7/sys/cam/cam_xpt.c:6175
#3  0xc04714af in camisr_runqueue (V_queue=Variable "V_queue" is not available.
)
    at /usr/src7/sys/cam/cam_xpt.c:7316
#4  0xc04715ea in camisr (dummy=0x0) at /usr/src7/sys/cam/cam_xpt.c:7216
#5  0xc077dd45 in ithread_loop (arg=0xc8865c80)
    at /usr/src7/sys/kern/kern_intr.c:1088
#6  0xc077b0d8 in fork_exit (callout=0xc077db80 <ithread_loop>, 
    arg=0xc8865c80, frame=0xe6dbfd38) at /usr/src7/sys/kern/kern_fork.c:804
#7  0xc0ab1f40 in fork_trampoline () at /usr/src7/sys/i386/i386/exception.s:264
--- END stack trace ---

Fix: 

None known.
How-To-Repeat: Compile DEBUG_MEMGUARD into the kernel; set vm.memguard.desc="devbuf" in
/boot/loader.conf; reboot.

Comment 1 mdf freebsd_committer

2010-09-01 18:54:14 UTC

Based on the stack trace it looks like mgfifo is NULL (the lines are
off by one, it appears, but that's the only reasonable place to
dereference 0x8).

This did not repro on a virtual machine for me.  However, there is a
new memguard implementation in -current now.  I am unable to determine
conclusively from just the stack whether this is a bug in memguard or
if memguard found a bug in the use of M_DEVBUF but didn't print an
error in a friendly format.

Would it be possible to re-try this on the same hardware, but using
CURRENT?  If not, I hope to backport the memguard changes in a few
weeks to stable/8 and stable/7.

Thanks,
matthew

Comment 2 Eitan Adler freebsd_committer

2017-12-31 07:59:02 UTC

For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped