OpenSolaris

Bug ID 6325383
Synopsis panic: anon_decref dereferenced bad pointer
State 10-Fix Delivered (Fix available in build)
Category:Subcategory kernel:vm
Keywords onnv_triage | rtiq_reviewed
Responsible Engineer Stan Studzinski
Reported Against s10 , snv_22 , s10u1_fcs
Duplicate Of
Introduced In solaris_7
Commit to Fix snv_68
Fixed In snv_68
Release Fixed solaris_nevada(snv_68) , solaris_10u6(s10u6_02) (Bug ID:2160974)
Related Bugs 6444367
Submit Date 16-September-2005
Last Update Date 26-May-2008
Description
My x64 laptop panicked when the shell tried to exec something:

panic[cpu0]/thread=ffffffff813b2460: 
BAD TRAP: type=e (#pf Page fault) rp=fffffe800062c680 addr=18 occurred in module
 "genunix" due to a NULL pointer dereference


bash: 
#pf Page fault
Bad kernel fault at addr=0x18
pid=1540, pc=0xfffffffffba20d84, sp=0xfffffe800062c770, eflags=0x10282
cr0: 8005003b<pg,wp,ne,et,ts,mp,pe> cr4: 6f0<xmme,fxsr,pge,mce,pae,pse>
cr2: 18 cr3: 8541000 cr8: c
        rdi:               18 rsi:                2 rdx: ffffffff847298a8
        rcx:                c  r8:                3  r9:                5
        rax:                0 rbx:                2 rbp: fffffe800062c790
        r10: ffffffff809b86c0 r11:                0 r12:                2
        r13:               18 r14: ffffffff846342e8 r15:         fef3f000
        fsb: ffffffff80000000 gsb: fffffffffbc22ba0  ds:               43
         es:               43  fs:                0  gs:              1c3
        trp:                e err:                0 rip: fffffffffba20d84
         cs:               28 rfl:            10282 rsp: fffffe800062c770
         ss:               30

fffffe800062c590 unix:die+da ()
fffffe800062c670 unix:trap+5ea ()
fffffe800062c680 unix:cmntrap+140 ()
fffffe800062c790 genunix:anon_decref+24 ()
fffffe800062c7d0 genunix:anon_free+6d ()
fffffe800062c800 genunix:segvn_free+1c1 ()
fffffe800062c820 genunix:seg_free+3f ()
fffffe800062c900 genunix:segvn_unmap+54b ()
fffffe800062c950 genunix:as_free+ac ()
fffffe800062c980 genunix:relvm+1f7 ()
fffffe800062c9f0 genunix:exec_args+1c5 ()
fffffe800062cb60 elfexec:elf32exec+34c ()
fffffe800062ccb0 genunix:gexec+1f3 ()
fffffe800062ceb0 genunix:exec_common+38b ()
fffffe800062cec0 genunix:exece+9 ()
fffffe800062cf10 unix:sys_syscall32+101 ()

syncing file systems...

dumps are attached.

It looks like anon_decref() was given a bad pointer by anon_free():

> fffffffffba20d84::dis
anon_decref:                    pushq  %rbp
anon_decref+1:                  movq   %rsp,%rbp
anon_decref+4:                  subq   $0x20,%rsp
anon_decref+8:                  movl   0xffe7ec82(%rip),%ecx
anon_decref+0xe:                movq   %r13,0x10(%rsp)
anon_decref+0x13:               movq   %r14,0x18(%rsp)
anon_decref+0x18:               movq   %rdi,%r13
anon_decref+0x1b:               movq   %rbx,(%rsp)
anon_decref+0x1f:               movq   %r12,0x8(%rsp)
anon_decref+0x24:               movq   (%rdi),%rax

anon_free(struct anon_hdr *ahp, ulong_t index, size_t size)
{
        struct anon *ap;

        while (npages > 0) {
                old = index;
                if ((ap = anon_get_next_ptr(ahp, &index)) == NULL)
                        break;

                ...
                (void) anon_set_ptr(ahp, index, NULL, ANON_SLEEP);
                anon_decref(ap);
                ...
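The reporter's conclusion (a non-NULL but invalid `ap` reaching anon_decref()) can be checked mechanically against the dump. The Python below is an added example, not part of the bug report or of the OpenSolaris sources: it parses constructed excerpts of this report's panic message, stack trace and mdb `::dis` output, finds the instruction at the faulting frame, and confirms that its base register (%rdi, the first integer argument under the amd64 ABI, here `ap`) plus displacement equals the reported fault address and %cr2.

```python
import re

# Constructed excerpts of the report's panic message, stack trace and mdb ::dis output.
PANIC = """\
BAD TRAP: type=e (#pf Page fault) rp=fffffe800062c680 addr=18 occurred in module "genunix"
pid=1540, pc=0xfffffffffba20d84, sp=0xfffffe800062c770, eflags=0x10282
cr2: 18 cr3: 8541000 cr8: c
        rdi:               18 rsi:                2 rdx: ffffffff847298a8
"""
STACK = """\
fffffe800062c680 unix:cmntrap+140 ()
fffffe800062c790 genunix:anon_decref+24 ()
fffffe800062c7d0 genunix:anon_free+6d ()
"""
DIS = """\
anon_decref:                    pushq  %rbp
anon_decref+0x18:               movq   %rdi,%r13
anon_decref+0x24:               movq   (%rdi),%rax
"""

def parse_regs(panic):
    """Map register names to values from the 'name: hexvalue' pairs in the dump."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z0-9]{2,3}):\s+([0-9a-f]+)", panic)}

def faulting_frame(stack):
    """Return (function, offset) of the frame the trap handler (cmntrap) was entered from."""
    frames = re.findall(r"^\S+ \w+:(\w+)\+([0-9a-f]+) \(\)", stack, re.M)
    func, off = frames[[f for f, _ in frames].index("cmntrap") + 1]
    return func, int(off, 16)

def instruction_at(dis, func, off):
    """Find the disassembled instruction labelled func+0xOFF in ::dis output."""
    m = re.search(rf"^{re.escape(func)}\+0x{off:x}:\s+(.*)$", dis, re.M)
    return m.group(1) if m else None

def memory_operand(insn):
    """Return (base register, displacement) of the first memory operand, or None."""
    m = re.search(r"(-?(?:0x)?[0-9a-f]+)?\(%(\w+)", insn)
    return (m.group(2), int(m.group(1), 16) if m.group(1) else 0) if m else None

def triage(panic, stack, dis):
    """Check that the faulting instruction's memory operand explains addr= and %cr2."""
    regs = parse_regs(panic)
    fault_addr = int(re.search(r"addr=([0-9a-f]+)", panic).group(1), 16)
    func, off = faulting_frame(stack)
    base, disp = memory_operand(instruction_at(dis, func, off))
    return {"function": func, "fault_addr": fault_addr, "base_reg": base,
            "base_value": regs[base], "effective": regs[base] + disp,
            "matches": regs[base] + disp == fault_addr == regs.get("cr2")}
```

A base value of 0x18 with zero displacement shows the pointer itself was garbage rather than a field access through a NULL structure, which is what distinguishes this report from an ordinary NULL dereference.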
Work Around
N/A
Comments
N/A