OpenSolaris

Bug ID 6577279
Synopsis nl7c_logd_init causes kernel heap corruption when KMF_BUFTAG is enabled.
State 10-Fix Delivered (Fix available in build)
Category:Subcategory kernel:sockfs
Keywords rtiq_reviewed
Responsible Engineer George Shepherd
Reported Against
Duplicate Of
Introduced In
Commit to Fix s10u5_03
Fixed In s10u5_03
Release Fixed solaris_10u5(s10u5_03), solaris_nevada(snv_75) (Bug ID: 2150797)
Related Bugs 6500850
Submit Date 5-July-2007
Last Update Date 19-November-2007
Description
nl7c_logd_init causes kernel heap corruption when KMF_BUFTAG is enabled.
Panic stack is very similar to CR#6500850 but the cause is different.

panic string:   kernel heap corruption detected
==== panic user (LWP_SYS) thread: 0x3000996baa0  PID: 6492  on CPU: 0 ====
cmd: proxyd -r /opt/sun/proxyserver40 -d /opt/sun/proxyserver40/proxy-server2/config
t_procp: 0x3000bbeb8b0
  p_as: 0x30007766618  size: 55517184  rss: 19652608
  hat: 0x3000bacb198  cnum: 0x0  cpusran: 0
  zone: global
t_stk: 0x2a1012dfae0  sp: 0x185f791  t_stkbase: 0x2a1012da000
t_pri: 59(TS)  pctcpu: 0.000000
t_lwp: 0x30009fc8550  machpcb: 0x2a1012dfae0
  mstate: LMS_SYSTEM  ms_prev: LMS_SYSTEM
  ms_state_start: 0.0001722 seconds earlier
  ms_start: 1 minutes 19.1148241 seconds earlier
psrset: 0  last CPU: 0
idle: 3 ticks (0.03 seconds)
start: Fri May 18 12:00:26 2007
age: 79 seconds (1 minutes 19 seconds)
syscall: #3 read(, 0xfc28fc80) (sysent: genunix:read32+0x0)
tstate: TS_ONPROC - thread is being run on a processor
tflg:   T_PANIC - thread initiated a system panic
        T_DFLTSTK - stack is default size
tpflg:  TP_MSACCT - collect micro-state accounting information
tsched: TS_LOAD - thread is in memory
        TS_DONT_SWAP - thread/LWP should not be swapped
        TS_SIGNALLED - thread was awakened by cv_signal()
pflag:  SJCTL - SIGCLD sent when children stop/continue
        SMSACCT - process is keeping micro-state accounting
        SMSFORK - child inherits micro-state accounting

pc:      0x1061048      unix:panicsys+0x48:   call      unix:setjmp

unix:panicsys+0x48(0x11ed578, 0x2a1012df138, 0x1860160, 0x1, , , 0x80001602, , , , , , , , 0x11ed578, 0x2a1012df138)
unix:vpanic_common+0x78(0x11ed578, 0x2a1012df138, 0x50, 0x185a000, 0xc8, 0x2000)
unix:panic+0x1c(0x11ed578, 0x30003cf4388, 0x0, 0x30000096060, 0x1, 0x1872c00)
genunix:kmem_error+0x4b4(, 0x30000096008?, 0x30003cf4388?)
genunix:kmem_free(0x30003cf4388) - frame recycled
sockfs:nl7c_logd_init+0x718(0xf4240, 0x702129b8)
sockfs:nl7clogd_startup+0x44()
sockfs:nl7c_logd_log+0x4c(0x3000cde7840, 0x3000cde7e10, 0x464d1719, 0xc0a80a23)
sockfs:nl7c_parse+0x41c(0x30009efedb0, 0x80, 0x2a1012df694, , , 0x30004e346e7)
sockfs:nl7c_process+0x29c(0x30009efedb0, 0x80, , , 0x80, 0x32000a1)
sockfs:sotpi_recvmsg+0x100(0x30009efedb0, 0x2a1012df870, 0x2a1012dfa10)
sockfs:socktpi_read+0x44(0x3000bcec780, 0x2a1012dfa10, 0x0, 0x30008ea2010, 0x0)
genunix:fop_read+0x20(0x3000bcec780, 0x2a1012dfa10, 0x0, , 0x0)
genunix:read+0x274(0x17)
unix:syscall_trap32+0xcc()

This occurs only when KMF_BUFTAG is enabled.
Without this flag, a minor memory leak should occur.
Work Around
N/A
Comments
N/A