panic in g_io_schedule_down

Daniil Cherednik Mon, 24 Jun 2013 07:27:21 -0700

Hello. I have got panic, see attached file

We are using FreeBSD 8.3-amd64 but this part of code wasn`t modified inHEAD

part of disassembled code:


ffffffff803d88b8:       4c 8b 43 18             mov    0x18(%rbx),%r8
ffffffff803d88bc:       89 c6                   mov    %eax,%esi
ffffffff803d88be:       4c 89 c2                mov    %r8,%rdx
ffffffff803d88c1:       4c 89 c0                mov    %r8,%rax
ffffffff803d88c4:       48 c1 fa 3f             sar    $0x3f,%rdx
ffffffff803d88c8:       48 f7 fe                idiv   %rsi
ffffffff803d88cb:       48 85 d2                test   %rdx,%rdx

ffffffff803d88ce: 0f 85 29 01 00 00 jne ffffffff803d89fd<g_io_schedule_down+0x21d>

ffffffff803d88d4:       48 8b 93 90 00 00 00    mov    0x90(%rbx),%rdx
ffffffff803d88db:       48 89 d0                mov    %rdx,%rax
ffffffff803d88de:       48 c1 fa 3f             sar    $0x3f,%rdx
ffffffff803d88e2:       48 f7 fe                idiv   %rsi
ffffffff803d88e5:       48 85 d2                test   %rdx,%rdx

ffffffff803d88e8: 0f 85 0f 01 00 00 jne ffffffff803d89fd<g_io_schedule_down+0x21d>

ffffffff803d88ee:       4d 85 c0                test   %r8,%r8

ffffffff803d88f1: 78 05 js ffffffff803d88f8<g_io_schedule_down+0x118>

ffffffff803d88f3:       4d 39 c1                cmp    %r8,%r9

ffffffff803d88f6: 7d 60 jge ffffffff803d8958<g_io_schedule_down+0x178>

ffffffff803d88f8:       be 05 00 00 00          mov    $0x5,%esi
ffffffff803d88fd:       66                      data16
ffffffff803d88fe:       66                      data16
ffffffff803d88ff:       90                      nop
ffffffff803d8900:       48 89 df                mov    %rbx,%rdi

ffffffff803d8903: e8 68 f7 ff ff callq ffffffff803d8070<g_io_deliver>ffffffff803d8908: e9 e3 fe ff ff jmpq ffffffff803d87f0<g_io_schedule_down+0x10>

ffffffff803d890d:       66                      data16
ffffffff803d890e:       66                      data16
ffffffff803d890f:       90                      nop
ffffffff803d8910:       44 8b 5a 34             mov    0x34(%rdx),%r11d
ffffffff803d8914:       45 85 db                test   %r11d,%r11d

g_io_check function was inlined and quite good optimized. But it looklike we have possibility to get access to wrong address ing_io_check(struct bio *bp) function here:


        if (cp->acr == 0)
               return (EPERM);
        break;
case BIO_WRITE:
case BIO_DELETE:
case BIO_FLUSH:
       if (cp->acw == 0)
               return (EPERM);
       break;
default:
return (EPERM);

for example in g_io_deliver we have additional checking:

cp = bp->bio_from;
if (cp == NULL) {
        bp->bio_error = error;
        bp->bio_done(bp);
        return;
}

also in this function we have KASSERTed bp and pp. So the question isin which case bio_from can be equal to null? Do we have to do someadditional checks in g_io_check?

<<attachment: panic-g_io_schedule_down.gif>>

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"

panic in g_io_schedule_down

Reply via email to