DragonFly 3.6-RELEASE: how to crash the kernel from userland
Nelson H. F. Beebe
beebe at math.utah.edu
Thu Jul 17 14:08:40 PDT 2014
I run DragonFly 3.6-RELEASE (and also 3.4) on VMware ESX on Sun AMD64
hardware, along with dozens of other virtual machines.
Today, I found out how to reliably, and reproducibly, crash the 3.6
kernel from a user process: build GNU rcs-5.9.1 or rcs-5.9.2, available
at
ftp://ftp.gnu.org/gnu/rcs/
There is a kernel panic immediately after this report from the
configure run:
checking signal received if referencing nonexistent part of mmapped file...
I cannot capture the exact panic report easily from the VMware
console, which puts me into a debugger with prompt "db>", at which
typing "reset" reboots the system.
After the reboot, examination of /var/log/messages shows something
similar to what I saw in the VMware console window:
Jul 17 14:52:47 xxx syslogd: kernel boot file is /boot/kernel/kernel
Jul 17 14:52:47 xxx kernel: pid 23179 (conftest), uid 887: exited on signal 11
Jul 17 14:52:47 xxx kernel: panic: assertion "ref >= &td->td_toks_base && ref->tr_tok == tok" failed in lwkt_reltoken at /build/home/justin/src/sys/kern/lwkt_token.c:812
Jul 17 14:52:47 xxx kernel: cpuid = 0
Jul 17 14:52:47 xxx kernel: Trace beginning at frame 0xffffffe05ce377d8
Jul 17 14:52:47 xxx kernel: panic() at panic+0x223 0xffffffff80561c0c
Jul 17 14:52:47 xxx kernel: panic() at panic+0x223 0xffffffff80561c0c
Jul 17 14:52:47 xxx kernel: lwkt_reltoken() at lwkt_reltoken+0x5d 0xffffffff80575f98
Jul 17 14:52:47 xxx kernel: sigexit() at sigexit+0xce 0xffffffff80564a78
Jul 17 14:52:47 xxx kernel: postsig() at postsig+0x1c7 0xffffffff80564c46
Jul 17 14:52:47 xxx kernel: userret() at userret+0x18d 0xffffffff8092ed6d
Jul 17 14:52:47 xxx kernel: trap() at trap+0x6b4 0xffffffff8092fb4c
Jul 17 14:52:47 xxx kernel: calltrap() at calltrap+0x9 0xffffffff80919bef
Jul 17 14:52:47 xxx kernel: --- trap 000000000000000c, rip = 0000000000400ab4, rsp = ffffffe05ce37ab0, rbp = 00007fffffffe990 ---
Jul 17 14:52:47 xxx kernel: kernmxps() at 0x400ab4 0x400ab4
Jul 17 14:52:47 xxx kernel: kernmxps() at 0x400926 0x400926
Jul 17 14:52:47 xxx kernel: Debugger("panic")
Jul 17 14:52:47 xxx kernel:
Jul 17 14:52:47 xxx kernel: CPU0 stopping CPUs: 0x00000000
Jul 17 14:52:47 xxx kernel: stopped
Can anyone reproduce this crash on physical hardware?
Builds of the two named releases of GNU rcs on DragonFly BSD 3.4 work
just fine.
All of the files in /boot/kernel on my 3.6 system are dated
20-Feb-2014 14:47, and the panic persists even after running
pkg update
pkg upgrade
to ensure that all software components are current (as expected,
because the kernel files themselves do not change).
-------------------------------------------------------------------------------
- Nelson H. F. Beebe Tel: +1 801 581 5254 -
- University of Utah FAX: +1 801 581 4148 -
- Department of Mathematics, 110 LCB Internet e-mail: beebe at math.utah.edu -
- 155 S 1400 E RM 233 beebe at acm.org beebe at computer.org -
- Salt Lake City, UT 84112-0090, USA URL: http://www.math.utah.edu/~beebe/ -
-------------------------------------------------------------------------------
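Added example (not part of the original post and not DragonFly project code): a small triage script that pulls the assertion, the triggering process and the de-duplicated kernel stack out of a panic excerpt like the one above. The sample lines are copied from the post; the function name triage, the same-second attribution of the panic to the exited process, and the lower-half test for a user-mode rip are assumptions of this example.

```python
import re

# Sample input: lines copied from the /var/log/messages excerpt in the post above.
SAMPLE = """\
Jul 17 14:52:47 xxx kernel: pid 23179 (conftest), uid 887: exited on signal 11
Jul 17 14:52:47 xxx kernel: panic: assertion "ref >= &td->td_toks_base && ref->tr_tok == tok" failed in lwkt_reltoken at /build/home/justin/src/sys/kern/lwkt_token.c:812
Jul 17 14:52:47 xxx kernel: panic() at panic+0x223 0xffffffff80561c0c
Jul 17 14:52:47 xxx kernel: panic() at panic+0x223 0xffffffff80561c0c
Jul 17 14:52:47 xxx kernel: lwkt_reltoken() at lwkt_reltoken+0x5d 0xffffffff80575f98
Jul 17 14:52:47 xxx kernel: sigexit() at sigexit+0xce 0xffffffff80564a78
Jul 17 14:52:47 xxx kernel: postsig() at postsig+0x1c7 0xffffffff80564c46
Jul 17 14:52:47 xxx kernel: --- trap 000000000000000c, rip = 0000000000400ab4, rsp = ffffffe05ce37ab0, rbp = 00007fffffffe990 ---
"""

KMSG = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ kernel: (.*)$")
EXIT = re.compile(r"pid (\d+) \((\S+)\), uid (\d+): exited on signal (\d+)")
PANIC = re.compile(r'panic: assertion "(.*)" failed in (\w+) at (\S+):(\d+)')
FRAME = re.compile(r"(\w+)\(\) at \S+ 0x[0-9a-f]+$")
TRAP = re.compile(r"--- trap ([0-9a-f]+), rip = ([0-9a-f]+)")

def triage(text):
    """Return one dict per panic: who triggered it, where it asserted, kernel stack."""
    reports, last_exit, cur = [], None, None
    for line in text.splitlines():
        m = KMSG.match(line)
        if not m:
            continue
        stamp, msg = m.groups()
        if (e := EXIT.search(msg)):
            last_exit = (stamp, e)
        elif (p := PANIC.search(msg)):
            cur = {"time": stamp, "function": p[2], "source": f"{p[3]}:{p[4]}",
                   "assertion": p[1], "stack": [], "process": None, "user_rip": None}
            # Assumption: a process that died in the same second triggered the panic.
            if last_exit and last_exit[0] == stamp:
                e = last_exit[1]
                cur["process"] = {"pid": int(e[1]), "comm": e[2],
                                  "uid": int(e[3]), "signal": int(e[4])}
            reports.append(cur)
        elif cur and (t := TRAP.search(msg)):
            rip = int(t[2], 16)
            # Assumption: a rip in the lower canonical half is a user-mode address.
            cur["user_rip"] = rip if rip < 0x0000800000000000 else None
            cur = None  # frames after the trap marker are not kernel frames
        elif cur and (f := FRAME.search(msg)):
            if not cur["stack"] or cur["stack"][-1] != f[1]:  # drop repeated frame
                cur["stack"].append(f[1])
    return reports
```

Calling triage() on a saved copy of /var/log/messages returns one record per panic, which makes it easy to see whether repeated crashes share the same assertion and the same triggering program.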