# Panic in syscall



## abonege (May 6, 2015)

Dear,

I just upgraded my code base from FreeBSD 7.0 to FreeBSD 10.1, but sometimes it panics in a syscall (my user-defined syscall).
The panic reason is always the same: accessing userland memory in the syscall.
There was no issue at all in 7.0, but on FreeBSD 10 it always occurs, especially when running with high CPU load.


```
int
sys_uproxy_get_next_event(struct thread *td, struct uproxy_get_next_event_args *uap)
{
    .................

    if (uap->cpuid == KML_MODULE_CACHE_ID) {
        error = ucache_read_q(&eh, uap->howmany, uap->cpuid, uap->timeout);
    } else {
        error = uproxy_read_q(&eh, uap->howmany, uap->cpuid, uap->timeout);
    }

    if (!error) {
        *uap->eh = eh;  /* <--------- panic here */
    }
    .................
}
```


```
Unread portion of the kernel message buffer:
interrupt enabled, resume, IOPL = 0
current process         = 42946 (uproxy)
trap number             = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe015a245580
kdb_backtrace() at kdb_backtrace+0x39/frame 0xfffffe015a245630
panic() at panic+0x166/frame 0xfffffe015a2456b0
trap_fatal() at trap_fatal+0x38f/frame 0xfffffe015a245710
trap_pfault() at trap_pfault+0x308/frame 0xfffffe015a2457b0
trap() at trap+0x47a/frame 0xfffffe015a2459c0
calltrap() at calltrap+0x8/frame 0xfffffe015a2459c0
--- trap 0xc, rip = 0xffffffff8098adc2, rsp = 0xfffffe015a245a80, rbp = 0xfffffe015a245ae0 ---
sys_uproxy_get_next_event() at sys_uproxy_get_next_event+0x6f2/frame 0xfffffe015a245ae0
amd64_syscall() at amd64_syscall+0x325/frame 0xfffffe015a245bf0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe015a245bf0

0xffffffff8098adb3 <sys_uproxy_get_next_event+1763>: mov WORD PTR [rax+0x20e7f8],r14w
0xffffffff8098adbb <sys_uproxy_get_next_event+1771>: mov rax,QWORD PTR [rbp-0x38]
0xffffffff8098adbf <sys_uproxy_get_next_event+1775>: mov rax,QWORD PTR [rax]
0xffffffff8098adc2 <sys_uproxy_get_next_event+1778>: mov QWORD PTR [rax],r15 <----------
0xffffffff8098adc5 <sys_uproxy_get_next_event+1781>: mov rax,QWORD PTR [rbp-0x30]
0xffffffff8098adc9 <sys_uproxy_get_next_event+1785>: mov QWORD PTR [rax+0x380],0x0
0xffffffff8098add4 <sys_uproxy_get_next_event+1796>: xor eax,eax

(kgdb) info reg
rax 0x7fffffffec20 140737488350240 <------------
rbx 0x3e8 1000
rcx 0x0 0
rdx 0xffffffff8dc28978 -1916630664
rsi 0xfffff8010a138490 -8791629003632
rdi 0x0 0
rbp 0xfffffe015a245ae0 0xfffffe015a245ae0


if (!error) {
*uap->eh = eh; <--------------
}
```


----------



## abonege (May 6, 2015)

Is there any difference between FreeBSD 7.0 and FreeBSD 10.0 in how syscalls work?


----------



## SirDice (May 6, 2015)

I'm not much of a programmer, but the failure probably occurs when uap isn't pointing to a valid structure, i.e. it's a dangling pointer. There shouldn't be too much of a difference in the way syscalls are handled, but I can imagine an error condition that didn't happen on 7.0 but may happen on 10.1.
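What the backtrace and registers show is not a bad `uap` but a bad store through `uap->eh`: the faulting instruction is `mov QWORD PTR [rax],r15` with rax = 0x7fffffffec20, a userland stack address, so `*uap->eh = eh` is writing straight into the caller's memory from kernel mode. That is never safe in FreeBSD: user pages may not be resident, and the amd64 trap handler treats a kernel-mode fault on a user address with no `pcb_onfault` handler registered as a kernel bug and goes straight to `trap_fatal()` (the `trap_pfault` to `trap_fatal` sequence in the backtrace), rather than faulting the page in as older kernels did. It is also a security hole: the pointer is chosen by the caller, and a kernel address passed as `eh` turns the syscall into an arbitrary kernel write. The fix is `copyout()`, which range-checks the destination against `VM_MAXUSER_ADDRESS` and turns any fault into `EFAULT`. Below is an added example of the handler written that way; it is not the poster's code. The struct layouts, the `uproxy_read_q()` stand-in and the userland model of `copyout()` are assumptions so the handler can be compiled and exercised outside the kernel (build with `-D_KERNEL` in a module to use the real headers and the real `copyout()`).

```c
/*
 * Added example, not the poster's code: hand the event back to userland with
 * copyout() instead of "*uap->eh = eh".  Struct layouts, the queue stand-in and
 * the userland copyout() model are assumptions so the handler runs outside the
 * kernel; build with -D_KERNEL inside a module to use the real headers.
 */
#ifdef _KERNEL
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/proc.h>
#else
#include <errno.h>
#include <stdint.h>
#include <string.h>

struct thread { int td_unused; };	/* stand-in for the kernel's struct thread */

/*
 * Model of copyout() for userland builds: rejects NULL and any address in the
 * upper half of the address space (the kernel half on 64-bit systems), then
 * copies.  The real copyout() checks VM_MAXUSER_ADDRESS and also recovers from
 * page faults via pcb_onfault; this model cannot catch faults, so it only
 * demonstrates the range check and the "EFAULT instead of panic" contract.
 */
static int
copyout(const void *kaddr, void *uaddr, size_t len)
{
	uintptr_t start = (uintptr_t)uaddr;
	uintptr_t kernel_half = (uintptr_t)1 << (sizeof(uintptr_t) * 8 - 1);

	if (uaddr == NULL || start >= kernel_half || len > kernel_half - start)
		return (EFAULT);
	memcpy(uaddr, kaddr, len);
	return (0);
}
#endif /* _KERNEL */

/* Assumed layouts; the post does not show them. */
struct uproxy_event {
	uint32_t type;
	uint32_t cpuid;
	uint64_t payload;
};

struct uproxy_get_next_event_args {
	struct uproxy_event *eh;	/* userland pointer: never dereference in-kernel */
	int howmany;
	int cpuid;
	int timeout;
};

/* Constructed stand-in for the post's uproxy_read_q(): always yields one event. */
static int
uproxy_read_q(struct uproxy_event *eh, int howmany, int cpuid, int timeout)
{
	(void)howmany; (void)timeout;
	eh->type = 1;
	eh->cpuid = (uint32_t)cpuid;
	eh->payload = 0xfeedULL;
	return (0);
}

int
sys_uproxy_get_next_event(struct thread *td, struct uproxy_get_next_event_args *uap)
{
	struct uproxy_event eh;
	int error;

	(void)td;
	error = uproxy_read_q(&eh, uap->howmany, uap->cpuid, uap->timeout);
	if (error != 0)
		return (error);
	/*
	 * uap->eh is an address chosen by the caller.  Storing through it
	 * directly ("*uap->eh = eh") is a kernel-mode access to user memory
	 * with no fault handler: the page may not be resident (the trap 12 in
	 * the post, rax = 0x7fffffffec20), and a kernel address passed as eh
	 * becomes an arbitrary kernel write.  copyout() range-checks the
	 * destination and turns any fault into EFAULT.
	 */
	return (copyout(&eh, uap->eh, sizeof(eh)));
}

#ifndef _KERNEL
struct uproxy_event user_buf;	/* constructed "user" buffer for the self-test */

/* Scenario 1: a valid user buffer; returns 0 and fills user_buf. */
int
demo_valid_buffer(void)
{
	struct thread td = { 0 };
	struct uproxy_get_next_event_args uap = { &user_buf, 1, 3, 1000 };

	return (sys_uproxy_get_next_event(&td, &uap));
}

/* Scenario 2: the caller passes the post's faulting kernel rip as eh;
 * the raw store would write into kernel text, copyout() refuses. */
int
demo_kernel_address(void)
{
	struct thread td = { 0 };
	struct uproxy_get_next_event_args uap = {
		(struct uproxy_event *)(uintptr_t)0xffffffff8098adc2ULL, 1, 3, 1000
	};

	return (sys_uproxy_get_next_event(&td, &uap));
}
#endif /* !_KERNEL */
```

The same rule applies in the other direction: anything the syscall reads from a user pointer (not just the scalar arguments the syscall stub already copies into `uap`) has to come in through `copyin()`, `fubyte()`/`fuword()` and friends, never a direct load. For large or optional buffers, check the error return of every copy rather than the pointer value, since a non-NULL user pointer says nothing about whether the page is mapped.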


----------

