
Fix kernel panic when trying to free null lock #486

Merged
merged 2 commits into from Mar 14, 2019

nevermoe (Contributor) commented Mar 11, 2019

In some rare cases, when loading the kext and the initializing phase fails, pmem_cleanup will always be called. And pmem_cleanup will always call pmem_meta_cleanup, which tries to free pmem_cached_info_lock in any case. If pmem_cached_info_lock hasn't been initialized before, the call to lck_rw_free will cause a kernel panic. This bug occurs on my machine and causes my Mac to restart from time to time. It's better to have it fixed, because when you try to dump the memory of a Mac and it panics, all the memory is gone.

googlebot commented Mar 11, 2019

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here (e.g. I signed it!) and we'll verify it.


nevermoe (Contributor, Author) commented Mar 11, 2019

I signed it!

googlebot commented Mar 11, 2019

We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google.
In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again. If the bot doesn't comment, it means it doesn't think anything has changed.


nevermoe added some commits Mar 11, 2019


@nevermoe nevermoe force-pushed the nevermoe:master branch from a380d29 to a77732f Mar 11, 2019

googlebot commented Mar 11, 2019

CLAs look good, thanks!


effolkronium commented Mar 13, 2019

Can you please share panic report?

nevermoe (Contributor, Author) commented Mar 14, 2019

@effolkronium hi, this is the panic report:

Anonymous UUID:       F5807C4F-B57A-5236-65F0-3C2C7C5858B8

Fri Feb 22 16:37:52 2019

*** Panic Report ***
panic(cpu 0 caller 0xffffff8018f8776f): Kernel trap at 0xffffff8018f7e99a, type 14=page fault, registers:
CR0: 0x0000000080010033, CR2: 0x0000000000000004, CR3: 0x0000000039f6418c, CR4: 0x00000000003627e0
RAX: 0xb33253d2feee0013, RBX: 0x0000000000000000, RCX: 0x0100000100000000, RDX: 0x0000000100000000
RSP: 0xffffff921b4dbb20, RBP: 0xffffff921b4dbb50, RSI: 0xffffff80708d5800, RDI: 0x0000000000000000
R8:  0x0000001a11cef494, R9:  0xffffff81e83c4dd0, R10: 0x0000020000011000, R11: 0x0000000000000000
R12: 0x0000000000000000, R13: 0x0000000000000006, R14: 0x0000000000000000, R15: 0xffffff804e69a360
RFL: 0x0000000000010282, RIP: 0xffffff8018f7e99a, CS:  0x0000000000000008, SS:  0x0000000000000010
Fault CR2: 0x0000000000000004, Error code: 0x0000000000000000, Fault CPU: 0x0, PL: 0, VF: 0

Backtrace (CPU 0), Frame : Return Address
0xffffff921b4db5f0 : 0xffffff8018e6c1c6 
0xffffff921b4db640 : 0xffffff8018f95274 
0xffffff921b4db680 : 0xffffff8018f87544 
0xffffff921b4db6f0 : 0xffffff8018e1e1e0 
0xffffff921b4db710 : 0xffffff8018e6bc3c 
0xffffff921b4db840 : 0xffffff8018e6b9fc 
0xffffff921b4db8a0 : 0xffffff8018f8776f 
0xffffff921b4dba10 : 0xffffff8018e1e1e0 
0xffffff921b4dba30 : 0xffffff8018f7e99a 
0xffffff921b4dbb50 : 0xffffff7f9d6f5a6a 
0xffffff921b4dbb60 : 0xffffff7f9d6f4ca3 
0xffffff921b4dbb80 : 0xffffff8019420136 
0xffffff921b4dbbe0 : 0xffffff801941d2e3 
0xffffff921b4dbc50 : 0xffffff801942a384 
0xffffff921b4dbca0 : 0xffffff801942a16f 
0xffffff921b4dbd00 : 0xffffff801943b982 
0xffffff921b4dbd70 : 0xffffff8018ec1075 
0xffffff921b4dbdc0 : 0xffffff8018e716e0 
0xffffff921b4dbe10 : 0xffffff8018e4ea3d 
0xffffff921b4dbe60 : 0xffffff8018e6154b 
0xffffff921b4dbef0 : 0xffffff8018f7171d 
0xffffff921b4dbfa0 : 0xffffff8018e1e9e6 
      Kernel Extensions in backtrace:
         com.google.MacPmem(1.0)[55994DA3-8B4B-37EB-81A3-AB99E1282335]@0xffffff7f9d6f4000->0xffffff7f9d6f9fff

BSD process name corresponding to current thread: kextutil

Mac OS version:
17G65

Kernel version:
Darwin Kernel Version 17.7.0: Thu Jun 21 22:53:14 PDT 2018; root:xnu-4570.71.2~1/RELEASE_X86_64
Kernel UUID: 1AE5ACFD-3B6F-3D74-AD52-31F1430DBC6F
Kernel slide:     0x0000000018c00000
Kernel text base: 0xffffff8018e00000
__HIB  text base: 0xffffff8018d00000
System model name: MacBookPro14,3 (Mac-551B86E5744E2388)

System uptime in nanoseconds: 104944681973102
last loaded kext at 104944679749184: com.google.MacPmem	1 (addr 0xffffff7f9d6f4000, size 24576)
last unloaded kext at 104781435560236: com.apple.driver.usb.cdc.acm	5.0.0 (addr 0xffffff7f9d6f4000, size 57344)
loaded kexts:

EOF

The address 0xffffff7f9d6f5a6a is one instruction below call _lck_rw_free in function _pmem_meta_cleanup, which means the kernel panicked during the call to _lck_rw_free in function _pmem_meta_cleanup. And the address 0xffffff7f9d6f4ca3 is one instruction below call _pmem_meta_cleanup in function _pmem_cleanup. (I was using the latest release of osxpmem, from 2016.)

And the address 0xffffff801941d2e3 seems to be the kernel's OSKext::load function, which means this panic happened in the kext loading phase.

scudette (Collaborator) commented Mar 14, 2019

It's kind of weird because the C library free function is supposed to accept a null (https://stackoverflow.com/questions/1938735/does-freeptr-where-ptr-is-null-corrupt-memory/1938758), but maybe _lck_rw_free does not.

Anyway, this is good detective work! Unfortunately we cannot rebuild the driver because I don't know anyone with a code signing cert for Apple.

@scudette scudette merged commit 7dd3594 into google:master Mar 14, 2019

1 check passed

cla/google All necessary CLAs are signed

nevermoe (Contributor, Author) commented Mar 14, 2019

@scudette

It's kind of weird because the C library free function is supposed to accept a null (https://stackoverflow.com/questions/1938735/does-freeptr-where-ptr-is-null-corrupt-memory/1938758), but maybe _lck_rw_free does not.

Yeah, right. So I tried to call pmem_cleanup manually before pmem_cached_info_lock was initialized, and the kernel panicked at exactly the same location. So I assume null is not acceptable for _lck_rw_free.

nevermoe (Contributor, Author) commented Mar 14, 2019

https://github.com/apple/darwin-xnu/tree/xnu-4570.71.2/osfmk/i386#L887
I found that lck_rw_free will call lck_rw_destroy, which uses lck without checking whether it is NULL. And this is probably the cause of the panic.
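As an added illustration (not MacPmem's or the author's code), here is a userland C model of the init/cleanup ordering described in the opening comment and of the unchecked NULL dereference explained just above: sim_lck_rw_free stands in for lck_rw_free/lck_rw_destroy and returns -1 where the kernel would page-fault, and pmem_start, pmem_meta_cleanup_unfixed and pmem_meta_cleanup_fixed are hypothetical names chosen for the example.

```c
/* Added example, not MacPmem's own code: models the init/cleanup ordering
 * from the discussion in plain userland C so it compiles anywhere.
 * sim_lck_rw_free stands in for XNU's lck_rw_free -> lck_rw_destroy, which
 * dereferences the lock unconditionally; here that becomes an error return
 * instead of a page fault. All names below are assumptions for illustration. */
#include <stdlib.h>

typedef struct { int initialized; } sim_lck_rw_t;

static sim_lck_rw_t *sim_lck_rw_alloc_init(void) {
    sim_lck_rw_t *l = calloc(1, sizeof *l);
    if (l) l->initialized = 1;
    return l;
}

/* Returns 0 on success, -1 where the real kernel would fault on a NULL lock. */
static int sim_lck_rw_free(sim_lck_rw_t *lck) {
    if (lck == NULL) return -1;   /* lck_rw_destroy reads lck->... here */
    lck->initialized = 0;
    free(lck);
    return 0;
}

/* Driver state as in the report: the lock stays NULL until meta init runs. */
static sim_lck_rw_t *pmem_cached_info_lock = NULL;

/* Before the fix: frees the lock whether or not it was ever created. */
static int pmem_meta_cleanup_unfixed(void) {
    return sim_lck_rw_free(pmem_cached_info_lock);
}

/* After the fix: skip the free when init never ran, and clear the pointer
 * so a second cleanup does not free the lock twice. */
static int pmem_meta_cleanup_fixed(void) {
    if (pmem_cached_info_lock == NULL) return 0;
    int rc = sim_lck_rw_free(pmem_cached_info_lock);
    pmem_cached_info_lock = NULL;
    return rc;
}

/* Simulates kext start: init_ok=0 models a failure before meta init, the
 * path where pmem_cleanup runs against a never-initialized lock. */
static int pmem_start(int init_ok, int fixed) {
    pmem_cached_info_lock = NULL;
    if (init_ok) pmem_cached_info_lock = sim_lck_rw_alloc_init();
    return fixed ? pmem_meta_cleanup_fixed() : pmem_meta_cleanup_unfixed();
}
```

Calling pmem_start(0, 0) returns -1 (the path that panicked), while pmem_start(0, 1) returns 0 because the guarded cleanup never hands a NULL lock to the free routine.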
