Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 10 replies
  • Subscribers 6 subscribers
  • Views 22213 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos related kernel panic

brvx

Wondering how this can be explained: Just after using Disk Utility Restore to put an image of an EFI Apple Service Diagnostic on a flash drive. (Btw, scanned the ASD dmg and its mounted image beforehand with Sophos, and it gave it a clean bill of health. The restore went perfectly fine (the ASD appears as a bootable volume from the starup manager), which the DU log shows, except, curiously, the destination turned blank just after the restore finished and a few seconds later it KPed.

Wonder if Sophos InterCheck got into the middle of things causing the KP? Subsequent mounting of the ASD volume does not cause a KP. This appears to have been a one off event.

The backtrace from the panic log appears to be the tipoff.

Kernel Extensions in backtrace:
      com.sophos.kext.sav(9.0.11)[00000000-0000-0000-0000-000000000000]@0xffffff7f8b17d000->0xffffff7f8b181fff

Seems to be USB kext related (DU restore to USB flash drive).

last loaded kext at 428532771928: com.apple.driver.AppleUSBCDC    4.1.23 (addr 0xffffff7f8ce54000, size 16384)

last unloaded kext at 543438186261: com.apple.driver.AppleUSBCDC    4.1.23 (addr 0xffffff7f8ce54000, size 12288)

Here is the full panic log. (Never had a KP before from Sophos, and never from Little Snitch or Bresink/Hardware Monitor. In fact, this is the very first KP on this Mac in four + years).

Thu Aug 14 09:09:29 2014
panic(cpu 0 caller 0xffffff800acf7ab2): "vnode_rele_ext: vp 0xffffff802e5813e0 usecount -ve : -1.  v_tag = 16, v_type = 1, v_flag = 84800."@/SourceCache/xnu/xnu-2050.48.12/bsd/vfs/vfs_subr.c:1788
Backtrace (CPU 0), Frame : Return Address
0xffffff816499b600 : 0xffffff800ac1d636
0xffffff816499b670 : 0xffffff800acf7ab2
0xffffff816499b6b0 : 0xffffff7f8b17e762
0xffffff816499b6d0 : 0xffffff7f8b17df54
0xffffff816499ba00 : 0xffffff7f8b17feb3
0xffffff816499ba40 : 0xffffff800af48dc1
0xffffff816499baa0 : 0xffffff800acfc6ee
0xffffff816499baf0 : 0xffffff800ad103ee
0xffffff816499bb90 : 0xffffff800ad02bc9
0xffffff816499bc40 : 0xffffff800ad03394
0xffffff816499bf50 : 0xffffff800afe97ba
0xffffff816499bfb0 : 0xffffff800accf453
      Kernel Extensions in backtrace:
         com.sophos.kext.sav(9.0.11)[00000000-0000-0000-0000-000000000000]@0xffffff7f8b17d000->0xffffff7f8b181fff

BSD process name corresponding to current thread: mds

Mac OS version:
12F45

Kernel version:
Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64
Kernel UUID: EA38B02E-2B88-309F-BA68-1DE29F605DD8
Kernel slide:     0x000000000aa00000
Kernel text base: 0xffffff800ac00000
System model name: iMac10,1 (Mac-F2268CC8)

System uptime in nanoseconds: 697371228172
last loaded kext at 428532771928: com.apple.driver.AppleUSBCDC    4.1.23 (addr 0xffffff7f8ce54000, size 16384)
last unloaded kext at 543438186261: com.apple.driver.AppleUSBCDC    4.1.23 (addr 0xffffff7f8ce54000, size 12288)
loaded kexts:
com.sophos.kext.sav    9.0.11
com.bresink.driver.BRESINKx86Monitoring    9.0
com.sophos.nke.swi    9.0.3
at.obdev.nke.LittleSnitch    2.5.4
com.apple.driver.AppleBluetoothMultitouch    75.19
com.apple.driver.AppleHWSensor    1.9.5d0
com.apple.driver.AGPM    100.13.14
com.apple.iokit.IOBluetoothSerialManager    4.1.7f2
com.apple.driver.AudioAUUC    1.60
com.apple.filesystems.autofs    3.0
com.apple.driver.AppleHDA    2.4.7fc4
com.apple.driver.AppleMikeyHIDDriver    124
com.apple.iokit.IOUserEthernet    1.0.0d1
com.apple.driver.AppleMikeyDriver    2.4.7fc4
com.apple.Dont_Steal_Mac_OS_X    7.0.0
com.apple.driver.ApplePolicyControl    3.4.5
com.apple.driver.AppleSMBusPCI    1.0.11d1
com.apple.driver.AppleLPC    1.6.3
com.apple.driver.AppleUpstreamUserClient    3.5.12
com.apple.GeForce    8.1.6
com.apple.iokit.BroadcomBluetoothHostControllerUSBTransport    4.1.7f4
com.apple.driver.ACPI_SMC_PlatformPlugin    1.0.0
com.apple.driver.AppleBacklight    170.3.5
com.apple.driver.AppleMCCSControl    1.1.11
com.apple.driver.AppleIRController    320.15
com.apple.driver.AppleUSBCardReader    3.3.1
com.apple.driver.Oxford_Semi    3.3.1
com.apple.AppleFSCompression.AppleFSCompressionTypeDataless    1.0.0d1
com.apple.AppleFSCompression.AppleFSCompressionTypeZlib    1.0.0d1
com.apple.BootCache    34
com.apple.iokit.SCSITaskUserClient    3.5.6
com.apple.driver.XsanFilter    404
com.apple.iokit.IOAHCIBlockStorage    2.3.5
com.apple.driver.AirPort.Atheros40    600.72.2
com.apple.driver.AppleUSBHub    635.4.0
com.apple.driver.AppleFWOHCI    4.9.9
com.apple.driver.AppleRTC    1.5
com.apple.driver.AppleAHCIPort    2.6.6
com.apple.nvenet    2.0.19
com.apple.driver.AppleUSBEHCI    621.4.6
com.apple.driver.AppleUSBOHCI    621.4.0
com.apple.driver.AppleHPET    1.8
com.apple.driver.AppleACPIButtons    1.8
com.apple.driver.AppleSMBIOS    1.9
com.apple.driver.AppleACPIEC    1.8
com.apple.driver.AppleAPIC    1.7
com.apple.driver.AppleIntelCPUPowerManagementClient    214.0.0
com.apple.nke.applicationfirewall    4.0.39
com.apple.security.quarantine    2.1
com.apple.driver.AppleIntelCPUPowerManagement    214.0.0
com.apple.driver.IOBluetoothHIDDriver    4.1.7f2
com.apple.driver.AppleMultitouchDriver    237.4
com.apple.iokit.IOSerialFamily    10.0.6
com.apple.kext.triggers    1.0
com.apple.driver.DspFuncLib    2.4.7fc4
com.apple.iokit.IOSurface    86.0.4
com.apple.iokit.IOBluetoothFamily    4.1.7f2
com.apple.nvidia.nv50hal    8.1.6
com.apple.NVDAResman    8.1.6
com.apple.iokit.IOFireWireIP    2.2.5
com.apple.iokit.IOBluetoothHostControllerUSBTransport    4.1.7f2
com.apple.driver.AppleUSBAudio    2.9.3f3
com.apple.iokit.IOAudioFamily    1.9.2fc7
com.apple.kext.OSvKernDSPLib    1.12
com.apple.driver.AppleSMC    3.1.5d4
com.apple.driver.IOPlatformPluginLegacy    1.0.0
com.apple.driver.IOPlatformPluginFamily    5.4.1d13
com.apple.driver.AppleHDAController    2.4.7fc4
com.apple.iokit.IOHDAFamily    2.4.7fc4
com.apple.driver.AppleGraphicsControl    3.4.5
com.apple.driver.AppleBacklightExpert    1.0.4
com.apple.driver.AppleSMBusController    1.0.11d1
com.apple.iokit.IONDRVSupport    2.3.7
com.apple.iokit.IOGraphicsFamily    2.3.7
com.apple.iokit.IOUSBHIDDriver    623.4.0
com.apple.iokit.IOSCSIBlockCommandsDevice    3.5.6
com.apple.iokit.IOUSBMassStorageClass    3.5.2
com.apple.iokit.IOFireWireSerialBusProtocolTransport    2.1.1
com.apple.iokit.IOFireWireSBP2    4.2.5
com.apple.driver.AppleUSBMergeNub    621.4.6
com.apple.driver.AppleUSBComposite    621.4.0
com.apple.iokit.IOSCSIMultimediaCommandsDevice    3.5.6
com.apple.iokit.IOBDStorageFamily    1.7
com.apple.iokit.IODVDStorageFamily    1.7.1
com.apple.iokit.IOCDStorageFamily    1.7.1
com.apple.iokit.IOAHCISerialATAPI    2.5.5
com.apple.iokit.IOSCSIArchitectureModelFamily    3.5.6
com.apple.iokit.IO80211Family    530.5
com.apple.iokit.IOUSBUserClient    630.4.4
com.apple.iokit.IOFireWireFamily    4.5.5
com.apple.iokit.IOAHCIFamily    2.5.1
com.apple.iokit.IONetworkingFamily    3.0
com.apple.iokit.IOUSBFamily    635.4.0
com.apple.driver.NVSMU    2.2.9
com.apple.driver.AppleEFINVRAM    2.0
com.apple.driver.AppleEFIRuntime    2.0
com.apple.iokit.IOHIDFamily    1.8.1
com.apple.iokit.IOSMBusFamily    1.1
com.apple.security.sandbox    220.3
com.apple.kext.AppleMatch    1.0.0d1
com.apple.security.TMSafetyNet    7
com.apple.driver.DiskImages    345
com.apple.iokit.IOStorageFamily    1.8
com.apple.driver.AppleKeyStore    28.21
com.apple.driver.AppleACPIPlatform    1.8
com.apple.iokit.IOPCIFamily    2.8
com.apple.iokit.IOACPIFamily    1.4
com.apple.ke

:1018707


This thread was automatically locked due to age.
  • 0

    Even though this appears to have been a one-off event, I'd appreciate it if someone could try to explain what might have happened.

    :1018727
  • 0

    FYI: I've asked our development to comment.

    :1018733

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0

    Hello brvx,

    The panic trace shows that the mds process (part of Spotlight) caused a panic when a reference count to an open vnode became a negative number. Depending on your experience with kernel and filesystem programming, that might not make any sense!

    The files on your disk are attached to things called vnodes, and when our kernel extension is accessing files for scanning we interrupt the current process (in this case, one of the Spotlight processes) while we scan. In order to ensure that the vnode doesn't get closed unexpectedly while its in use, there is a "reference count" that is increased every time there is another process reading the file, and decreased when a process stops reading. When the "reference count" reaches zero, nobody is using it any longer and the system could consider the file fully closed.

    In this case, someone (maybe us, maybe somone else like Spotlight, its impossible to know for certain) closed the file one too many times. For a variety of reasons, version 9.1 no longer intercepts the Spotlight processes. I'd recommend upgrading to the preview version (see the front page for my post about how to do it).

    Hope that helps.

    :1018747

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • 0

    Thanks Bob,

    Good to know the next update should take care of this, but since this seems to have been a first and, hopefully, last of its kind, I think I will wait for the final relaase. Unless, of course it happens again.

    :1018755
  • 0
    bobcook wrote:

    In this case, someone (maybe us, maybe somone else like Spotlight, its impossible to know for certain) closed the file one too many times. For a variety of reasons, version 9.1 no longer intercepts the Spotlight processes.

    Correction to my previous post. We are still filtering the Spotlight processes. I was thinking of Time Machine, which is no longer filtered in 9.1, when I wrote that. Apologies for the confusion.

    My advice to upgrade yourself is still worthwhile - there are many good things in 9.1 vs. 9.0.

    :1018757

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • 0

    Might try the update, but wanted to point out that I do not use TM or have it enabled. In that case, how does that change the explanation you gave before for the KP?

    If I do run the update, can it be downgraded back to the 9.0.11. Would that require simply uninstaling the 9.1 and reinstalling the 9.0.11? Just in case something gets weird.

    :1018763
  • 0
    brvx wrote:

    Might try the update, but wanted to point out that I do not use TM or have it enabled. In that case, how does that change the explanation you gave before for the KP?

    No change, the explanation still holds true. My follow-on comment about not filtering those processes was the only incorrect part.

    brvx wrote:

    If I do run the update, can it be downgraded back to the 9.0.11. Would that require simply uninstaling the 9.1 and reinstalling the 9.0.11? Just in case something gets weird.

    Running the new installer over top of the existing version will upgrade. Running the old installer over the new version will downgrade it. Its a supported workflow.

    :1018765

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • 0

    Running the new 9.1preview (beta?) for a while now problem free (had no problems with the 9.0 either, except for that one-time KP). But haven't tried reproducing what caused that KP, so no idea if the update is the fix.

    :1018905
  • 0

    HI,

    I am having the same problem as OP - 7 panics all with com.sophos.kext.sav in the backtrace.  Pancis have happened 1/9, 2/9 (x2), 4/9, 7/9, 9/9, 21/9.  All apart from the one on the 21st were in the middle of the night 1am - 3am...

    I have clicked the "Update Now" in the drop down on Sophos so I am not sure if htis has updated the the virus definitions only or the actauly Sophos software as well.  It says I am running 9.1.5 home edition (after the update now was clicked).

    Here is the latest panic  - any suggestions would be greatly appreacited....

    Source: /Library/Logs/DiagnosticReports/Kernel_2014-09-21-104050_Richard.panic

      Size: 6 KB (6,488 bytes)

      Last Modified: 21/9/14 10:40 am

      Recent Contents: Anonymous UUID:       A45348C7-0337-0366-F6E3-408A40EA9275

    Sun Sep 21 10:40:50 2014

    panic(cpu 0 caller 0xffffff80017db450): "vnode_rele_ext: vp 0xffffff801db111e0 usecount -ve : -1.  v_tag = 16, v_type = 1, v_flag = 184800."@/SourceCache/xnu/xnu-2422.110.17/bsd/vfs/vfs_subr.c:1788

    Backtrace (CPU 0), Frame : Return Address

    0xffffff800ea6af70 : 0xffffff8001622f79 

    0xffffff800ea6aff0 : 0xffffff80017db450 

    0xffffff800ea6b030 : 0xffffff7f81bc2762 

    0xffffff800ea6b050 : 0xffffff7f81bc1f54 

    0xffffff800ea6b380 : 0xffffff7f81bc3eb3 

    0xffffff800ea6b3c0 : 0xffffff80019b6041 

    0xffffff800ea6b420 : 0xffffff80017e013b 

    0xffffff800ea6b470 : 0xffffff800196ebbe 

    0xffffff800ea6bb10 : 0xffffff800196db3f 

    0xffffff800ea6bbf0 : 0xffffff80017fe2f0 

    0xffffff800ea6bc70 : 0xffffff80017ef079 

    0xffffff800ea6bd70 : 0xffffff80017eee2a 

    0xffffff800ea6bf50 : 0xffffff8001a40a33 

    0xffffff800ea6bfb0 : 0xffffff80016f3f46 

          Kernel Extensions in backtrace:

             com.sophos.kext.sav(9.0.61)[00000000-0000-0000-0000-000000000000]@0xffffff7f81bc1000->0xffffff7f81bc5fff

    BSD process name corresponding to current thread: mds

    Mac OS version:

    13E28

    Kernel version:

    Darwin Kernel Version 13.3.0: Tue Jun  3 21:27:35 PDT 2014; root:xnu-2422.110.17~1/RELEASE_X86_64

    Kernel UUID: BBFADD17-672B-35A2-9B7F-E4B12213E4B8

    Kernel slide:     0x0000000001400000

    Kernel text base: 0xffffff8001600000

    System model name: iMac11,2 (Mac-F2238AC8)

    System uptime in nanoseconds: 434799799675527

    last loaded kext at 434729969194094: com.apple.driver.AppleUSBCDC 4.2.1b5 (addr 0xffffff7f83e0e000, size 20480)

    last unloaded kext at 432400302396814: com.apple.driver.AppleUSBCDC 4.2.1b5 (addr 0xffffff7f83e0e000, size 16384)

    loaded kexts:

    com.sophos.kext.sav 9.0.61

    com.delantis.kext.tcpblocknke 2.2.6

    com.madcatz.driver.CyborgRAT 1.62

    com.sophos.nke.swi 9.0.53

    com.Cycling74.driver.Soundflower 1.5.1

    com.squirrels.airparrot.framebuffer 3

    com.squirrels.driver.AirParrotSpeakers 1.7

    com.apple.driver.AppleUSBCDC 4.2.1b5

    com.apple.filesystems.smbfs 2.0.2

    com.apple.filesystems.afpfs 11.1

    com.apple.nke.asp-tcp 8.0.1

    com.apple.filesystems.msdosfs 1.9

    com.apple.driver.AppleBluetoothMultitouch 80.14

    com.apple.driver.AppleHWSensor 1.9.5d0

    com.apple.driver.AGPM 100.14.28

    com.apple.filesystems.autofs 3.0

    com.apple.iokit.IOBluetoothSerialManager 4.2.6f1

    com.apple.driver.AppleMikeyHIDDriver 124

    com.apple.driver.AppleHDA 2.6.3f4

    com.apple.driver.ACPI_SMC_PlatformPlugin 1.0.0

    com.apple.kext.AMDFramebuffer 1.2.4

    com.apple.AMDRadeonX3000 1.2.4

    com.apple.driver.AppleLPC 1.7.0

    com.apple.driver.AppleUpstreamUserClient 3.5.13

    com.apple.driver.AudioAUUC 1.60

    com.apple.iokit.IOUserEthernet 1.0.0d1

    com.apple.Dont_Steal_Mac_OS_X 7.0.0

    com.apple.driver.AppleHWAccess 1

    com.apple.driver.AppleBacklight 170.3.5

    com.apple.driver.AppleMCCSControl 1.2.5

    com.apple.iokit.BroadcomBluetoothHostControllerUSBTransport 4.2.6f1

    com.apple.driver.AppleMikeyDriver 2.6.3f4

    com.apple.kext.AMD5000Controller 1.2.4

    com.apple.driver.AppleIRController 325.7

    com.apple.driver.AppleUSBCardReader 3.4.1

    com.apple.AppleFSCompression.AppleFSCompressionTypeDataless 1.0.0d1

    com.apple.AppleFSCompression.AppleFSCompressionTypeLZVN 1.0.0d1

    com.apple.AppleFSCompression.AppleFSCompressionTypeZlib 1.0.0d1

    com.apple.BootCache 35

    com.apple.iokit.SCSITaskUserClient 3.6.6

    com.apple.driver.XsanFilter 404

    com.apple.driver.AppleUSBHub 683.4.0

    com.apple.iokit.IOAHCIBlockStorage 2.6.0

    com.apple.iokit.AppleBCM5701Ethernet 3.8.1b2

    com.apple.driver.AirPort.Atheros40 700.74.5

    com.apple.driver.AppleFWOHCI 5.0.2

    com.apple.driver.AppleAHCIPort 3.0.5

    com.apple.driver.AppleUSBEHCI 660.4.0

    com.apple.driver.AppleRTC 2.0

    com.apple.driver.AppleACPIButtons 2.0

    com.apple.driver.AppleHPET 1.8

    com.apple.driver.AppleSMBIOS 2.1

    com.apple.driver.AppleACPIEC 2.0

    com.apple.driver.AppleAPIC 1.7

    com.apple.driver.AppleIntelCPUPowerManagementClient 217.92.1

    com.apple.nke.applicationfirewall 153

    com.apple.security.quarantine 3

    com.apple.driver.AppleIntelCPUPowerManagement 217.92.1

    com.apple.security.SecureRemotePassword 1.0

    com.apple.driver.AppleMultitouchDriver 245.13

    com.apple.driver.AppleBluetoothHIDKeyboard 170.15

    com.apple.driver.IOBluetoothHIDDriver 4.2.6f1

    com.apple.driver.AppleHIDKeyboard 170.15

    com.apple.kext.triggers 1.0

    com.apple.iokit.IOSerialFamily 10.0.7

    com.apple.driver.DspFuncLib 2.6.3f4

    com.apple.vecLib.kext 1.0.0

    com.apple.driver.IOPlatformPluginLegacy 1.0.0

    com.apple.iokit.IOAcceleratorFamily 98.22

    com.apple.driver.IOPlatformPluginFamily 5.7.1d6

    com.apple.iokit.IOSurface 91.1

    com.apple.iokit.IOBluetoothFamily 4.2.6f1

    com.apple.driver.AppleSMC 3.1.8

    com.apple.iokit.IOAudioFamily 1.9.7fc2

    com.apple.kext.OSvKernDSPLib 1.14

    com.apple.driver.AppleBacklightExpert 1.0.4

    com.apple.iokit.IONDRVSupport 2.4.1

    com.apple.iokit.IOBluetoothHostControllerUSBTransport 4.2.6f1

    com.apple.iokit.IOFireWireIP 2.2.6

    com.apple.driver.AppleHDAController 2.6.3f4

    com.apple.iokit.IOHDAFamily 2.6.3f4

    com.apple.driver.AppleSMBusController 1.0.12d1

    com.apple.driver.AppleSMBusPCI 1.0.12d1

    com.apple.kext.AMDSupport 1.2.4

    com.apple.AppleGraphicsDeviceControl 3.6.22

    com.apple.iokit.IOGraphicsFamily 2.4.1

    com.apple.iokit.IOUSBHIDDriver 660.4.0

    com.apple.iokit.IOSCSIBlockCommandsDevice 3.6.6

    com.apple.iokit.IOUSBMassStorageClass 3.6.0

    com.apple.driver.AppleUSBMergeNub 650.4.0

    com.apple.driver.AppleUSBComposite 656.4.1

    com.apple.iokit.IOSCSIMultimediaCommandsDevice 3.6.6

    com.apple.iokit.IOBDStorageFamily 1.7

    com.apple.iokit.IODVDStorageFamily 1.7.1

    com.apple.iokit.IOCDStorageFamily 1.7.1

    com.apple.iokit.IOAHCISerialATAPI 2.6.1

    com.apple.iokit.IOSCSIArchitectureModelFamily 3.6.6

    com.apple.iokit.IOEthernetAVBController 1.0.3b4

    com.apple.driver.mDNSOffloadUserClient 1.0.1b5

    com.apple.iokit.IOUSBUserClient 660.4.2

    com.apple.iokit.IO80211Family 640.36

    com.apple.iokit.IONetworkingFamily 3.2

    com.apple.iokit.IOFireWireFamily 4.5.5

    com.apple.iokit.IOAHCIFamily 2.6.5

    com.apple.iokit.IOUSBFamily 683.4.0

    com.apple.driver.AppleEFINVRAM 2.0

    com.apple.driver.AppleEFIRuntime 2.0

    com.apple.iokit.IOHIDFamily 2.0.0

    com.apple.iokit.IOSMBusFamily 1.1

    com.apple.security.sandbox 278.11.1

    com.apple.kext.AppleMatch 1.0.0d1

    com.apple.security.TMSafetyNet 7

    com.apple.driver.AppleKeyStore 2

    com.apple.driver.DiskImages 371.1

    com.apple.iokit.IOStorageFamily 1.9

    com.apple.iokit.IOReportFamily 23

    com.apple.driver.AppleFDEKeyStore 28.30

    com.apple.driver.AppleACPIPlatform 2.0

    com.apple.iokit.IOPCIFamily 2.9

    com.apple.iokit.IOACPIFamily 1.4

    com.apple.kec.pthread 1

    com.apple.kec.corecrypto 1.0

    :1019235
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?