Panic on pxeboot: kernel trap 12 with interrupts disabled

I'm not sure when this began, but my pxeboot test box at work seems pretty
unhappy.  I'll attempt to extract more debugging information, but here's a
first pass.  Looks like map->system_map is NULL.

/boot/kernel/acpi.ko text=0x3fb40 data=0x17a4+0x116c
syms=[0x4+0x6300+0x4+0x80f6]
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x91
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc07ba4b9
stack pointer           = 0x10:0xc0c21b3c
frame pointer           = 0x10:0xc0c21b4c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 0 ()
kernel: type 12 trap, code=0
Stopped at      0xc07ba4b9:     cmpb    $0,0x91(%edx)
db> trace
(null)(0,c088c02e,b36,1c2011a,c1013000) at 0xc07ba4b9
(null)(c0c21c14,c1013000,1,c0c21c18,c0c21c08) at 0xc07be108
(null)(0,c1013000,1,0,c092ec80) at 0xc07b4f8f
(null)(c0c21cf0,0,c1013fe9,c0001000,c1013fe9) at 0xc08096d2
(null)(18,10,10,0,c1014000) at 0xc08092f3
(null)(c1013fe5,c1014000,ffffffe5,c0c21d94,c07fe88c) at 0xc07f4e38
(null)(c1014000,1,f,0,8) at 0xc0663668
(null)(c29000) at 0xc07fe88c
(null)() at 0xc043c85d
db> 

(kgdb) l *0xc07ba4b9
0xc07ba4b9 is in _vm_map_lock_read (../../../vm/vm_map.c:375).
370     void
371     _vm_map_lock_read(vm_map_t map, const char *file, int line)
372     {
373             int error;
374
375             if (map->system_map)
376                     _mtx_lock_flags(&map->system_mtx, 0, file, line);
377             else {
378                     error = lockmgr(&map->lock, LK_EXCLUSIVE, NULL, curthread);
379                     KASSERT(error == 0, ("%s: failed to get lock", __func__));
(kgdb) l *0xc07be108
0xc07be108 is in vm_map_lookup (../../../vm/vm_map.c:2881).
2876
2877            /*
2878             * If the map has an interesting hint, try it before calling full
2879             * blown lookup routine.
2880             */
2881            entry = map->root;
2882            *out_entry = entry;
2883            if (entry == NULL ||
2884                (vaddr < entry->start) || (vaddr >= entry->end)) {
2885                    /*
(kgdb) l *0xc07b4f8f
0xc07b4f8f is in vm_fault (../../../vm/vm_fault.c:232).
227             /*
228              * Find the backing store object and offset into it to begin the
229              * search.
230              */
231             fs.map = map;
232             result = vm_map_lookup(&fs.map, vaddr, fault_type, &fs.entry,
233                 &fs.first_object, &fs.first_pindex, &prot, &wired);
234             if (result != KERN_SUCCESS) {
235                     if (result != KERN_PROTECTION_FAILURE ||
236                         (fault_flags & VM_FAULT_WIRE_MASK) != VM_FAULT_USER_WIRE) {
(kgdb) l *0xc08096d2
0xc08096d2 is in trap_pfault (../../../i386/i386/trap.c:722).
717             } else {
718                     /*
719                      * Don't have to worry about process locking or stacks in the
720                      * kernel.
721                      */
722                     rv = vm_fault(map, va, ftype, VM_FAULT_NORMAL);
723             }
724             if (rv == KERN_SUCCESS)
725                     return (0);
726     nogo:
(kgdb) l *0xc08092f3
0xc08092f3 is in trap (../../../i386/i386/trap.c:421).
416                     KASSERT(cold || td->td_ucred != NULL,
417                         ("kernel trap doesn't have ucred"));
418                     switch (type) {
419                     case T_PAGEFLT:                 /* page fault */
420                             (void) trap_pfault(&frame, FALSE, eva);
421                             goto out;
422
423                     case T_DNA:
424     #ifdef DEV_NPX
425                             /*
(kgdb) l *0xc07f4e38
0xc07f4e38 is at {standard input}:100.
95      {standard input}: No such file or directory.
        in {standard input}
(kgdb) l *0xc0663668
0xc0663668 is in msgbufinit (../../../kern/subr_prf.c:821).
816
817             size -= sizeof(*msgbufp);
818             cp = (char *)ptr;
819             msgbufp = (struct msgbuf *)(cp + size);
820             msgbuf_reinit(msgbufp, cp, size);
821             if (msgbufmapped && oldp != msgbufp)
822                     msgbuf_copy(oldp, msgbufp);
823             msgbufmapped = 1;
824             oldp = msgbufp;
825     }
(kgdb) l *0xc07fe88c
0xc07fe88c is in init386 (../../../i386/i386/machdep.c:2158).
2153            msgbufinit(msgbufp, MSGBUF_SIZE);
2154
2155            /* make a call gate to reenter kernel with */
2156            gdp = &ldt[LSYS5CALLS_SEL].gd;
2157
2158            x = (int) &IDTVEC(lcall_syscall);
2159            gdp->gd_looffset = x;
2160            gdp->gd_selector = GSEL(GCODE_SEL,SEL_KPL);
2161            gdp->gd_stkcpy = 1;
2162            gdp->gd_type = SDT_SYS386CGT;


Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert_at_fledge.watson.org      Senior Research Scientist, McAfee Research