panic from Saturday's -CURRENT

From: Bruce M Simpson <bms_at_spc.org> Date: Thu, 19 Feb 2004 08:09:03 +0000 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:43 UTC

Witnessed whilst running HostAP on a PRISM2 card which was being used to
test something else (with xmms and various ssh sessions):-

saboteur# uname -a
FreeBSD saboteur.dek.spc.org 5.2-CURRENT FreeBSD 5.2-CURRENT #0: Sat Feb 14 04:34:06 GMT 2004     bms_at_kimchi.dek.spc.org:/usr/src/sys/i386/compile/SABOTEUR  i386

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x24
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc04e603e
stack pointer           = 0x10:0xcdadbacc
frame pointer           = 0x10:0xcdadbaec
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = resume, IOPL = 0
current process         = 27 (swi1: net)
trap number             = 12
panic: page fault
at line 819 in file ../../../i386/i386/trap.c
Stack backtrace:
backtrace(c06696d0,c06ba6c0,333,c0682b80,100) at backtrace+0x17
__panic(c0682b80,333,c067acad,c06829d8,1) at __panic+0xd4
trap_fatal(cdadba8c,24,0,c2b42c00,24) at trap_fatal+0x346
trap(18,10,10,0,c14f8000) at trap+0x123
calltrap() at calltrap+0x5
propagate_priority(c14f8000,c362b690,c04d4937,c2ce8bd0,c06bbe08) at propagate_pr
turnstile_wait(0,c06c05cc,c362b690,14,28) at turnstile_wait+0x2f4
_mtx_lock_sleep(c06c05cc,0,0,0,c362c518) at _mtx_lock_sleep+0xd5
tcp_input(c150aa00,14,c2b4e000,1,0) at tcp_input+0x4c8
ip_input(c150aa00,df371db0,c06e2374,0,c06bde98) at ip_input+0xc79
netisr_processqueue(c06bde98,3a95b430,4515ec3b,0,c2acd080) at netisr_processqueu
e+0xd9
swi_net(0,1,3c45c,3a044,c14f8000) at swi_net+0xc9
ithread_loop(c14f5600,cdadbd48,9b78,40bec,40aa0) at ithread_loop+0x1d8
fork_exit(c04a7360,c14f5600,cdadbd48) at fork_exit+0x78
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xcdadbd7c, ebp = 0 ---

(kgdb) bt
#0  doadump () at ../../../kern/kern_shutdown.c:240
#1  0xc04bdb22 in boot (howto=260) at ../../../kern/kern_shutdown.c:374
#2  0xc04bdf28 in __panic () at ../../../kern/kern_shutdown.c:552
#3  0xc063b0c6 in trap_fatal (frame=0xcdadebd0, eva=0)
    at ../../../i386/i386/trap.c:819
#4  0xc063a6e3 in trap (frame=
      {tf_fs = 24, tf_es = -844300272, tf_ds = 16, tf_edi = 0, tf_esi = -1051754160, tf_ebp = -844239824, tf_isp = -844239876, tf_ebx = -1016940912, tf_edx = -1066662452, tf_ecx = -1051754160, tf_eax = 36, tf_trapno = 12, tf_err = 0, tf_eip = -1068605378, tf_cs = 8, tf_eflags = 65687, tf_esp = -1026655280, tf_ss = 14}) at ../../../i386/i386/trap.c:250
#5  0xc04e603e in propagate_priority (td=0xc362b690)
    at ../../../kern/subr_turnstile.c:230
#6  0xc04e68c4 in turnstile_wait (ts=0xc14f0b00, lock=0xc06c05cc, owner=0x0)
    at ../../../kern/subr_turnstile.c:510
#7  0xc04b2e85 in _mtx_lock_sleep (m=0xc06c05cc, opts=0, file=0x0, line=0)
    at ../../../kern/kern_mutex.c:536
#8  0xc0566928 in tcp_slowtimo () at ../../../netinet/tcp_timer.c:141
#9  0xc04fc0f9 in pfslowtimo (arg=0x0) at ../../../kern/uipc_domain.c:242
#10 0xc04d007e in softclock (dummy=0x0) at ../../../kern/kern_timeout.c:226
#11 0xc04a7538 in ithread_loop (arg=0xc14f5580)
    at ../../../kern/kern_intr.c:547
#12 0xc04a6198 in fork_exit (callout=0xc04a7360 <ithread_loop>, arg=0x0, 
    frame=0x0) at ../../../kern/kern_fork.c:802
(kgdb) frame 8
#8  0xc0566928 in tcp_slowtimo () at ../../../netinet/tcp_timer.c:141
141             INP_INFO_WLOCK(&tcbinfo);
(kgdb) print tcbinfo
$1 = {hashbase = 0xc2b72000, hashmask = 511, porthashbase = 0xc2bf0000, 
  porthashmask = 511, listhead = 0xc06c0590, lastport = 49440, lastlow = 0, 
  lasthi = 0, ipi_zone = 0xc1023f00, ipi_count = 6, ipi_gencnt = 864, 
  ipi_mtx = {mtx_object = {lo_class = 0xc069463c, lo_name = 0xc066f604 "tcp", 
      lo_type = 0xc066f604 "tcp", lo_flags = 720896, lo_list = {
        tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, 
    mtx_lock = 3278026386, mtx_recurse = 0}}

DDB and GDB backtraces look different but appear to refer to the same
lock:-

(kgdb) print *((struct mtx *)0xc06c05cc)
$5 = {mtx_object = {lo_class = 0xc069463c, lo_name = 0xc066f604 "tcp", 
    lo_type = 0xc066f604 "tcp", lo_flags = 720896, lo_list = {tqe_next = 0x0, 
      tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 3278026386, 
  mtx_recurse = 0}
(kgdb) frame 5
#5  0xc04e603e in propagate_priority (td=0xc362b690)
    at ../../../kern/subr_turnstile.c:230
230                     ts = td->td_blocked;
(kgdb) print td->td_blocked
$7 = (struct turnstile *) 0x0
(kgdb) print *td
$6 = {td_proc = 0xc362a370, td_ksegrp = 0xc2fff500, td_plist = {
    tqe_next = 0x0, tqe_prev = 0xc362a380}, td_kglist = {tqe_next = 0x0, 
    tqe_prev = 0xc2fff51c}, td_slpq = {tqe_next = 0xc40212a0, 
    tqe_prev = 0xc35f7a98}, td_lockq = {tqe_next = 0x0, tqe_prev = 0x0}, 
  td_runq = {tqe_next = 0x0, tqe_prev = 0xc362a388}, td_selq = {
    tqh_first = 0xc3679ea4, tqh_last = 0xc3f068fc}, td_turnstile = 0xc3620d40, 
  td_flags = 88, td_inhibitors = 0, td_pflags = 0, td_last_kse = 0xc2c03be0, 
  td_kse = 0xc2c03be0, td_dupfd = 0, td_wchan = 0x0, td_wmesg = 0x0, 
  td_lastcpu = 0 '\0', td_oncpu = 255 '', td_locks = 0, td_blocked = 0x0, 
  td_ithd = 0x0, td_lockname = 0x0, td_contested = {lh_first = 0xc14f0b00}, 
  td_sleeplocks = 0x0, td_intr_nesting_level = 0, td_pinned = 0, 
  td_mailbox = 0x0, td_ucred = 0xc3e89000, td_standin = 0x0, td_prticks = 0, 
  td_upcall = 0x0, td_sticks = 6, td_uuticks = 0, td_usticks = 0, 
  td_intrval = 0, td_oldsigmask = {__bits = {0, 0, 0, 0}}, td_sigmask = {
    __bits = {0, 0, 0, 0}}, td_siglist = {__bits = {0, 0, 0, 0}}, 
  td_waitset = 0x0, td_umtx = {tqe_next = 0x0, tqe_prev = 0x0}, 
  td_generation = 132, td_sigstk = {ss_sp = 0x0, ss_size = 0, ss_flags = 4}, 
  td_base_pri = 160 '', td_priority = 36 '$', td_pcb = 0xd30c5da0, 
  td_state = TDS_CAN_RUN, td_retval = {0, 0}, td_slpcallout = {c_links = {
      sle = {sle_next = 0xc40213a4}, tqe = {tqe_next = 0xc40213a4, 
        tqe_prev = 0xc7b8b0e0}}, c_time = 1754632, c_arg = 0xc362b690, 
    c_func = 0, c_flags = 10}, td_frame = 0xd30c5d48, 
  td_kstack_obj = 0xc362239c, td_kstack = 3540795392, td_kstack_pages = 2, 
  td_altkstack_obj = 0x0, td_altkstack = 0, td_altkstack_pages = 0, 
  td_critnest = 1, td_md = {md_savecrit = 582}, td_sched = 0xc362b7d4}
...
231                     MPASS(ts != NULL);
232                     tc = TC_LOOKUP(ts->ts_lockobj);
233                     mtx_lock_spin(&tc->tc_lock);
...
(kgdb) print &ts->ts_lockobj
$9 = (struct lock_object **) 0x24

Any ideas?
BMS