Got this on a 5.3-STABLE cvsupped around 05:00 UTC on the 18th:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 00
fault virtual address = 0x467
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc05ded3d
stack pointer = 0x10:0xe6ab6994
frame pointer = 0x10:0xe6ab6994
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 9771 (screen)
panic: from debugger
cpuid = 1
KDB: stack backtrace:
--- trap 0xc, eip = 0xc05ded3d, esp = 0xe6ab6994, ebp = 0xe6ab6994 ---
ptsstart(c3690a00,e6ab69c8,c05d91e3,c3690a00,0) at ptsstart+0xd
ttstart(c3690a00,0,20,c488680a,c2637000) at ttstart+0x1c
ttymodem(c3690a00,1,c05ded70,c32dbd00,c07da540) at ttymodem+0xf3
ptcopen(c32dbd00,3,2000,c289c000,e6ab6a44) at ptcopen+0x68
spec_open(e6ab6a68,ffffffdf,c05f946b,180,c289c000) at spec_open+0x3c2
vn_open_cred(e6ab6bd4,e6ab6cd4,0,c2e48b80,c) at vn_open_cred+0x37e
vn_open(e6ab6bd4,e6ab6cd4,0,c,10002) at vn_open+0x33
kern_open(c289c000,bfbf9d60,0,3,0) at kern_open+0xf2
open(c289c000,e6ab6d14,c,c,c289c000) at open+0x2e
syscall(821002f,2f,bfbf002f,ffffffff,808cb04) at syscall+0x210
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (5, FreeBSD ELF32, open), eip = 0x2817177f, esp = 0xbfbf9d2c, ebp = 0xbfbf9d88 ---

gdb equivalent is (although it gets most of the pointer arguments wrong):

#23 0xc05ded3d in ptsstart (tp=0x0) at ../../../kern/tty_pty.c:249
#24 0xc05d7bac in ttstart (tp=0x0) at ../../../kern/tty.c:1553
#25 0xc05d91e3 in ttymodem (tp=0xc3690a00, flag=0) at ../../../kern/tty.c:1587
#26 0xc05dedd8 in ptcopen (dev=0xc32dbd00, flag=3, devtype=8192, td=0x0) at linedisc.h:136
#27 0xc055cbe2 in spec_open (ap=0xe6ab6a68) at ../../../fs/specfs/spec_vnops.c:207
#28 0xc0616eee in vn_open_cred (ndp=0xe6ab6bd4, flagp=0xe6ab6cd4, cmode=0, cred=0xc2e48b80, fdidx=0) at vnode_if.h:228
#29 0xc06171a3 in vn_open (ndp=0x0, flagp=0x0, cmode=0, fdidx=0) at ../../../kern/vfs_vnops.c:91
#30 0xc060e682 in kern_open (td=0xc289c000, path=0x0, pathseg=UIO_USERSPACE, flags=3, mode=0) at ../../../kern/vfs_syscalls.c:957
#31 0xc060f06e in open (td=0x0, uap=0x0) at ../../../kern/vfs_syscalls.c:926

0xc3690a00 seems to point to garbage. "p *((struct tty*)0xc3690a00)" prints invalid values for lots of fields:

(kgdb) p *tp
$16 = {t_rawq = {c_cc = -503508748, c_cbcount = 1, c_cbmax = 0,
    c_cbreserved = -1033670128, c_cf = 0x0,
    c_cl = 0xc2627318 "\204T}└y&z└y&z└"}, t_rawcc = -1033266608, t_canq = {
    c_cc = 1, c_cbcount = -1005040620, c_cbmax = 0, c_cbreserved = 0,
    c_cf = 0x20c044 <Address 0x20c044 out of bounds>,
    c_cl = 0xc2d28af0 "\230Ω-├αáτ┬"}, t_cancc = -1030858752, t_outq = {
    c_cc = -1005040640, c_cbcount = -1005040631, c_cbmax = 11,
    c_cbreserved = 0, c_cf = 0x1 <Address 0x1 out of bounds>,
    c_cl = 0x1016d <Address 0x1016d out of bounds>}, t_outcc = 0, t_line = 0,
  t_dev = 0x40f, t_state = 21033, t_flags = 413982, t_timeout = -1,
  t_pgrp = 0x2000, t_session = 0x416e914f, t_sigio = 0x0, t_rsel = {
    si_thrlist = {tqe_next = 0x41082f59, tqe_prev = 0x0},
    si_thread = 0x41082f59, si_note = {kl_lock = 0x0, kl_list = {
        slh_first = 0x0}}, si_flags = 0}, t_wsel = {si_thrlist = {
      tqe_next = 0x4dc63a16, tqe_prev = 0x20000}, si_thread = 0x179e0,
    si_note = {kl_lock = 0x68000, kl_list = {slh_first = 0x0}},
    si_flags = 30810}, t_termios = {c_iflag = 11, c_oflag = 3268736812,
    c_cflag = 3302587516, c_lflag = 3274566296,
    c_cc = '\0' <repeats 12 times>, "\030sb┬\030S\004┴",
    c_ispeed = 3278441032, c_ospeed = 3787014144}, t_winsize = {
    ws_row = 19376, ws_col = 49967, ws_xpixel = 57480, ws_ypixel = 50250},
  t_sc = 0xc4860e58, t_column = -1001787256, t_rocount = -1020310132,
  t_rocol = -997848960, t_ififosize = -983092364, t_ihiwat = -1016934756,
  t_ilowat = -1001723436, t_ispeedwat = 3266556652, t_ohiwat = -983090664,
  t_olowat = -1027033232, t_ospeedwat = 0, t_gen = 0, t_list = {
    tqe_next = 0x0, tqe_prev = 0x0}, t_mtx = {mtx_object = {lo_class = 0x0,
      lo_name = 0x0, lo_type = 0x0, lo_flags = 0, lo_list = {tqe_next = 0x0,
        tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 0, mtx_recurse = 0},
  t_refcnt = 0, t_hotchar = 0, t_dtr_wait = 0, t_oproc = 0xc05ded30 <ptsstart>,
  t_stop = 0xc05df140 <ptsstop>, t_param = 0, t_modem = 0, t_break = 0,
  t_ioctl = 0}

In frame 26 (I hate inline macros BTW, ptcopen is *not* in linedisc.h), dev looks okay to my untrained eyes:

(kgdb) p *dev
$15 = {si_flags = 4, si_atime = {tv_sec = 1098140465, tv_nsec = 0},
  si_ctime = {tv_sec = 1098140674, tv_nsec = 0}, si_mtime = {
    tv_sec = 1098139449, tv_nsec = 0}, si_udev = 1541, si_refcount = 2,
  si_list = {le_next = 0xc3637900, le_prev = 0xc32dbc24}, si_clone = {
    le_next = 0x0, le_prev = 0x0}, si_hash = {le_next = 0xc260d100,
    le_prev = 0xc08023bc}, si_hlist = {slh_first = 0xc342bd68}, si_children = {
    lh_first = 0x0}, si_siblings = {le_next = 0x0, le_prev = 0x0},
  si_parent = 0x0, si_inode = 134, si_name = 0xc32dbda8 "ptyp5",
  si_drv1 = 0xc2d6e200, si_drv2 = 0x0, si_devsw = 0xc07da540,
  si_iosize_max = 65536, si_stripesize = 0, si_stripeoffset = 0, si_uid = 0,
  si_gid = 0, si_mode = 438, si_usecount = 1, si_threadcount = 0, __si_u = {
    __si_tty = {__sit_tty = 0xc3690a00}, __si_disk = {
      __sid_mountpoint = 0xc3690a00, __sid_bsize_phys = 0,
      __sid_bsize_best = 0, __sid_snapshots = {tqh_first = 0x0,
        tqh_last = 0xc32dbd90}, __sid_snaplistsize = 0,
      __sid_snapblklist = 0x0, __sid_copyonwrite = 0}},
  __si_namebuf = "ptyp5", '\0' <repeats 58 times>}

-- 
Dan Nelson
dnelson_at_allantgroup.com

Received on Tue Oct 19 2004 - 01:26:11 UTC