if_dc.c causes page fault while in kernel mode; coredump; reproducible

From: Martin P. Hansen <mph_at_lima.dyndns.dk> Date: Sat, 24 Dec 2005 17:00:47 +0100 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:49 UTC

I'm currently experiencing periodic page faults with my FreeBSD
when shutting down (power-down). I've experienced this behavior in
6.0-RELEASE (GENERIC) and in 6.0-STABLE (GENERIC) cvsup'ed 2005-12-22
14:19.

Not beeing a kernelhacker myself I've come to the conclusion that
something in the dc driver is freed to soon or perhaps a lock isn't
held. It might have something to do with ACPI as the powerdown is close.

I've got two crashdumps for 6.0-RELEASE and three for 6.0-STABLE and
it seems to be reproducible. To reproduce I set up a machine to
ping my FreeBSD box and tell the FreeBSD box ``shutdown -p now''.
All suggestions are welcome.

uname -a:
FreeBSD mph 6.0-STABLE FreeBSD 6.0-STABLE #0: Thu Dec 22 13:38:15 CET 2005
     mph_at_mph:/usr/obj/usr/src/sys/GENERIC  i386

The crashdump header looks like this:
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x18
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc073d480
stack pointer           = 0x28:0xd5865cb4
frame pointer           = 0x28:0xd5865ccc
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 28 (irq17: pcm0 dc0)
trap number             = 12
panic: page fault

The crash happens at
0xc073d480 is in dc_rxeof (/usr/src/sys/pci/if_dc.c:2779)
2774                     * If we are on an architecture with alignment problems, or
2775                     * if the allocation fails, then use m_devget and leave the
2776                     * existing buffer in the receive ring.
2777                     */
2778                    if (dc_quick && dc_newbuf(sc, i, 1) == 0) {
2779                            m->m_pkthdr.rcvif = ifp;
2780                            m->m_pkthdr.len = m->m_len = total_len;
2781                            DC_INC(i, DC_RX_LIST_CNT);
2782                    } else
2783    #endif

(kgdb) print m
$1 = (struct mbuf *) 0x0

(kgdb) print sc->dc_cdata.dc_rx_prod
$2 = 43

Unread portion of the kernel message buffer:
<118>Shutting down daemon processes:
<118>.
<118>Shutting down local daemons:
<118>.
<118>Writing entropy file:
<118>.
<118>Terminated
<118>.
<118>Dec 22 17:55:14 mph syslogd: exiting on signal 15
Waiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...2 1 1 0 0 0 done
All buffers synced.
Uptime: 3h34m52s

-- 
Martin P. Hansen