panic on kldunload

From: Gleb Smirnoff <glebius_at_FreeBSD.org>
Date: Sun, 27 Nov 2005 06:12:21 +0300
  Today, while running 'kldunload ng_netflow', I hit the following
panic:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 01
fault virtual address   = 0x15
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc06568cd
stack pointer           = 0x28:0xe889fbcc
frame pointer           = 0x28:0xe889fbec
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 91858 (kldunload)
trap number             = 12
panic: page fault
cpuid = 1
Uptime: 15h36m21s
Dumping 1023 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 1023MB (261856 pages) 1007 991 975 959 (CTRL-C to abort)  943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:165
During symbol reading, Incomplete CFI data; unspecified registers at 0xc051f7c2.
#1  0xc051fe2f in boot (howto=0x104) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xc052020e in panic (fmt=0xc06d69b8 "%s") at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xc06af7b1 in trap_fatal (frame=0xe889fb8c, eva=0x0) at /usr/src/sys/i386/i386/trap.c:831
#4  0xc06af46f in trap_pfault (frame=0xe889fb8c, usermode=0x0, eva=0x15) at /usr/src/sys/i386/i386/trap.c:742
#5  0xc06aeff9 in trap (frame=
      {tf_fs = 0xc8d20008, tf_es = 0xe8890028, tf_ds = 0xc0540028, tf_edi = 0xc0c61960, tf_esi = 0xc0c6c8c0, tf_ebp = 0xe889fbec, tf_isp = 0xe889fbb8, tf_ebx = 0x1, tf_edx = 0xc0c6c8c8, tf_ecx = 0x0, tf_eax = 0x18, tf_trapno = 0xc, tf_err = 0x0, tf_eip = 0xc06568cd, tf_cs = 0x20, tf_eflags = 0x10202, tf_esp = 0x0, tf_ss = 0xe889fc10})
    at /usr/src/sys/i386/i386/trap.c:432
#6  0xc069a5aa in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc06568cd in uma_zfree_internal (zone=0xc0c61960, item=0xcc763c00, udata=0x0, skip=SKIP_DTOR, flags=0x3)
    at /usr/src/sys/vm/uma_core.c:2465
#8  0xc06567c5 in uma_zfree_arg (zone=0xc0c61960, item=0xcc763c00, udata=0x0) at /usr/src/sys/vm/uma_core.c:2420
#9  0xc0512474 in malloc_uninit (data=0xcc742300) at uma.h:303
#10 0xc050cfb3 in linker_file_sysuninit (lf=0x18) at /usr/src/sys/kern/kern_linker.c:238
#11 0xc050d845 in linker_file_unload (file=0xc9238000, flags=0x0) at /usr/src/sys/kern/kern_linker.c:539
#12 0xc050e104 in kern_kldunload (td=0xc9238000, fileid=0x18, flags=0x18) at /usr/src/sys/kern/kern_linker.c:828
#13 0xc050e1ac in kldunloadf (td=0x18, uap=0xc0c6c8c8) at /usr/src/sys/kern/kern_linker.c:858
#14 0xc06afb6d in syscall (frame=
      {tf_fs = 0x3b, tf_es = 0x3b, tf_ds = 0x3b, tf_edi = 0x3, tf_esi = 0xbfbfed06, tf_ebp = 0xbfbfebd8, tf_isp = 0xe889fd64, tf_ebx = 0x1, tf_edx = 0xbfbfed06, tf_ecx = 0x1, tf_eax = 0x1bc, tf_trapno = 0xc, tf_err = 0x2, tf_eip = 0xe4b65eb, tf_cs = 0x33, tf_eflags = 0x246, tf_esp = 0xbfbfe76c, tf_ss = 0x3b}) at /usr/src/sys/i386/i386/trap.c:976
#15 0xc069a5ff in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200

What I can't understand here is why it panicked at all. Looking at frame 7 I see
a valid pointer and a plain cast (note that a cast by itself performs no memory
access, and the fault address 0x15 reported above is a small offset from NULL
rather than the value of mem; since slab is still 0x0 below, the faulting load
is more likely a field read through a NULL pointer, e.g. keg->uk_flags on line
2461, with the line attribution skewed by optimization -- cf. the "Incomplete
CFI data" warning above):

(kgdb) frame 7
#7  0xc06568cd in uma_zfree_internal (zone=0xc0c61960, item=0xcc763c00, udata=0x0, skip=SKIP_DTOR, flags=0x3)
    at /usr/src/sys/vm/uma_core.c:2465
2465                            slab = (uma_slab_t)mem;
(kgdb) list
2460                    mem = (u_int8_t *)((unsigned long)item & (~UMA_SLAB_MASK));
2461                    if (keg->uk_flags & UMA_ZONE_HASH)
2462                            slab = hash_sfind(&keg->uk_hash, mem);
2463                    else {
2464                            mem += keg->uk_pgoff;
2465                            slab = (uma_slab_t)mem;
2466                    }
2467            } else {
2468                    slab = (uma_slab_t)udata;
2469            }
(kgdb) p mem
$9 = (u_int8_t *) 0xc0c6c8c8 "¤/qÀ LnÀs5nÀ"
(kgdb) p slab
$10 = 0x0
(kgdb) p *(uma_slab_t)mem
$11 = {
  us_head = {
    us_keg = 0xc0712fa4, 
    us_type = {
      _us_link = {
        le_next = 0xc06e4c20, 
        le_prev = 0xc06e3573
      }, 
      _us_size = 0xc06e4c20
    }, 
    us_hlink = {
      sle_next = 0x430000
    }, 
    us_data = 0x0, 
    us_flags = 0x0, 
    us_freecount = 0x0, 
    us_firstfree = 0x0
  }, 
  us_freelist = {{
      us_item = 0x0
    }}
}
(kgdb) 

  The panic happened on 6.0-STABLE, but I have no reason to believe it
does not apply to CURRENT as well.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
