Re: kernel panic: page fault

From: Kazuaki Oda <kaakun_at_highway.ne.jp>
Date: Mon, 03 Apr 2006 21:53:09 +0900
Robert Watson wrote:
> Since you have a kernel dump, could I ask you to print the following in 
> the tcp_input frame using kgdb:
> 
> p inp
> p *inp
> p *inp->inp_socket
> p *inp->inp_ppcb

(kgdb) frame 8
#8  0xc07159d8 in tcp_input (m=0xc3a27400, off0=20) at /usr/src/sys/netinet/tcp_input.c:763
763                     if (tcp_timewait((struct tcptw *)inp->inp_ppcb,
(kgdb) p inp
$1 = (struct inpcb *) 0xc47c12a0
(kgdb) p *inp
$1 = {inp_hash = {le_next = 0x0, le_prev = 0xc3544bd4}, inp_list = {le_next = 0xc47c1348, le_prev = 0xc47c1200}, inp_flow = 0,
   inp_inc = {inc_flags = 0 '\0', inc_len = 0 '\0', inc_pad = 0, inc_ie = {ie_fport = 28169, ie_lport = 20480, ie_dependfaddr = {
         ie46_foreign = {ia46_pad32 = {0, 0, 0}, ia46_addr4 = {s_addr = 84650176}}, ie6_foreign = {__u6_addr = {
             __u6_addr8 = '\0' <repeats 12 times>, "\300\250\v\005", __u6_addr16 = {0, 0, 0, 0, 0, 0, 43200, 1291}, __u6_addr32 = {0,
               0, 0, 84650176}}}}, ie_dependladdr = {ie46_local = {ia46_pad32 = {0, 0, 0}, ia46_addr4 = {s_addr = 51095744}},
         ie6_local = {__u6_addr = {__u6_addr8 = '\0' <repeats 12 times>, "\300\250\v\003", __u6_addr16 = {0, 0, 0, 0, 0, 0, 43200,
               779}, __u6_addr32 = {0, 0, 0, 51095744}}}}}}, inp_ppcb = 0x0, inp_pcbinfo = 0xc0972a80, inp_socket = 0xc476d298,
   inp_label = 0x0, inp_flags = 8388608, inp_sp = 0x0, inp_vflag = 41 ')', inp_ip_ttl = 64 '@', inp_ip_p = 0 '\0',
   inp_ip_minttl = 0 '\0', inp_depend4 = {inp4_ip_tos = 0 '\0', inp4_options = 0x0, inp4_moptions = 0x0}, inp_depend6 = {
     inp6_options = 0x0, inp6_outputopts = 0x0, inp6_moptions = 0x0, inp6_icmp6filt = 0x0, inp6_cksum = 0, inp6_ifindex = 0,
     inp6_hops = 0}, inp_portlist = {le_next = 0xc47c1348, le_prev = 0xc47c1274}, inp_phd = 0xc35562f0, inp_gencnt = 36,
   inp_mtx = {mtx_object = {lo_name = 0xc08b6d26 "inp", lo_type = 0xc08b4853 "tcpinp", lo_flags = 21692416, lo_witness_data = {
         lod_list = {stqe_next = 0x0}, lod_witness = 0x0}}, mtx_lock = 3274697680, mtx_recurse = 0}}
(kgdb) p *inp->inp_socket
$3 = {so_count = 1, so_type = 1, so_options = 12, so_linger = 0, so_state = 8192, so_qstate = 0, so_pcb = 0xc47c12a0,
   so_proto = 0xc093a6e8, so_head = 0x0, so_incomp = {tqh_first = 0x0, tqh_last = 0x0}, so_comp = {tqh_first = 0x0,
     tqh_last = 0x0}, so_list = {tqe_next = 0xc476d14c, tqe_prev = 0xc37ae6a0}, so_qlen = 0, so_incqlen = 0, so_qlimit = 0,
   so_timeo = 0, so_error = 0, so_sigio = 0x0, so_oobmark = 0, so_aiojobq = {tqh_first = 0x0, tqh_last = 0xc476d2e0}, so_rcv = {
     sb_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0xc36ea540}, si_thread = 0x0, si_note = {kl_list = {slh_first = 0x0},
         kl_lock = 0xc065364c <knlist_mtx_lock>, kl_unlock = 0xc0653684 <knlist_mtx_unlock>,
         kl_locked = 0xc06536c0 <knlist_mtx_locked>, kl_lockarg = 0xc476d30c}, si_flags = 0}, sb_mtx = {mtx_object = {
         lo_name = 0xc08adc57 "so_rcv", lo_type = 0xc08adc57 "so_rcv", lo_flags = 16973824, lo_witness_data = {lod_list = {
             stqe_next = 0x0}, lod_witness = 0x0}}, mtx_lock = 4, mtx_recurse = 0}, sb_state = 32, sb_mb = 0x0, sb_mbtail = 0x0,
     sb_lastrecord = 0x0, sb_cc = 0, sb_hiwat = 66608, sb_mbcnt = 0, sb_mbmax = 262144, sb_ctl = 0, sb_lowat = 1, sb_timeo = 0,
     sb_flags = 0}, so_snd = {sb_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {kl_list = {
           slh_first = 0x0}, kl_lock = 0xc065364c <knlist_mtx_lock>, kl_unlock = 0xc0653684 <knlist_mtx_unlock>,
         kl_locked = 0xc06536c0 <knlist_mtx_locked>, kl_lockarg = 0xc476d378}, si_flags = 0}, sb_mtx = {mtx_object = {
         lo_name = 0xc08adc50 "so_snd", lo_type = 0xc08adc50 "so_snd", lo_flags = 16973824, lo_witness_data = {lod_list = {
             stqe_next = 0x0}, lod_witness = 0x0}}, mtx_lock = 4, mtx_recurse = 0}, sb_state = 16, sb_mb = 0x0, sb_mbtail = 0x0,
     sb_lastrecord = 0x0, sb_cc = 0, sb_hiwat = 33304, sb_mbcnt = 0, sb_mbmax = 262144, sb_ctl = 0, sb_lowat = 2048,
     sb_timeo = 0, sb_flags = 0}, so_upcall = 0, so_upcallarg = 0x0, so_cred = 0xc3a9d180, so_label = 0x0, so_peerlabel = 0x0,
   so_gencnt = 485, so_emuldata = 0x0, so_accf = 0x0}
(kgdb) p *inp->inp_ppcb
Cannot access memory at address 0x0

> In the tcp_timewait frame, could you print the following:
> 
> p tw
> p *tw
> p *to
> p *th

(kgdb) frame 7
#7  0xc0718779 in tcp_timewait (tw=0x0, to=0xd4422c40, th=0xc3a4f024, m=0xc3a27400, tlen=0)
     at /usr/src/sys/netinet/tcp_input.c:3202
3202            if ((thflags & TH_SYN) && SEQ_GT(th->th_seq, tw->rcv_nxt)) {
(kgdb) p tw
$4 = (struct tcptw *) 0x0
(kgdb) p *tw
Cannot access memory at address 0x0
(kgdb) p *to
$5 = {to_flags = 49, to_tsval = 82773511, to_tsecr = 0, to_mss = 1460, to_requested_s_scale = 0 '\0', to_nsacks = 0 '\0',
   to_sacks = 0x0}
(kgdb) p *th
$6 = {th_sport = 28169, th_dport = 20480, th_seq = 1498072816, th_ack = 0, th_x2 = 0, th_off = 10, th_flags = 2 '\002',
   th_win = 57344, th_sum = 0, th_urp = 0}

> Also, are you running with INVARIANTS and/or WITNESS?

Sorry, I compiled the kernel without INVARIANTS and WITNESS.

--
Kazuaki Oda
Received on Mon Apr 03 2006 - 10:59:15 UTC
