HEADSUP: New pts code triggers panics on amd64 systems.

From: Steve Kargl <sgk_at_troutmask.apl.washington.edu>
Date: Wed, 1 Feb 2006 15:55:56 -0800

After a binary search, I have determined that the new pts code is
triggering kernel panics on an AMD64 system. 

Using this supfile, I retrieve src/sys:

*default host=cvsup10.freebsd.org
*default base=/usr
*default release=cvs tag=.
*default delete use-rel-suffix
*default prefix=/usr
#*default date=2006.01.26.01.30.00  <-- Good working kernel
*default date=2006.01.26.01.31.00   <-- kernel dies within 5 to 10 minutes.
src-sys

The differences in src/sys between the above time stamps are:
Updating collection src-sys/cvs
 Edit src/sys/conf/files
 Checkout src/sys/kern/tty_pts.c
 Edit src/sys/kern/tty_pty.c
 Edit src/sys/sys/ttycom.h

My kernel is UP on a dual processor Tyan K8S Pro motherboard with 12 GB
of memory.  I have no loaded modules.  I have neither MEMGUARD nor REDZONES
compiled into the kernel.  Attempts to use MEMGUARD result in a kernel
that does not even make it to single user mode.

With vm.old_contigmalloc=1

Memory modified after free 0xfffffff024e38f200(504) val = deadc0dd @ 0xfffffff024e38f2d0
panic: Most recently used by DEVFS1

KDB: stack backtrace:
panic() at panic+0x1c1
mtrash_ctor() at mtrash_ctor+0x78
uma_zalloc_arg() at uma_zalloc_arg+0x306
malloc() at malloc+0x3a
fdinit() at fdinit+0x24
fdcopy() at fdcopy+0x24
fork1() at fork1+0x6df
vfork() at vfork+0x1c
syscall() at syscall+0x517
Xfast_syscall() at Xfast_syscall+0xa8
--- syscall (66, FreeBSD ELF64, vfork) rip = 0x2006a5b4d, rsp=0xfffffffda50, rbp = 0 ---


With vm.old_contigmalloc=0

Memory modified after free  (sorry forgot to write this down)
panic: Most recently used by DEVFS1

KDB: stack backtrace:
panic() at panic+0x1c1
mtrash_ctor() at mtrash_ctor+0x78
uma_zalloc_arg() at uma_zalloc_arg+0x306
malloc() at malloc+0x3a
devfs_alloc() at devfs_alloc+0x1a
make_dev_credv() at make_dev_credv+0x4b
make_dev_cred() at make_dev_cred+0x8e
ptcopen() at ptcopen+0x111
giant_open() at giant_open+0x5f
devfs_open() at devfs_open+0x23b
VOP_OPEN_APV() at VOP_OPEN_APV+0x74
vn_open_cred() at vn_open_cred+0x38c
kern_open() at kern_open+0xfd
open() at open+0x25
syscall() at syscall+0x517
Xfast_syscall() at Xfast_syscall+0xa8
--- syscall (5, FreeBSD ELF64, open) rip = 0x200aeebcc, rsp=0xfffffff2e58, 
    rbp = 0xffffffff ---

Script started on Wed Feb  1 15:32:43 2006
troutmask:root[201] kgdb /boot/kernel/kernel vmcore.0 
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd".

Unread portion of the kernel message buffer:
Memory modified after free 0xffffff0254d62600(504) val=deadc0dd @ 0xffffff0254d626d0
panic: Most recently used by DEVFS1

KDB: stack backtrace:
panic() at panic+0x1c1
mtrash_ctor() at mtrash_ctor+0x78
uma_zalloc_arg() at uma_zalloc_arg+0x306
malloc() at malloc+0xa3
devfs_alloc() at devfs_alloc+0x1a
make_dev_credv() at make_dev_credv+0x4b
make_dev_cred() at make_dev_cred+0x8e
ptcopen() at ptcopen+0x111
giant_open() at giant_open+0x5f
devfs_open() at devfs_open+0x23b
VOP_OPEN_APV() at VOP_OPEN_APV+0x74
vn_open_cred() at vn_open_cred+0x38c
kern_open() at kern_open+0xfd
open() at open+0x25
syscall() at syscall+0x517
Xfast_syscall() at Xfast_syscall+0xa8
--- syscall (5, FreeBSD ELF64, open), rip = 0x200aeebcc, rsp = 0x7fffffff2e58, rbp = 0xffffffff ---

KDB: enter: panic
Uptime: 6m10s
Dumping 12223 MB (3 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 4031MB (1031920 pages) ... ok
  chunk 2: 8192MB (2097152 pages) 

#0  doadump () at pcpu.h:172
172	pcpu.h: No such file or directory.
	in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:172
#1  0xffffffff8027f809 in boot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xffffffff8027f2da in panic (
    fmt=0xffffffff80476e34 "Most recently used by %s\n")
    at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xffffffff803b9ad8 in mtrash_ctor (mem=0x0, size=0, arg=0x0, flags=0)
    at /usr/src/sys/vm/uma_dbg.c:137
#4  0xffffffff803b8046 in uma_zalloc_arg (zone=0xffffff02fffeae40, udata=0x0, 
    flags=1282) at /usr/src/sys/vm/uma_core.c:1846
#5  0xffffffff80273d93 in malloc (size=15, mtp=0xffffffff805aac60, flags=1282)
    at uma.h:275
#6  0xffffffff80228dca in devfs_alloc ()
    at /usr/src/sys/fs/devfs/devfs_devs.c:121
#7  0xffffffff80254d1b in make_dev_credv (devsw=0xffffffff805c0e40, 
    minornr=0, cr=0xffffff0250378380, uid=0, gid=0, mode=438, 
    fmt=0xffffffff80462900 "tty%c%r", ap=0xffffffffbd5e2530)
    at /usr/src/sys/kern/kern_conf.c:523
#8  0xffffffff80254ebe in make_dev_cred (devsw=0x0, minornr=0, cr=0x0, uid=0, 
    gid=0, mode=0, fmt=0x0) at /usr/src/sys/kern/kern_conf.c:581
#9  0xffffffff802c0ce1 in ptcopen (dev=0x0, flag=0, devtype=0, 
    td=0xffffff0250378380) at /usr/src/sys/kern/tty_pty.c:163
#10 0xffffffff80253caf in giant_open (dev=0xffffff024d8fc400, oflags=32771, 
    devtype=8192, td=0xffffff024fcc5000) at /usr/src/sys/kern/kern_conf.c:242
#11 0xffffffff8022bcdb in devfs_open (ap=0xffffffffbd5e2770)
    at /usr/src/sys/fs/devfs/devfs_vnops.c:680
#12 0xffffffff8042b3f4 in VOP_OPEN_APV (vop=0x0, a=0xffffffffbd5e2770)
    at vnode_if.c:365
#13 0xffffffff802f855c in vn_open_cred (ndp=0xffffffffbd5e2990, 
    flagp=0xffffffffbd5e28dc, cmode=8, cred=0xffffff0250378380, fdidx=6)
    at vnode_if.h:198
#14 0xffffffff802ee83d in kern_open (td=0xffffff024fcc5000, 
    path=0x519fab <Address 0x519fab out of bounds>, pathseg=UIO_USERSPACE, 
    flags=32771, mode=-1117902448) at /usr/src/sys/kern/vfs_syscalls.c:977
#15 0xffffffff802eef35 in open (td=0x0, uap=0xffffffffbd5e2c00)
    at /usr/src/sys/kern/vfs_syscalls.c:943
#16 0xffffffff803ea0e7 in syscall (frame=
      {tf_rdi = 5349291, tf_rsi = 32770, tf_rdx = 10, tf_rcx = 8601451180, tf_r8 = -2142762872, tf_r9 = 140737488301656, tf_rax = 5, tf_rbx = 0, tf_rbp = 4294967295, tf_r10 = 1, tf_r11 = 514, tf_r12 = 6, tf_r13 = 5349291, tf_r14 = 5349280, tf_r15 = 1, tf_trapno = 22, tf_addr = 0, tf_flags = 0, tf_err = 2, tf_rip = 8601398220, tf_cs = 43, tf_rflags = 582, tf_rsp = 140737488301656, tf_ss = 35}) at /usr/src/sys/amd64/amd64/trap.c:821
#17 0xffffffff803d8048 in Xfast_syscall ()
    at /usr/src/sys/amd64/amd64/exception.S:270
#18 0x0000000200aeebcc in ?? ()
 
--
Steve
Received on Wed Feb 01 2006 - 22:56:00 UTC
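
An added example, not part of the original message and not FreeBSD's own code: a user-space C model of the trash-on-free, check-on-allocate technique behind the "Memory modified after free" panics above. The function names and REFS_OFF are hypothetical; the 504-byte size, the 0xd0 offset (the reported address minus the item base) and the value deadc0dd come from the panic lines, and the decrement through a stale pointer is an assumed write that reproduces that value, not a diagnosis given in the message.

```c
#include <stdint.h>
#include <stdio.h>

#define TRASH    0xdeadc0deU  /* fill pattern; the panic shows it off by one */
#define OBJ_SIZE 504          /* item size printed in the panic message */
#define REFS_OFF 0xd0         /* hypothetical counter field at the reported offset */

/* Free path: overwrite the whole item with the pattern, one word at a time. */
static void trash_on_free(uint32_t *mem, size_t size)
{
    for (size_t i = 0; i < size / sizeof(*mem); i++)
        mem[i] = TRASH;
}

/* Allocation path: byte offset of the first word that no longer holds the
 * pattern (its value is stored in *val), or -1 if the item is untouched. */
static long check_on_alloc(const uint32_t *mem, size_t size, uint32_t *val)
{
    for (size_t i = 0; i < size / sizeof(*mem); i++)
        if (mem[i] != TRASH) {
            *val = mem[i];
            return (long)(i * sizeof(*mem));
        }
    return -1;
}

/* Constructed scenario: the item is freed, then a pointer kept past the free
 * drops a reference on it; the next allocation check finds the damage. */
static long simulate_stale_decrement(uint32_t *val)
{
    static uint32_t item[OBJ_SIZE / sizeof(uint32_t)];  /* stands in for a zone item */
    uint32_t *stale_refs = &item[REFS_OFF / sizeof(uint32_t)];

    trash_on_free(item, sizeof(item));
    (*stale_refs)--;                  /* 0xdeadc0de becomes 0xdeadc0dd */
    return check_on_alloc(item, sizeof(item), val);
}

int main(void)
{
    uint32_t val = 0;
    long off = simulate_stale_decrement(&val);
    printf("Memory modified after free: val=%x @ offset 0x%lx\n",
           (unsigned)val, (unsigned long)off);
    return 0;
}
```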
