page fault panic in kern_access/crcopy

From: Pawel Worach <pawel.worach_at_gmail.com>
Date: Sun, 23 Jul 2006 14:07:45 +0200
Hi,

While testing SCTP with NetPIPE I found a reproducible panic; I'm not
sure whether this one is SCTP's fault. (Looking at frame 8 below, crcopy is
being called with dest and src as the same pointer, and the credential has
cr_uidinfo = 0x0, so it looks as if a ucred that was never fully
initialized reaches uihold() — but I have not confirmed where it comes from.) This is using:
FreeBSD 7.0-CURRENT #0: Sun Jul 23 13:23:06 CEST 2006 + SCTP patches 
from today.

Procedure:
NPsctp &
NPsctp -h 127.0.0.1
This ends with a "write error" after a while, probably because the system
ran out of resources. Then try again:
NPsctp

and this happens:

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x1c
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc05342f6
stack pointer           = 0x28:0xd4880ba8
frame pointer           = 0x28:0xd4880bc4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1047 (NPsctp)
trap number             = 12
panic: page fault
KDB: stack backtrace:
kdb_backtrace(c076731d,c07c8660,c075bc1f,d4880a5c,100,...) at 
kdb_backtrace+0x2e
panic(c075bc1f,c0784dbc,c257483c,1,1,...) at panic+0xb7
trap_fatal(d4880b68,1c,1,0,c276faa4,...) at trap_fatal+0x342
trap_pfault(d4880b68,0,1c,c07bf820,1c,...) at trap_pfault+0x245
trap(c2760008,c1030028,c1040028,c25706c0,c257469c,...) at trap+0x3e3
calltrap() at calltrap+0x5
--- trap 0xc, eip = 0xc05342f6, esp = 0xd4880ba8, ebp = 0xd4880bc4 ---
uihold(0,c28f4804,64,c28f4800,d4880bf0,...) at uihold+0x16
crcopy(c28f4800,c28f4800,0,d4880c6c,c05b1f73,...) at crcopy+0x32
crdup(c28f4800,0,0,0,c25706c0,...) at crdup+0x1d
kern_access(c25706c0,28083000,0,0,d4880d30,...) at kern_access+0x23
access(c25706c0,d4880d04,8,c25706c0,d4880d30,...) at access+0x29
syscall(3b,3b,3b,4,28083000,...) at syscall+0x3d3
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (33, FreeBSD ELF32, access), eip = 0x28058b4f, esp = 
0xbfbbf65c, ebp = 0xbfbbf678 ---
Uptime: 11m13s
Physical memory: 502 MB
Dumping 83 MB: 68 52 36 20 4

#0  doadump () at pcpu.h:166
166     pcpu.h: No such file or directory.
         in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:166
#1  0xc0535dd4 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc053614d in panic (fmt=0xc075bc1f "%s")
     at /usr/src/sys/kern/kern_shutdown.c:565
#3  0xc072d7c2 in trap_fatal (frame=0xd4880b68, eva=28)
     at /usr/src/sys/i386/i386/trap.c:869
#4  0xc072d455 in trap_pfault (frame=0xd4880b68, usermode=0, eva=28)
     at /usr/src/sys/i386/i386/trap.c:778
#5  0xc072cfa3 in trap (frame=
       {tf_fs = -1032454136, tf_es = -1056767960, tf_ds = -1056702424, 
tf_edi = -1034484032, tf_esi = -1034467684, tf_ebp = -729281596, tf_isp 
= -729281644, tf_ebx = 0, tf_edx = 0, tf_ecx = -1034484032, tf_eax = 0, 
tf_trapno = 12, tf_err = 0, tf_eip = -1068285194, tf_cs = 32, tf_eflags 
= 66194, tf_esp = -1068339599, tf_ss = -1065760352}) at 
/usr/src/sys/i386/i386/trap.c:463
#6  0xc071c1ea in calltrap () at /usr/src/sys/i386/i386/exception.s:138
#7  0xc05342f6 in uihold (uip=0x0) at pcpu.h:166
#8  0xc0531b92 in crcopy (dest=0xc28f4800, src=0xc28f4800)
     at /usr/src/sys/kern/kern_prot.c:1954
#9  0xc0531bed in crdup (cr=0x0) at /usr/src/sys/kern/kern_prot.c:1973
#10 0xc05b1f73 in kern_access (td=0xc25706c0, path=0x0, 
pathseg=UIO_USERSPACE,
     flags=0) at /usr/src/sys/kern/vfs_syscalls.c:1895
#11 0xc05b1f49 in access (td=0x0, uap=0x0)
     at /usr/src/sys/kern/vfs_syscalls.c:1877
---Type <return> to continue, or q <return> to quit---
#12 0xc072dc03 in syscall (frame=
       {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 4, tf_esi = 
671625216, tf_ebp = -1078200712, tf_isp = -729281180, tf_ebx = 
671568152, tf_edx = -1078199800, tf_ecx = 671625229, tf_eax = 33, 
tf_trapno = 12, tf_err = 2, tf_eip = 671451983, tf_cs = 51, tf_eflags = 
582, tf_esp = -1078200740, tf_ss = 59})
     at /usr/src/sys/i386/i386/trap.c:1015
#13 0xc071c23f in Xint0x80_syscall () at 
/usr/src/sys/i386/i386/exception.s:191
#14 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) f 8
#8  0xc0531b92 in crcopy (dest=0xc28f4800, src=0xc28f4800)
     at /usr/src/sys/kern/kern_prot.c:1954
1954            uihold(dest->cr_uidinfo);
(kgdb) p *dest
$1 = {cr_ref = 1, cr_uid = 0, cr_ruid = 0, cr_svuid = 0, cr_ngroups = 0,
   cr_groups = {0 <repeats 16 times>}, cr_rgid = 0, cr_svgid = 0,
   cr_uidinfo = 0x0, cr_ruidinfo = 0x0, cr_prison = 0x0, cr_label = 0x0}
(kgdb) p *src
$2 = {cr_ref = 1, cr_uid = 0, cr_ruid = 0, cr_svuid = 0, cr_ngroups = 0,
   cr_groups = {0 <repeats 16 times>}, cr_rgid = 0, cr_svgid = 0,
   cr_uidinfo = 0x0, cr_ruidinfo = 0x0, cr_prison = 0x0, cr_label = 0x0}
(kgdb) list
1949
1950            KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1951            bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1952                (unsigned)((caddr_t)&src->cr_endcopy -
1953                    (caddr_t)&src->cr_startcopy));
1954            uihold(dest->cr_uidinfo);
1955            uihold(dest->cr_ruidinfo);
1956            if (jailed(dest))
1957                    prison_hold(dest->cr_prison);
1958    #ifdef MAC

Regards
-- 
Pawel
Received on Sun Jul 23 2006 - 10:08:00 UTC
