callout_reset page fault panic

From: Pawel Worach <pawel.worach_at_gmail.com>
Date: Sat, 20 May 2006 15:22:14 +0200
One day old CURRENT, i386 UP. It died while installing some ports and 
running mplayer. A vmcore and kernel are available (minidumps kick ass!).

Unread portion of the kernel message buffer:
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xc5b29ebc
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc054ca12
stack pointer           = 0x28:0xe6150bb8
frame pointer           = 0x28:0xe6150bc8
code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
processor eflags        = resume, IOPL = 0
current process         = 59233 (mplayer)
trap number             = 12
panic: page fault
KDB: stack backtrace:
kdb_backtrace(c073637c,c078e2a0,c072ad84,e6150ab0,100) at kdb_backtrace+0x2e
panic(c072ad84,c0737a49,c3a53ed8,1,1) at panic+0xb7
trap_fatal(e6150b78,c5b29ebc,0,c5ed4740,c5b29ebc) at trap_fatal+0x33e
trap(e6150008,c08c0028,c3440028,b,c5ed4884) at trap+0x11e
calltrap() at calltrap+0x5
--- trap 0xc, eip = 0xc054ca12, esp = 0xe6150bb8, ebp = 0xe6150bc8 ---
callout_reset(c5ed4884,b,c0563d20,c5ed4740,e6150c10) at callout_reset+0x142
sleepq_set_timeout(c078e944,b,c0736ccc,100,c104d6c8) at 
sleepq_set_timeout+0x2e
msleep(c078e944,0,15c,c0736ccc,b) at msleep+0x205
kern_nanosleep(c5ed4740,e6150c74,e6150c6c,c4f30480,0) at kern_nanosleep+0xc0
nanosleep(c5ed4740,e6150d04,8,16,e6150d30) at nanosleep+0x6d
syscall(3b,3b,bfbf003b,bfbfd6d0,0) at syscall+0x3f3
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (240, FreeBSD ELF32, nanosleep), eip = 0x28bf3423, esp = 
0xbfbfd63c, ebp = 0xbfbfd698 ---
Uptime: 16h13m31s
Physical memory: 1014 MB
Dumping 180 MB: 165 149 133 117 101 85 69 53 37 21 5

#0  doadump () at pcpu.h:166
166     pcpu.h: No such file or directory.
         in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:166
#1  0xc053a0b4 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc053a42d in panic (fmt=0xc072ad84 "%s")
     at /usr/src/sys/kern/kern_shutdown.c:565
#3  0xc06fc4de in trap_fatal (frame=0xe6150b78, eva=0)
     at /usr/src/sys/i386/i386/trap.c:870
#4  0xc06fb9fe in trap (frame=
       {tf_fs = -434831352, tf_es = -1064566744, tf_ds = -1018953688, 
tf_edi = 11, tf_esi = -974305148, tf_ebp = -434828344, tf_isp = 
-434828380, tf_ebx = -974305472, tf_edx = 24700, tf_ecx = 24700, tf_eax 
= -978149700, tf_trapno = 12, tf_err = 2, tf_eip = -1068185070, tf_cs = 
32, tf_eflags = 2162690, tf_esp = 0, tf_ss = -434828172}) at 
/usr/src/sys/i386/i386/trap.c:279
#5  0xc06ea66a in calltrap () at /usr/src/sys/i386/i386/exception.s:138
#6  0xc054ca12 in callout_reset (c=0xc5ed4884, to_ticks=11, ftn=0xc5b29ebc,
     arg=0xc5b29ebc) at /usr/src/sys/kern/kern_timeout.c:463
#7  0xc05633ae in sleepq_set_timeout (wchan=0xc078e944, timo=-978149700)
     at /usr/src/sys/kern/subr_sleepqueue.c:344
#8  0xc0542a95 in msleep (ident=0xc078e944, mtx=0x0, priority=348,
     wmesg=0xc5b29ebc <Address 0xc5b29ebc out of bounds>, timo=11)
     at /usr/src/sys/kern/kern_synch.c:193
#9  0xc05497e0 in kern_nanosleep (td=0xc5ed4740, rqt=0xe6150c74,
     rmt=0xe6150c6c) at /usr/src/sys/kern/kern_time.c:376
#10 0xc054994d in nanosleep (td=0xc5b29ebc, uap=0xe6150d04)
---Type <return> to continue, or q <return> to quit---
     at /usr/src/sys/kern/kern_time.c:422
#11 0xc06fc943 in syscall (frame=
       {tf_fs = 59, tf_es = 59, tf_ds = -1078001605, tf_edi = 
-1077946672, tf_esi = 0, tf_ebp = -1077946728, tf_isp = -434827932, 
tf_ebx = 681145780, tf_edx = 0, tf_ecx = 10000000, tf_eax = 240, 
tf_trapno = 22, tf_err = 2, tf_eip = 683619363, tf_cs = 51, tf_eflags = 
2097666, tf_esp = -1077946820, tf_ss = 59})
     at /usr/src/sys/i386/i386/trap.c:1016
#12 0xc06ea6bf in Xint0x80_syscall () at 
/usr/src/sys/i386/i386/exception.s:191
#13 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) l *0xc054ca12
0xc054ca12 is in callout_reset (/usr/src/sys/kern/kern_timeout.c:463).
458
459             c->c_arg = arg;
460             c->c_flags |= (CALLOUT_ACTIVE | CALLOUT_PENDING);
461             c->c_func = ftn;
462             c->c_time = ticks + to_ticks;
463             TAILQ_INSERT_TAIL(&callwheel[c->c_time & callwheelmask],
464                               c, c_links.tqe);
465             mtx_unlock_spin(&callout_lock);
466
467             return (cancelled);
(kgdb) frame 6
#6  0xc054ca12 in callout_reset (c=0xc5ed4884, to_ticks=11, ftn=0xc5b29ebc,
     arg=0xc5b29ebc) at /usr/src/sys/kern/kern_timeout.c:463
463             TAILQ_INSERT_TAIL(&callwheel[c->c_time & callwheelmask],
(kgdb) p c
$1 = (struct callout *) 0xc5ed4884
(kgdb) p *c
$2 = {c_links = {sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0,
       tqe_prev = 0xc5b29ebc}}, c_time = 58417276, c_arg = 0xc5ed4740,
   c_func = 0xc0563d20 <sleepq_timeout>, c_mtx = 0x0, c_flags = 22}

-- 
Pawel
Received on Sat May 20 2006 - 11:22:19 UTC
