On Tue, Dec 15, 2015 at 05:42:38PM +0100, Fabian Keil wrote:
> I've seen the following panic a couple of times in the last three
> months, usually while poudriere was running and with sh being the
> current process.
>
> This one is from a system based on r290926 running with
> kern.randompid=9001 and forking frequently (>1000 forks/second)
> due to poudriere and afl-fuzz:
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 1; apic id = 04
> fault virtual address   = 0x618b00a8
> fault code              = supervisor read data, page not present
> instruction pointer     = 0x20:0xffffffff80909158
> stack pointer           = 0x28:0xfffffe011e03b940
> frame pointer           = 0x28:0xfffffe011e03b960
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 71325 (sh)
> trap number             = 12
> panic: page fault
> cpuid = 1
> KDB: stack backtrace:
> [...]
> Uptime: 13d20h43m20s
> [...]
> (kgdb) where
> #0  doadump (textdump=1) at pcpu.h:221
> #1  0xffffffff8094a923 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:364
> #2  0xffffffff8094ae8b in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:757
> #3  0xffffffff8094acc3 in panic (fmt=0x0) at /usr/src/sys/kern/kern_shutdown.c:688
> #4  0xffffffff80c2fbb1 in trap_fatal (frame=<value optimized out>, eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:834
> #5  0xffffffff80c2fda4 in trap_pfault (frame=0xfffffe011e03b890, usermode=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:684
> #6  0xffffffff80c2f55e in trap (frame=0xfffffe011e03b890) at /usr/src/sys/amd64/amd64/trap.c:435
> #7  0xffffffff80c120a7 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:234
> #8  0xffffffff80909158 in fork_findpid (flags=<value optimized out>) at /usr/src/sys/kern/kern_fork.c:281

It is the values of *p and *(p->p_pgrp) that are needed, from frame 8.

> #9  0xffffffff80907225 in do_fork (td=0xfffff8009db9a9a0, flags=20, p2=0xfffff8009dbe1a90, td2=0xfffff800aa6884d0, vm2=0xfffff800a9eee000, pdflags=0) at /usr/src/sys/kern/kern_fork.c:385
> #10 0xffffffff80906c08 in fork1 (td=0xfffff8009db9a9a0, flags=20, pages=<value optimized out>, procp=0xfffffe011e03bac0, procdescp=0x0, pdflags=99999, fcaps=<value optimized out>)
>     at /usr/src/sys/kern/kern_fork.c:937
> #11 0xffffffff809066ca in sys_fork (td=0xfffff8009db9a9a0, uap=<value optimized out>) at /usr/src/sys/kern/kern_fork.c:108
> #12 0xffffffff80c3054b in amd64_syscall (td=0xfffff8009db9a9a0, traced=0) at subr_syscall.c:140
> #13 0xffffffff80c1238b in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:394
> #14 0x00000008009257aa in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> Current language:  auto; currently minimal
> (kgdb) f 8
> #8  0xffffffff80909158 in fork_findpid (flags=<value optimized out>) at /usr/src/sys/kern/kern_fork.c:281
> warning: Source file is more recent than executable.
>
> 281                         (p->p_pgrp != NULL &&
> (kgdb) l -
> 271              * id is kept reserved only while there is a
> 272              * non-reaped process in the subtree, so amount of
> 273              * reserved pids is limited by process limit times
> 274              * two.
> 275              */
> 276             p = LIST_FIRST(&allproc);
> 277 again:
> 278             for (; p != NULL; p = LIST_NEXT(p, p_list)) {
> 279                     while (p->p_pid == trypid ||
> 280                         p->p_reapsubtree == trypid ||
> (kgdb) l
> 281                         (p->p_pgrp != NULL &&
> 282                         (p->p_pgrp->pg_id == trypid ||
> 283                         (p->p_session != NULL &&
> 284                         p->p_session->s_sid == trypid)))) {
> 285                             trypid++;
> 286                             if (trypid >= pidchecked)
> 287                                     goto retry;
> 288                     }
> 289                     if (p->p_pid > trypid && pidchecked > p->p_pid)
> 290                             pidchecked = p->p_pid;

Received on Wed Dec 16 2015 - 12:33:24 UTC
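The kgdb listing quoted in the report shows only the inner loop of fork_findpid(): each candidate pid is compared against every process's pid, reaper-subtree id, process-group id and session id, and pidchecked records the lowest pid above the candidate so the scan knows when a bumped candidate might collide with a process it has already passed. The following is an added, stand-alone user-space model of that search written for this thread; it is not code from the mailing-list post or from the FreeBSD tree. The struct layouts, the PID_MAX value and the process table are constructed, and the list is deliberately unordered by pid, as allproc is, so that the goto retry rescan path is exercised.

```c
/*
 * Added example, not code from the thread or from FreeBSD: a user-space
 * model of the pid search loop quoted from fork_findpid() in
 * sys/kern/kern_fork.c. Struct layouts, PID_MAX and the sample process
 * table below are constructed assumptions.
 */
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

struct pgrp    { pid_t pg_id; };
struct session { pid_t s_sid; };

struct proc {
    pid_t           p_pid;
    pid_t           p_reapsubtree;  /* reaper subtree id, kept reserved */
    struct pgrp    *p_pgrp;         /* NULL while a process is torn down */
    struct session *p_session;      /* NULL when there is no session */
    struct proc    *p_next;         /* stands in for LIST_NEXT(p, p_list) */
};

#define PID_MAX 99999               /* models pid_max; constructed value */

/*
 * Return the lowest pid >= trypid that no process on the list uses as its
 * pid, reaper subtree id, process group id or session id, or -1 when the
 * range above trypid is exhausted (the kernel wraps around instead).
 * pidchecked remembers the lowest pid above trypid seen so far: once the
 * candidate is bumped up to it, a process already scanned may own the new
 * candidate, so the scan restarts from the head of the list.
 */
pid_t
find_free_pid(struct proc *allproc, pid_t trypid)
{
    pid_t pidchecked;
    struct proc *p;

retry:
    if (trypid > PID_MAX)
        return (-1);
    pidchecked = PID_MAX;
    for (p = allproc; p != NULL; p = p->p_next) {
        while (p->p_pid == trypid ||
            p->p_reapsubtree == trypid ||
            (p->p_pgrp != NULL &&
            (p->p_pgrp->pg_id == trypid ||
            (p->p_session != NULL &&
            p->p_session->s_sid == trypid)))) {
            trypid++;
            if (trypid >= pidchecked)
                goto retry;
        }
        if (p->p_pid > trypid && pidchecked > p->p_pid)
            pidchecked = p->p_pid;
    }
    return (trypid);
}

/* Constructed process table; like allproc it is not sorted by pid. */
static struct pgrp    pg9006 = { 9006 }, pg9001 = { 9001 }, pg9005 = { 9005 },
                      pg9003 = { 9003 }, pg500 = { 500 };
static struct session s9006 = { 9006 }, s9001 = { 9001 }, s9005 = { 9005 },
                      s9003 = { 9003 }, s500 = { 500 };
static struct proc procs[] = {
    { 9006,    1, &pg9006, &s9006, NULL },
    { 9001,    1, &pg9001, &s9001, NULL },
    { 9002, 9001, NULL,    NULL,   NULL }, /* exiting: p_pgrp already NULL */
    { 9005,    1, &pg9005, &s9005, NULL },
    { 9010,    1, &pg9003, &s9003, NULL }, /* leader 9003 is gone, id reserved */
    {  500,    1, &pg500,  &s500,  NULL },
};

/* Link the constructed table into a singly linked list and return its head. */
struct proc *
sample_allproc(void)
{
    size_t i, n = sizeof(procs) / sizeof(procs[0]);

    for (i = 0; i + 1 < n; i++)
        procs[i].p_next = &procs[i + 1];
    procs[n - 1].p_next = NULL;
    return (&procs[0]);
}

int
main(void)
{
    struct proc *allproc = sample_allproc();

    /* 9001 and 9002 are pids and 9003 a reserved group id, so 9004 is free. */
    printf("from 9001: %d\n", find_free_pid(allproc, 9001));
    /* 9005 is in use and 9006 was passed earlier: the rescan yields 9007. */
    printf("from 9005: %d\n", find_free_pid(allproc, 9005));
    return (0);
}
```

Starting at 9005 is the instructive case: the loop has already passed the process with pid 9006 when it bumps the candidate to 9006, and only the `goto retry` restart keeps it from handing out a pid that is still in use. The model keeps the `p->p_pgrp != NULL` test from line 281 of the listing; a process whose p_pgrp has been cleared during exit is skipped on that clause rather than dereferenced.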