Date:      Sat, 22 Jun 1996 15:12:27 +0300 (EET DST)
From:      Heikki Suonsivu <hsu@clinet.fi>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/1345: kernel page fault, NULL pointer dereference in exit()
Message-ID:  <199606221212.PAA02472@katiska.clinet.fi>
Resent-Message-ID: <199606221220.FAA23664@freefall.freebsd.org>


>Number:         1345
>Category:       kern
>Synopsis:       kernel page fault, NULL pointer dereference in exit()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 22 05:20:00 PDT 1996
>Last-Modified:
>Originator:     Heikki Suonsivu
>Organization:
Clinet, Espoo, Finland
>Release:        FreeBSD 2.2-CURRENT i386
>Environment:

	loaded news server, -current from jun 17 around 15 GMT.

Jun 22 14:32:28 news /kernel: FreeBSD 2.2-CURRENT #13: Mon Jun 17 20:06:43 EET DST 1996
Jun 22 14:32:28 news /kernel:     hsu@news.clinet.fi:/usr/current/src/sys/compile/CLINETNEWS
Jun 22 14:32:28 news /kernel: Calibrating clock(s) relative to mc146818A clock...
Jun 22 14:32:29 news /kernel: i586 clock: 119746140 Hz, i8254 clock: 1193125 Hz
Jun 22 14:32:29 news /kernel: CPU: Pentium (119.75-MHz 586-class CPU)
Jun 22 14:32:29 news /kernel:   Origin = "GenuineIntel"  Id = 0x526  Stepping=6
Jun 22 14:32:29 news /kernel:   Features=0x1bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8>
Jun 22 14:32:30 news /kernel: real memory  = 50331648 (49152K bytes)
Jun 22 14:32:30 news /kernel: avail memory = 47124480 (46020K bytes)
Jun 22 14:32:30 news /kernel: DEVFS: ready for devices
Jun 22 14:32:30 news /kernel: Probing for devices on PCI bus 0:
Jun 22 14:32:30 news /kernel: chip0 <generic PCI bridge (vendor=8086 device=1250 subclass=0)> rev 1 on pci0:0
Jun 22 14:32:30 news /kernel: chip1 <generic PCI bridge (vendor=8086 device=7000 subclass=1)> rev 0 on pci0:7:0
Jun 22 14:32:30 news /kernel: pci0:7:1: Intel Corporation, device=0x7010, class=storage (ide) [no driver assigned]
Jun 22 14:32:30 news /kernel: de0 <Digital DC21040 Ethernet> rev 35 int a irq 10 on pci0:11
Jun 22 14:32:30 news /kernel: de0: DC21040 [10Mb/s] pass 2.3
Jun 22 14:32:30 news /kernel: de0: address 00:c0:95:ec:61:21
Jun 22 14:32:30 news /kernel: de0: enabling BNC/AUI port
Jun 22 14:32:30 news /kernel: chip2 <DEC 21050 PCI-PCI bridge> rev 2 on pci0:12
Jun 22 14:32:30 news /kernel: Probing for devices on PCI bus 1:
Jun 22 14:32:30 news /kernel: ahc0 <Adaptec 3940 SCSI host adapter> rev 0 int a irq 11 on pci1:4
Jun 22 14:32:30 news /kernel: ahc0: aic7870 Channel A, SCSI Id=7, 16 SCBs
Jun 22 14:32:30 news /kernel: ahc0 waiting for scsi devices to settle
Jun 22 14:32:30 news /kernel: (ahc0:0:0): "SEAGATE ST15230N 0638" type 0 fixed SCSI 2
Jun 22 14:32:30 news /kernel: sd0(ahc0:0:0): Direct-Access 4095MB (8386733 512 byte sectors)
Jun 22 14:32:30 news /kernel: sd0(ahc0:0:0): with 3992 cyls, 19 heads, and an average 110 sectors/track
Jun 22 14:32:30 news /kernel: (ahc0:1:0): "SEAGATE ST15230N 0638" type 0 fixed SCSI 2
Jun 22 14:32:30 news /kernel: sd1(ahc0:1:0): Direct-Access 4095MB (8386733 512 byte sectors)
Jun 22 14:32:30 news /kernel: sd1(ahc0:1:0): with 3992 cyls, 19 heads, and an average 110 sectors/track
Jun 22 14:32:30 news /kernel: (ahc0:2:0): "SEAGATE ST15230N 0638" type 0 fixed SCSI 2
Jun 22 14:32:30 news /kernel: sd2(ahc0:2:0): Direct-Access 4095MB (8386733 512 byte sectors)
Jun 22 14:32:30 news /kernel: sd2(ahc0:2:0): with 3992 cyls, 19 heads, and an average 110 sectors/track
Jun 22 14:32:31 news /kernel: (ahc0:3:0): "SEAGATE ST31200N 9348" type 0 fixed SCSI 2
Jun 22 14:32:31 news /kernel: sd3(ahc0:3:0): Direct-Access 1011MB (2072435 512 byte sectors)
Jun 22 14:32:31 news /kernel: sd3(ahc0:3:0): with 2700 cyls, 9 heads, and an average 85 sectors/track
Jun 22 14:32:31 news /kernel: ahc1 <Adaptec 3940 SCSI host adapter> rev 0 int a irq 10 on pci1:5
Jun 22 14:32:31 news /kernel: ahc1: aic7870 Channel B, SCSI Id=7, 16 SCBs
Jun 22 14:32:31 news /kernel: ahc1 waiting for scsi devices to settle
Jun 22 14:32:31 news /kernel: (ahc1:1:0): "SEAGATE ST15230N 0298" type 0 fixed SCSI 2
Jun 22 14:32:31 news /kernel: sd7(ahc1:1:0): Direct-Access 4095MB (8386733 512 byte sectors)
Jun 22 14:32:31 news /kernel: sd7(ahc1:1:0): with 3992 cyls, 19 heads, and an average 110 sectors/track
Jun 22 14:32:31 news /kernel: (ahc1:2:0): "MICROP 2217-15MQ1001901 HQ30" type 0 fixed SCSI 2
Jun 22 14:32:31 news /kernel: sd8(ahc1:2:0): Direct-Access 1685MB (3450902 512 byte sectors)
Jun 22 14:32:31 news /kernel: sd8(ahc1:2:0): with 2372 cyls, 15 heads, and an average 96 sectors/track
Jun 22 14:32:31 news /kernel: Probing for devices on the ISA bus:
Jun 22 14:32:31 news /kernel: vt0 at 0x60-0x6f irq 1 on motherboard
Jun 22 14:32:31 news /kernel: vt0: et3000, 80 col, color, 8 scr, mf2-kbd, [R3.20-b24]
Jun 22 14:32:31 news /kernel: ed0 not found at 0x280
Jun 22 14:32:31 news /kernel: lpt0 at 0x378-0x37f irq 7 on isa
Jun 22 14:32:31 news /kernel: lpt0: Interrupt-driven port
Jun 22 14:32:31 news /kernel: lp0: TCP/IP capable interface
Jun 22 14:32:31 news /kernel: lpt1 not found at 0xffffffff
Jun 22 14:32:31 news /kernel: sio0 at 0x3f8-0x3ff irq 4 on isa
Jun 22 14:32:31 news /kernel: sio0: type 16550A
Jun 22 14:32:31 news /kernel: sio1 at 0x2f8-0x2ff irq 3 on isa
Jun 22 14:32:32 news /kernel: sio1: type 16550A
Jun 22 14:32:32 news /kernel: cy0 not found
Jun 22 14:32:32 news /kernel: bt0 not found at 0x330
Jun 22 14:32:32 news /kernel: aha0 not found at 0x330
Jun 22 14:32:32 news /kernel: wdc0 not found at 0x1f0
Jun 22 14:32:32 news /kernel: fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
Jun 22 14:32:32 news /kernel: fdc0: NEC 72065B
Jun 22 14:32:32 news /kernel: fd0: 1.44MB 3.5in
Jun 22 14:32:32 news /kernel: matcdc0 not found at 0x230
Jun 22 14:32:32 news /kernel: npx0 on motherboard
Jun 22 14:32:32 news /kernel: npx0: INT 16 interface
Jun 22 14:32:32 news /kernel: changing root device to sd0a
Jun 22 14:32:32 news /kernel: DEVFS: ready to run
Jun 22 14:32:32 news /kernel: WARNING: / was not properly dismounted.

>Description:

I think I have seen this twice already with the 17 June kernel.  Otherwise the
kernel seems to be more stable (no VM-specific panics), but I cannot be sure,
as the holidays have just started, so load has dropped considerably.

The kernel and crash dump are at

ftp://ftp.clinet.fi/pub/FreeBSD/crashdumps/*.89.gz

hsu#news.clinet.fi Sat 3: gdb -k kernel.89 vmcore.89
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), 
Copyright 1994 Free Software Foundation, Inc...
IdlePTD 26a000
current pcb at 221684
panic: page fault
#0  boot (howto=256) at ../../i386/i386/machdep.c:940
940                                     dumppcb.pcb_cr3 = rcr3();
(kgdb) bt
#0  boot (howto=256) at ../../i386/i386/machdep.c:940
#1  0xf0117546 in panic (fmt=0xf01cbe6c "page fault")
    at ../../kern/subr_prf.c:127
#2  0xf01cc9da in trap_fatal (frame=0xefbffef0) at ../../i386/i386/trap.c:745
#3  0xf01cc4cc in trap_pfault (frame=0xefbffef0, usermode=0)
    at ../../i386/i386/trap.c:656
#4  0xf01cc19b in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 0, 
      tf_esi = -215522560, tf_ebp = -272629960, tf_isp = -272629992, 
      tf_ebx = -215686656, tf_edx = 14751796, tf_ecx = -215522560, tf_eax = 0, 
      tf_trapno = 12, tf_err = 2, tf_eip = -267337695, tf_cs = 8, 
      tf_eflags = 66118, tf_esp = -266342168, tf_ss = -215522560})
    at ../../i386/i386/trap.c:319
#5  0xf01c4271 in calltrap ()
#6  0xf010bde4 in exit (p=0xf3276300, uap=0xefbfff94, retval=0xefbfff84)
    at ../../kern/kern_exit.c:96
#7  0xf01ccc85 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 0, 
      tf_esi = -1, tf_ebp = -272640756, tf_isp = -272629788, 
      tf_ebx = 134758496, tf_edx = 0, tf_ecx = 1, tf_eax = 1, tf_trapno = 12, 
      tf_err = 7, tf_eip = 134711469, tf_cs = 31, tf_eflags = 658, 
      tf_esp = -272640776, tf_ss = 39}) at ../../i386/i386/trap.c:895
#8  0xf01c42c5 in Xsyscall ()
Cannot access memory at address 0xefbfd50c.
(kgdb) up
#1  0xf0117546 in panic (fmt=0xf01cbe6c "page fault")
    at ../../kern/subr_prf.c:127
127             boot(bootopt);
(kgdb) list
122
123     #if defined(DDB)
124             if (debugger_on_panic)
125                     Debugger ("panic");
126     #endif
127             boot(bootopt);
128     }
129
130     /*
131      * Warn that a system table is full.
(kgdb) up
#2  0xf01cc9da in trap_fatal (frame=0xefbffef0) at ../../i386/i386/trap.c:745
745                     panic(trap_msg[type]);
(kgdb) up
#3  0xf01cc4cc in trap_pfault (frame=0xefbffef0, usermode=0)
    at ../../i386/i386/trap.c:656
656                     trap_fatal(frame);
(kgdb) up
#4  0xf01cc19b in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 0, 
      tf_esi = -215522560, tf_ebp = -272629960, tf_isp = -272629992, 
      tf_ebx = -215686656, tf_edx = 14751796, tf_ecx = -215522560, tf_eax = 0, 
      tf_trapno = 12, tf_err = 2, tf_eip = -267337695, tf_cs = 8, 
      tf_eflags = 66118, tf_esp = -266342168, tf_ss = -215522560})
    at ../../i386/i386/trap.c:319
319                             (void) trap_pfault(&frame, FALSE);
(kgdb) up
#5  0xf01c4271 in calltrap ()
(kgdb) up
#6  0xf010bde4 in exit (p=0xf3276300, uap=0xefbfff94, retval=0xefbfff84)
    at ../../kern/kern_exit.c:96
96              exit1(p, W_EXITCODE(uap->rval, 0));
(kgdb) list
91                      int     rval;
92              } */ *uap;
93              int *retval;
94      {
95
96              exit1(p, W_EXITCODE(uap->rval, 0));
97              /* NOTREACHED */
98      }
99
100     /*
(kgdb) print uap
$1 = (struct rexit_args *) 0x0
(kgdb) print p
$2 = (struct proc *) 0xf3276300
(kgdb) print *p
$3 = {p_forw = 0xf024b84c, p_back = 0x0, p_list = {le_next = 0x0, 
    le_prev = 0xf02454d8}, p_cred = 0xf31a93c0, p_fd = 0xf3074400, 
  p_stats = 0xf7196258, p_limit = 0xf020c52c, p_vmspace = 0xf324e200, 
  p_sigacts = 0xf7196128, p_flag = 24582, p_stat = 5 '\005', 
  p_pad1 = "\001\001", p_pid = 14861, p_pglist = {le_next = 0x0, 
    le_prev = 0xf32e4e34}, p_pptr = 0xf32e4e00, p_sibling = {le_next = 0x0, 
    le_prev = 0xf32e4e48}, p_children = {lh_first = 0x0}, p_oppid = 0, 
  p_dupfd = 0, p_estcpu = 2245, p_cpticks = 1990, p_pctcpu = 4, p_wchan = 0x0, 
  p_wmesg = 0xf012c775 "biowait", p_swtime = 1, p_slptime = 0, p_realtimer = {
    it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 0, 
      tv_usec = 0}}, p_rtime = {tv_sec = 0, tv_usec = 34136}, p_uticks = 2, 
  p_sticks = 1980, p_iticks = 12, p_traceflag = 0, p_tracep = 0x0, 
  p_siglist = 0, p_textvp = 0xf30ab500, p_lock = 0 '\000', 
  p_pad2 = "\000\000", p_locks = 0, p_simple_locks = 0, p_hash = {
    le_next = 0x0, le_prev = 0xe11834}, p_sigmask = 0, 
  p_sigignore = 4294967295, p_sigcatch = 20483, p_priority = 16 '\020', 
  p_usrpri = 127 '\177', p_nice = 0 '\000', 
  p_comm = "cc\000e\000\000r\000\000\000\000\000\000\000\000\000", 
  p_pgrp = 0xf31a9380, p_sysent = 0xf01ff8c0, p_rtprio = {type = 1, prio = 0}, 
  p_addr = 0xf7196000, p_md = {md_flags = 0, md_regs = 0xefbfffbc}, 
  p_xstat = 0, p_acflag = 0, p_ru = 0xf3467700}
(kgdb) up
#7  0xf01ccc85 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 0, 
      tf_esi = -1, tf_ebp = -272640756, tf_isp = -272629788, 
      tf_ebx = 134758496, tf_edx = 0, tf_ecx = 1, tf_eax = 1, tf_trapno = 12, 
      tf_err = 7, tf_eip = 134711469, tf_cs = 31, tf_eflags = 658, 
      tf_esp = -272640776, tf_ss = 39}) at ../../i386/i386/trap.c:895
895             error = (*callp->sy_call)(p, args, rval);
(kgdb) print p
$4 = (struct proc *) 0xf3276300
(kgdb) print args
$5 = {0, 1, 134328416, 134344720, 134344716, -272629828, 2, 0}
(kgdb) print rval
$6 = {0, 0}
(kgdb) down
#6  0xf010bde4 in exit (p=0xf3276300, uap=0xefbfff94, retval=0xefbfff84)
    at ../../kern/kern_exit.c:96
96              exit1(p, W_EXITCODE(uap->rval, 0));
(kgdb) list
91                      int     rval;
92              } */ *uap;
93              int *retval;
94      {
95
96              exit1(p, W_EXITCODE(uap->rval, 0));
97              /* NOTREACHED */
98      }
99
100     /*
(kgdb) print uap
$7 = (struct rexit_args *) 0x0
(kgdb)

This might be a compiler optimization ghost.  I'm compiling with -O.

>How-To-Repeat:

I do not know.

>Fix:

I do not know.


>Audit-Trail:
>Unformatted:

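gdb prints the trap frame in frame #4 above as signed decimals, which hides the kernel addresses and leaves the page-fault error code undecoded. The script below is an added example, not part of the report or of FreeBSD's tools: it parses that `frame={...}` text (a copy of the backtrace above, embedded as constructed input) into unsigned 32-bit values, decodes the i386 page-fault error bits (bit 0 present, bit 1 write, bit 2 user), and measures how far the faulting eip lies from the frame #6 address so the faulting function can be pinned down with `x/i` or `list *` in the same kgdb session. `T_PAGEFLT = 12` is FreeBSD's i386 page-fault trap number; the names `KERNEL_CS`, `RETURN_ADDR_FRAME6` and the function names are the script's own.

```python
import re

# Constructed copy of frame #4 from the kgdb backtrace in the report above,
# embedded here so the decoder runs offline.
TRAP_FRAME_TEXT = """#4  0xf01cc19b in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 0,
      tf_esi = -215522560, tf_ebp = -272629960, tf_isp = -272629992,
      tf_ebx = -215686656, tf_edx = 14751796, tf_ecx = -215522560, tf_eax = 0,
      tf_trapno = 12, tf_err = 2, tf_eip = -267337695, tf_cs = 8,
      tf_eflags = 66118, tf_esp = -266342168, tf_ss = -215522560})
    at ../../i386/i386/trap.c:319"""

T_PAGEFLT = 12                   # i386 page-fault trap number (FreeBSD <machine/trap.h>)
KERNEL_CS = 8                    # assumed kernel code selector for this kernel
RETURN_ADDR_FRAME6 = 0xf010bde4  # frame #6 address from the same backtrace


def parse_trap_frame(text):
    """Parse gdb's 'frame={tf_x = N, ...}' dump into {field: unsigned 32-bit int}.

    gdb prints the struct trapframe members as signed ints, so each value is
    masked to 32 bits to recover the address or selector it really holds.
    """
    m = re.search(r"frame=\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no frame={...} in text")
    return {name: int(val) & 0xFFFFFFFF
            for name, val in re.findall(r"(tf_\w+)\s*=\s*(-?\d+)", m.group(1))}


def decode_pf_error(err):
    """Decode the i386 page-fault error code pushed by the CPU."""
    return {
        "present": bool(err & 1),   # False: the page was not present
        "write": bool(err & 2),     # True: the faulting access was a write
        "user": bool(err & 4),      # True: fault raised from ring 3
    }


def summarize(frame):
    """One-line human-readable description of a kernel trap frame."""
    eip = frame["tf_eip"]
    if frame["tf_trapno"] != T_PAGEFLT:
        return "trap %d at eip 0x%08x (cs=0x%x)" % (frame["tf_trapno"], eip, frame["tf_cs"])
    e = decode_pf_error(frame["tf_err"])
    return ("page fault at eip 0x%08x: %s to a %s page from %s mode; "
            "eax=0x%08x edi=0x%08x esi=0x%08x ebx=0x%08x edx=0x%08x" % (
                eip,
                "write" if e["write"] else "read",
                "present" if e["present"] else "not-present",
                "user" if e["user"] else "kernel",
                frame["tf_eax"], frame["tf_edi"], frame["tf_esi"],
                frame["tf_ebx"], frame["tf_edx"]))


def offset_from(frame, addr):
    """Bytes from a known code address to the faulting eip.  Feed the eip to
    'x/i 0x...' or 'list *0x...' in kgdb to see which function really faulted."""
    return (frame["tf_eip"] - addr) & 0xFFFFFFFF


if __name__ == "__main__":
    fr = parse_trap_frame(TRAP_FRAME_TEXT)
    print(summarize(fr))
    print("faulting eip is 0x%x bytes past frame #6's 0x%08x"
          % (offset_from(fr, RETURN_ADDR_FRAME6), RETURN_ADDR_FRAME6))
```

Run as-is it reports a write to a not-present page from kernel mode at eip 0xf010c021, 0x23d bytes past frame #6's 0xf010bde4; since the calltrap entry in frame #5 carries no debug information, the exit() line attribution in frame #6 should be checked against that decoded eip. The decoded registers also line up with values printed elsewhere in the report: tf_esi and tf_ecx are 0xf3276300, the proc pointer p; tf_ebx is 0xf324e200, the p_vmspace value in the `print *p` output; tf_edx is 0xe11834, the p_hash.le_prev value there.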