Date: Fri, 19 Jan 1996 11:39:31 +0200 (EET)
From: Heikki Suonsivu <hsu@clinet.fi>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/956: Kernel page fault, null callp in syscall
Message-ID: <199601190939.LAA20615@katiska.clinet.fi>
Resent-Message-ID: <199601190950.BAA03448@freefall.freebsd.org>
>Number:         956
>Category:       kern
>Synopsis:       Kernel page fault, null callp
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 19 01:50:03 PST 1996
>Last-Modified:
>Originator:     Heikki Suonsivu
>Organization:
Clinet, Espoo, Finland
>Release:        FreeBSD 2.2-CURRENT i386
>Environment:
Loaded news & user & WWW server.

Jan 18 21:16:25 katiska /kernel: FreeBSD 2.2-CURRENT #7: Mon Jan 8 04:58:16 EET 1996
Jan 18 21:16:25 katiska /kernel: hsu@katiska.clinet.fi:/usr/current/src/sys/compile/CLINETSERVER
Jan 18 21:16:26 katiska /kernel: CPU: Pentium (90.19-MHz 586-class CPU)
Jan 18 21:16:26 katiska /kernel: Origin = "GenuineIntel" Id = 0x524 Stepping=4
Jan 18 21:16:26 katiska /kernel: Features=0x1bf<FPU,VME,PSE,MCE,CX8,APIC>
Jan 18 21:16:26 katiska /kernel: real memory = 67108864 (65536K bytes)
Jan 18 21:16:26 katiska /kernel: avail memory = 63537152 (62048K bytes)
Jan 18 21:16:26 katiska /kernel: DEVFS: ready for devices
Jan 18 21:16:26 katiska /kernel: Probing for devices on the PCI bus:
Jan 18 21:16:26 katiska /kernel: chip0 <Intel 82434NX (Neptune) PCI cache memory controller> rev 17 on pci0:0
Jan 18 21:16:26 katiska /kernel: chip1 <Intel 82378IB PCI-ISA bridge> rev 67 on pci0:2
Jan 18 21:16:26 katiska /kernel: de0 <Digital DC21040 Ethernet> rev 35 int a irq 11 on pci0:6
Jan 18 21:16:27 katiska /kernel: de0: DC21040 [10Mb/s] pass 2.3 Ethernet address 00:c0:95:ec:47:a3
Jan 18 21:16:27 katiska /kernel: de0: enabling Thinwire/AUI port
Jan 18 21:16:27 katiska /kernel: ncr0 <ncr 53c810 scsi> rev 2 int a irq 9 on pci0:12
Jan 18 21:16:27 katiska /kernel: ncr0 waiting for scsi devices to settle
Jan 18 21:16:27 katiska /kernel: (ncr0:0:0): "SEAGATE ST15230N 0298" type 0 fixed SCSI 2
Jan 18 21:16:27 katiska /kernel: sd0(ncr0:0:0): Direct-Access
Jan 18 21:16:27 katiska /kernel: sd0(ncr0:0:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Jan 18 21:16:27 katiska /kernel: 4095MB (8386733 512 byte sectors)
Jan 18 21:16:27 katiska /kernel: sd0(ncr0:0:0): with 3992 cyls, 19 heads, and an average 110 sectors/track
Jan 18 21:16:27 katiska /kernel: (ncr0:3:0): "SEAGATE ST31200N 9348" type 0 fixed SCSI 2
Jan 18 21:16:27 katiska /kernel: sd3(ncr0:3:0): Direct-Access
Jan 18 21:16:27 katiska /kernel: sd3(ncr0:3:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Jan 18 21:16:27 katiska /kernel: 1011MB (2072435 512 byte sectors)
Jan 18 21:16:27 katiska /kernel: sd3(ncr0:3:0): with 2700 cyls, 9 heads, and an average 85 sectors/track
Jan 18 21:16:27 katiska /kernel: (ncr0:4:0): "HP C1533A 9503" type 1 removable SCSI 2
Jan 18 21:16:27 katiska /kernel: st4(ncr0:4:0): Sequential-Access
Jan 18 21:16:27 katiska /kernel: st4(ncr0:4:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Jan 18 21:16:27 katiska /kernel: density code 0x24, 512-byte blocks, write-enabled
Jan 18 21:16:27 katiska /kernel: ncr1 <ncr 53c810 scsi> rev 1 int a irq 9 on pci0:14
Jan 18 21:16:27 katiska /kernel: ncr1 waiting for scsi devices to settle
Jan 18 21:16:27 katiska /kernel: (ncr1:1:0): "SEAGATE ST15230N 0638" type 0 fixed SCSI 2
Jan 18 21:16:27 katiska /kernel: sd7(ncr1:1:0): Direct-Access
Jan 18 21:16:27 katiska /kernel: sd7(ncr1:1:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Jan 18 21:16:27 katiska /kernel: 4095MB (8386733 512 byte sectors)
Jan 18 21:16:27 katiska /kernel: sd7(ncr1:1:0): with 3992 cyls, 19 heads, and an average 110 sectors/track
Jan 18 21:16:28 katiska /kernel: (ncr1:2:0): "SEAGATE ST15230N 0638" type 0 fixed SCSI 2
Jan 18 21:16:28 katiska /kernel: sd8(ncr1:2:0): Direct-Access
Jan 18 21:16:28 katiska /kernel: sd8(ncr1:2:0): FAST SCSI-2 100ns (10 Mb/sec) offset 8.
Jan 18 21:16:28 katiska /kernel: 4095MB (8386733 512 byte sectors)
Jan 18 21:16:28 katiska /kernel: sd8(ncr1:2:0): with 3992 cyls, 19 heads, and an average 110 sectors/track
Jan 18 21:16:28 katiska /kernel: Probing for devices on the ISA bus:
Jan 18 21:16:28 katiska /kernel: vt0 at 0x60-0x6f irq 1 on motherboard
Jan 18 21:16:28 katiska /kernel: vt0: generic, 80/132 col, mono, 8 scr, mf2-kbd, [R3.20-b24]
Jan 18 21:16:28 katiska /kernel: ed0 not found at 0x280
Jan 18 21:16:28 katiska /kernel: lpt0 at 0x378-0x37f irq 7 on isa
Jan 18 21:16:28 katiska /kernel: lpt0: Interrupt-driven port
Jan 18 21:16:28 katiska /kernel: lp0: TCP/IP capable interface
Jan 18 21:16:28 katiska /kernel: lpt1 not found at 0xffffffff
Jan 18 21:16:28 katiska /kernel: sio0 at 0x3f8-0x3ff irq 4 on isa
Jan 18 21:16:28 katiska /kernel: sio0: type 16550A
Jan 18 21:16:28 katiska /kernel: sio1 at 0x2f8-0x2ff irq 3 on isa
Jan 18 21:16:28 katiska /kernel: sio1: type 16550A
Jan 18 21:16:29 katiska /kernel: pca0 on motherboard
Jan 18 21:16:29 katiska /kernel: pca0: PC speaker audio driver
Jan 18 21:16:29 katiska /kernel: cy0 not found
Jan 18 21:16:29 katiska /kernel: bt0 not found at 0x330
Jan 18 21:16:29 katiska /kernel: aha0 not found at 0x330
Jan 18 21:16:29 katiska /kernel: wdc0 not found at 0x1f0
Jan 18 21:16:29 katiska /kernel: fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
Jan 18 21:16:29 katiska /kernel: fdc0: NEC 72065B
Jan 18 21:16:29 katiska /kernel: fd0: 1.44MB 3.5in
Jan 18 21:16:29 katiska /kernel: matcdc0 not found at 0x230
Jan 18 21:16:29 katiska /kernel: npx0 on motherboard
Jan 18 21:16:29 katiska /kernel: npx0: INT 16 interface
Jan 18 21:16:29 katiska /kernel: changing root device to sd0a
Jan 18 21:16:29 katiska /kernel: devfs ready to run
Jan 18 21:16:29 katiska /kernel: new masks: bio c0000240, tty c003089a, net c003089a
Jan 18 21:16:29 katiska /kernel: WARNING: / was not properly dismounted.
>Description:
[Dumps are available in ftp://ftp.clinet.fi/pub/FreeBSD/crashdumps/*.51.gz]

Script started on Thu Jan 18 21:23:24 1996
marko has logged on ttyp0 from ahven.
jsn has logged on ttyp1 from nekku.
ms has logged on ttyp2 from road.
hsu has logged on ttyp5 from unix:1.0.
hsu has logged on ttyp6 from unix:2.0.
jsn has logged on ttyp7 from katiska.
kesis has logged on ttyp8 from karvinen.
vph has logged on ttypa from mood.
aniti has logged on ttypb from uvapsy.
ollilape has logged on ttypc from karvinen.
tmoh has logged on ttypd from nekku.
jleino has logged on ttype from clinet.
tph has logged on ttypf from zetor.
pedica has logged on ttypg from karvinen.
ken has logged on ttyph from ken.
hsu#katiska.clinet.fi Thu 1: gdb -k kernel.51 vmcore.51
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), Copyright 1994 Free Software Foundation, Inc...
IdlePTD 257000
current pcb at 212e50
panic: page fault
#0  boot (howto=256) at ../../i386/i386/machdep.c:931
931             dumppcb.pcb_ptd = rcr3();
(kgdb) bt
#0  boot (howto=256) at ../../i386/i386/machdep.c:931
#1  0xf0115e43 in panic (fmt=0xf01c300e "page fault") at ../../kern/subr_prf.c:126
#2  0xf01c3b2a in trap_fatal (frame=0xefbffee4) at ../../i386/i386/trap.c:757
#3  0xf01c369c in trap_pfault (frame=0xefbffee4, usermode=0) at ../../i386/i386/trap.c:679
#4  0xf01c333b in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = -235949056, tf_ebp = -272629940, tf_isp = -272630004, tf_ebx = -237227776, tf_edx = 1, tf_ecx = -238216768, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -267190841, tf_cs = 8, tf_eflags = 66118, tf_esp = -272629868, tf_ss = -237227776}) at ../../i386/i386/trap.c:320
#5  0xf01b9211 in calltrap ()
#6  0xf01c3df7 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 1214276, tf_esi = 1, tf_ebp = -272640208, tf_isp = -272629788, tf_ebx = 19767, tf_edx = 1229324, tf_ecx = 1231300, tf_eax = 95, tf_trapno = 7, tf_err = 518, tf_eip = 136028837, tf_cs = 31, tf_eflags = 518, tf_esp = -272640240, tf_ss = 39}) at ../../i386/i386/trap.c:917
#7  0xf01b925d in Xsyscall ()
#8  0x2bd11 in ?? ()
#9  0x2ab19 in ?? ()
#10 0xefbfe12c in ?? ()
#11 0x416e in ?? ()
---Type <return> to continue, or q <return> to quit---
#12 0x2dcc1 in ?? ()
#13 0x31caf in ?? ()
#14 0x2cdc1 in ?? ()
#15 0x6c128 in ?? ()
#16 0x2c99d in ?? ()
#17 0x6bd8a in ?? ()
#18 0x2c968 in ?? ()
#19 0x2c4d6 in ?? ()
#20 0x2c5a1 in ?? ()
#21 0x2b727 in ?? ()
#22 0x1096 in ?? ()
(kgdb) up
#1  0xf0115e43 in panic (fmt=0xf01c300e "page fault") at ../../kern/subr_prf.c:126
126             boot(bootopt);
(kgdb) up
#2  0xf01c3b2a in trap_fatal (frame=0xefbffee4) at ../../i386/i386/trap.c:757
757             panic(trap_msg[type]);
(kgdb) print type
$1 = 12
(kgdb) print trap_msg[type
syntax error
(kgdb) print trap_msg[type]
$2 = 0xf01c300e "page fault"
(kgdb) up
#3  0xf01c369c in trap_pfault (frame=0xefbffee4, usermode=0) at ../../i386/i386/trap.c:679
679                     trap_fatal(frame);
(kgdb) list
674             if (!usermode) {
675                     if (curpcb && curpcb->pcb_onfault) {
676                             frame->tf_eip = (int)curpcb->pcb_onfault;
677                             return (0);
678                     }
679                     trap_fatal(frame);
680                     return (-1);
681             }
682
683             /* kludge to pass faulting virtual address to sendsig */
(kgdb) up
#4  0xf01c333b in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = -235949056, tf_ebp = -272629940, tf_isp = -272630004, tf_ebx = -237227776, tf_edx = 1, tf_ecx = -238216768, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -267190841, tf_cs = 8, tf_eflags = 66118, tf_esp = -272629868, tf_ss = -237227776}) at ../../i386/i386/trap.c:320
320                     (void) trap_pfault(&frame, FALSE);
(kgdb) list
315             } else {
316                     /* kernel trap */
317
318                     switch (type) {
319                     case T_PAGEFLT:         /* page fault */
320                             (void) trap_pfault(&frame, FALSE);
321                             return;
322
323                     case T_PROTFLT:         /* general protection fault */
324                     case T_SEGNPFLT:        /* segment not present fault */
(kgdb) up
#5  0xf01b9211 in calltrap ()
(kgdb) list
325                             /*
326                              * Invalid segment selectors and out of bounds
327                              * %eip's and %esp's can be set up in user mode.
328                              * This causes a fault in kernel mode when the
329                              * kernel tries to return to user mode.  We want
330                              * to get this fault so that we can fix the
331                              * problem here and not have to check all the
332                              * selectors and pointers when the user changes
333                              * them.
334                              */
(kgdb) up
#6  0xf01c3df7 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 1214276, tf_esi = 1, tf_ebp = -272640208, tf_isp = -272629788, tf_ebx = 19767, tf_edx = 1229324, tf_ecx = 1231300, tf_eax = 95, tf_trapno = 7, tf_err = 518, tf_eip = 136028837, tf_cs = 31, tf_eflags = 518, tf_esp = -272640240, tf_ss = 39}) at ../../i386/i386/trap.c:917
917             error = (*callp->sy_call)(p, args, rval);
(kgdb) list
912                     ktrsyscall(p->p_tracep, code, callp->sy_narg, args);
913     #endif
914             rval[0] = 0;
915             rval[1] = frame.tf_edx;
916
917             error = (*callp->sy_call)(p, args, rval);
918
919             switch (error) {
920
921             case 0:
(kgdb) print callp
$3 = (struct sysent *) 0x0
(kgdb) print p
$4 = (struct proc *) 0xf1efb400
(kgdb) print args
$5 = {1, 1220952, 136077408, 1229324, 18, -272629828, 47, 0}
(kgdb) print rval
$6 = {0, 1229324}
(kgdb) print callp
$7 = (struct sysent *) 0x0
(kgdb) up
#7  0xf01b925d in Xsyscall ()
(kgdb) list
922                     /*
923                      * Reinitialize proc pointer `p' as it may be different
924                      * if this is a child returning from fork syscall.
925                      */
926                     p = curproc;
927                     frame.tf_eax = rval[0];
928                     frame.tf_edx = rval[1];
929                     frame.tf_eflags &= ~PSL_C;
930                     break;
931
(kgdb) print p
No symbol "p" in current context.
(kgdb) down
#6  0xf01c3df7 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 1214276, tf_esi = 1, tf_ebp = -272640208, tf_isp = -272629788, tf_ebx = 19767, tf_edx = 1229324, tf_ecx = 1231300, tf_eax = 95, tf_trapno = 7, tf_err = 518, tf_eip = 136028837, tf_cs = 31, tf_eflags = 518, tf_esp = -272640240, tf_ss = 39}) at ../../i386/i386/trap.c:917
917             error = (*callp->sy_call)(p, args, rval);
(kgdb) list 900
895                     code &= p->p_sysent->sv_mask;
896
897             if (code >= p->p_sysent->sv_size)
898                     callp = &p->p_sysent->sv_table[0];
899             else
900                     callp = &p->p_sysent->sv_table[code];
901
902             if ((i = callp->sy_narg * sizeof(int)) &&
903                 (error = copyin(params, (caddr_t)args, (u_int)i))) {
904     #ifdef KTRACE
(kgdb) list
905                     if (KTRPOINT(p, KTR_SYSCALL))
906                             ktrsyscall(p->p_tracep, code, callp->sy_narg, args);
907     #endif
908                     goto bad;
909             }
910     #ifdef KTRACE
911             if (KTRPOINT(p, KTR_SYSCALL))
912                     ktrsyscall(p->p_tracep, code, callp->sy_narg, args);
913     #endif
914             rval[0] = 0;
(kgdb)
915             rval[1] = frame.tf_edx;
916
917             error = (*callp->sy_call)(p, args, rval);
918
919             switch (error) {
920
921             case 0:
922                     /*
923                      * Reinitialize proc pointer `p' as it may be different
924                      * if this is a child returning from fork syscall.
(kgdb) list 800
795     int trapwrite(addr)
796             unsigned addr;
797     {
798             struct proc *p;
799             vm_offset_t va, v;
800             struct vmspace *vm;
801             int rv;
802
803             va = trunc_page((vm_offset_t)addr);
804             /*
(kgdb) list
805              * XXX - MAX is END.  Changed > to >= for temp. fix.
806              */
807             if (va >= VM_MAXUSER_ADDRESS)
808                     return (1);
809
810             p = curproc;
811             vm = p->p_vmspace;
812
813             ++p->p_lock;
814
(kgdb)
815             if ((caddr_t)va >= vm->vm_maxsaddr
816                 && (caddr_t)va < (caddr_t)USRSTACK) {
817                     if (!grow(p, va)) {
818                             --p->p_lock;
819                             return (1);
820                     }
821             }
822
823             v = trunc_page(vtopte(va));
824
(kgdb)
825             /*
826              * wire the pte page
827              */
828             if (va < USRSTACK) {
829                     vm_map_pageable(&vm->vm_map, v, round_page(v+1), FALSE);
830             }
831
832             /*
833              * fault the data page
834              */
(kgdb)
835             rv = vm_fault(&vm->vm_map, va, VM_PROT_READ|VM_PROT_WRITE, FALSE);
836
837             /*
838              * unwire the pte page
839              */
840             if (va < USRSTACK) {
841                     vm_map_pageable(&vm->vm_map, v, round_page(v+1), TRUE);
842             }
843
844             --p->p_lock;
(kgdb)
845
846             if (rv != KERN_SUCCESS)
847                     return 1;
848
849             return (0);
850     }
851
852     /*
853      * System call request from POSIX system call gate interface to kernel.
854      * Like trap(), argument is call by reference.
(kgdb)
855      */
856     void
857     syscall(frame)
858             struct trapframe frame;
859     {
860             caddr_t params;
861             int i;
862             struct sysent *callp;
863             struct proc *p = curproc;
864             u_quad_t sticks;
(kgdb)
865             int error;
866             int args[8], rval[2];
867             u_int code;
868
869             sticks = p->p_sticks;
870             if (ISPL(frame.tf_cs) != SEL_UPL)
871                     panic("syscall");
872
873             p->p_md.md_regs = (int *)&frame;
874             params = (caddr_t)frame.tf_esp + sizeof(int);
(kgdb)
875             code = frame.tf_eax;
876             /*
877              * Need to check if this is a 32 bit or 64 bit syscall.
878              */
879             if (code == SYS_syscall) {
880                     /*
881                      * Code is first argument, followed by actual args.
882                      */
883                     code = fuword(params);
884                     params += sizeof(int);
(kgdb)
885             } else if (code == SYS___syscall) {
886                     /*
887                      * Like syscall, but code is a quad, so as to maintain
888                      * quad alignment for the rest of the arguments.
889                      */
890                     code = fuword(params);
891                     params += sizeof(quad_t);
892             }
893
894             if (p->p_sysent->sv_mask)
(kgdb)
895                     code &= p->p_sysent->sv_mask;
896
897             if (code >= p->p_sysent->sv_size)
898                     callp = &p->p_sysent->sv_table[0];
899             else
900                     callp = &p->p_sysent->sv_table[code];
901
902             if ((i = callp->sy_narg * sizeof(int)) &&
903                 (error = copyin(params, (caddr_t)args, (u_int)i))) {
904     #ifdef KTRACE
(kgdb)
905                     if (KTRPOINT(p, KTR_SYSCALL))
906                             ktrsyscall(p->p_tracep, code, callp->sy_narg, args);
907     #endif
908                     goto bad;
909             }
910     #ifdef KTRACE
911             if (KTRPOINT(p, KTR_SYSCALL))
912                     ktrsyscall(p->p_tracep, code, callp->sy_narg, args);
913     #endif
914             rval[0] = 0;
(kgdb)
915             rval[1] = frame.tf_edx;
916
917             error = (*callp->sy_call)(p, args, rval);
918
919             switch (error) {
920
921             case 0:
922                     /*
923                      * Reinitialize proc pointer `p' as it may be different
924                      * if this is a child returning from fork syscall.
(kgdb) print frame
$8 = {tf_es = 39, tf_ds = 39, tf_edi = 1214276, tf_esi = 1, tf_ebp = -272640208, tf_isp = -272629788, tf_ebx = 19767, tf_edx = 1229324, tf_ecx = 1231300, tf_eax = 95, tf_trapno = 7, tf_err = 518, tf_eip = 136028837, tf_cs = 31, tf_eflags = 518, tf_esp = -272640240, tf_ss = 39}
(kgdb) print code
$9 = 95
(kgdb) print p
$10 = (struct proc *) 0xf1efb400
(kgdb) print p->p_sysent
$11 = (struct sysentvec *) 0xf1c69954
(kgdb) print p->p_sysent->sv_table[code]
Cannot access memory at address 0x1694637c.
(kgdb) print p->p_sysent->sv_table
$12 = (struct sysent *) 0x16946084
(kgdb) print *p->p_sysent->sv_table
Cannot access memory at address 0x16946084.
(kgdb) print *p->p_sysent
$13 = {sv_size = -1856762694, sv_table = 0x16946084, sv_mask = 4059800832, sv_sigsize = 358187, sv_sigtbl = 0x0, sv_errsize = -1292224025, sv_errtbl = 0x974e25d3, sv_fixup = 0x93f21924}
(kgdb) set radix 16
Input and output radices now set to decimal 16, hex 10, octal 20.
(kgdb) print *p->p_sysent
$14 = {sv_size = 0x91540cba, sv_table = 0x16946084, sv_mask = 0xf1fba500, sv_sigsize = 0x5772b, sv_sigtbl = 0x0, sv_errsize = 0xb2fa39e7, sv_errtbl = 0x974e25d3, sv_fixup = 0x93f21924}
(kgdb) quit
hsu#katiska.clinet.fi Thu 2:
Script done on Thu Jan 18 21:27:42 1996
>How-To-Repeat:
Put 50 users, a full news server and loaded apache server in the same machine.
>Fix:
>Audit-Trail:
>Unformatted:
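The following is an added worked example, not part of the report above and not FreeBSD source: it models the index selection and dispatch from the syscall() listing (mask, bounds check, table lookup, call) with simplified stand-ins for struct sysent and struct sysentvec, and then feeds in the sysentvec values kgdb printed from the dump ($14) to show what that logic does with them without dereferencing the bogus table pointer. The struct definitions, the ENOSYS value of 78, the SV_SIZE_MAX bound, the demo handlers and the sanity check are all assumptions made for the example; the check illustrates how a corrupt vector could be refused at dispatch time and says nothing about what corrupted p->p_sysent in the first place.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not FreeBSD code. Simplified stand-ins for struct sysent and
 * struct sysentvec: only the fields the dispatch in syscall() touches, with the
 * same types as the kgdb listing (sv_size is int, the syscall code is u_int). */
typedef int sy_call_t(void *p, int *args, int *rval);

struct sysent {
    int        sy_narg;
    sy_call_t *sy_call;
};

struct sysentvec {
    int            sv_size;   /* entries in sv_table */
    struct sysent *sv_table;
    unsigned       sv_mask;   /* 0 means no masking */
};

#define SV_SIZE_MAX 1024      /* assumed: no real table is larger than this */
#define ENOSYS_VAL  78        /* ENOSYS on FreeBSD */

/* Index selection as in the listing: mask, bounds-check, fall back to entry 0
 * (nosys). sv_table is never dereferenced, so this is safe on corrupt values. */
unsigned select_index(const struct sysentvec *sv, unsigned code)
{
    if (sv->sv_mask)
        code &= sv->sv_mask;
    /* code is u_int and sv_size is int, so the kernel's `code >= sv_size'
     * compares against sv_size converted to unsigned; the cast only makes that
     * visible. A negative sv_size becomes a huge bound and rejects nothing. */
    if (code >= (unsigned)sv->sv_size)
        return 0;
    return code;
}

/* The check a practitioner would want before trusting p->p_sysent. */
int sysentvec_sane(const struct sysentvec *sv)
{
    if (sv == NULL || sv->sv_table == NULL)
        return 0;
    if (sv->sv_size <= 0 || sv->sv_size > SV_SIZE_MAX)
        return 0;
    return 1;
}

/* Dispatch with the check in front; -1 means "refused, vector looks corrupt". */
int dispatch(const struct sysentvec *sv, unsigned code, int *args, int *rval)
{
    if (!sysentvec_sane(sv))
        return -1;
    const struct sysent *callp = &sv->sv_table[select_index(sv, code)];
    rval[0] = 0;
    return callp->sy_call(NULL, args, rval);
}

/* Constructed demo handlers and a two-entry table: nosys and an adder. */
static int nosys(void *p, int *args, int *rval)
{
    (void)p; (void)args; (void)rval;
    return ENOSYS_VAL;
}
static int sys_add(void *p, int *args, int *rval)
{
    (void)p;
    rval[0] = args[0] + args[1];
    return 0;
}
static struct sysent demo_table[] = { { 0, nosys }, { 2, sys_add } };
const struct sysentvec demo_sysent = { 2, demo_table, 0 };

/* Call entry 1 through the table; returns rval[0], or -1 if dispatch failed. */
int add_via_table(int a, int b)
{
    int args[2] = { a, b }, rval[2] = { 0, 0 };
    if (dispatch(&demo_sysent, 1, args, rval) != 0)
        return -1;
    return rval[0];
}

/* The sysentvec kgdb printed from the dump ($14). sv_table is an address only;
 * nothing here reads through it. */
const struct sysentvec dump_sysent = {
    (int)0x91540cba, (struct sysent *)0x16946084UL, 0xf1fba500
};
/* Same negative sv_size, but no mask and a real table: the bounds check alone
 * lets an out-of-range index through; only sysentvec_sane() stops it. */
const struct sysentvec neg_size_sysent = { (int)0x91540cba, demo_table, 0 };

int main(void)
{
    printf("demo table: 40+2 via entry 1 = %d, code 95 -> index %u\n",
           add_via_table(40, 2), select_index(&demo_sysent, 95));
    printf("dump values: code 95 -> index %u, sane=%d\n",
           select_index(&dump_sysent, 95), sysentvec_sane(&dump_sysent));
    printf("negative sv_size, no mask: code 95 -> index %u, dispatch=%d\n",
           select_index(&neg_size_sysent, 95),
           dispatch(&neg_size_sysent, 95, NULL, NULL));
    return 0;
}
```

With the dumped sv_mask of 0xf1fba500, code 95 (0x5f) masks down to 0, and because sv_size is compared as an unsigned value, 0x91540cba never rejects any code: the masked case lands on entry 0 at the unreadable 0x16946084, and with no mask the same sv_size lets index 95 through against a two-entry table. The sanity check refuses both before any pointer is followed.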
