From owner-freebsd-current@freebsd.org Wed Dec 16 13:33:24 2015
Date: Wed, 16 Dec 2015 12:42:27 +0200
From: Konstantin Belousov
To: Fabian Keil
Cc: FreeBSD Current
Subject: Re: fork_findpid() - Fatal trap 12: page fault while in kernel mode
Message-ID: <20151216104227.GS3625@kib.kiev.ua>
In-Reply-To: <20151215174238.2d7cc3bb@fabiankeil.de>
On Tue, Dec 15, 2015 at 05:42:38PM +0100, Fabian Keil wrote:
> I've seen the following panic a couple of times in the last three
> months, usually while poudriere was running and with sh being the
> current process.
>
> This one is from a system based on r290926 running with
> kern.randompid=9001 and forking frequently (>1000 forks/second)
> due to poudriere and afl-fuzz:
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 1; apic id = 04
> fault virtual address = 0x618b00a8
> fault code = supervisor read data, page not present
> instruction pointer = 0x20:0xffffffff80909158
> stack pointer = 0x28:0xfffffe011e03b940
> frame pointer = 0x28:0xfffffe011e03b960
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 71325 (sh)
> trap number = 12
> panic: page fault
> cpuid = 1
> KDB: stack backtrace:
> [...]
> Uptime: 13d20h43m20s
> [...]
> (kgdb) where
> #0 doadump (textdump=1) at pcpu.h:221
> #1 0xffffffff8094a923 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:364
> #2 0xffffffff8094ae8b in vpanic (fmt=, ap=) at /usr/src/sys/kern/kern_shutdown.c:757
> #3 0xffffffff8094acc3 in panic (fmt=0x0) at /usr/src/sys/kern/kern_shutdown.c:688
> #4 0xffffffff80c2fbb1 in trap_fatal (frame=, eva=) at /usr/src/sys/amd64/amd64/trap.c:834
> #5 0xffffffff80c2fda4 in trap_pfault (frame=0xfffffe011e03b890, usermode=) at /usr/src/sys/amd64/amd64/trap.c:684
> #6 0xffffffff80c2f55e in trap (frame=0xfffffe011e03b890) at /usr/src/sys/amd64/amd64/trap.c:435
> #7 0xffffffff80c120a7 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:234
> #8 0xffffffff80909158 in fork_findpid (flags=) at /usr/src/sys/kern/kern_fork.c:281

It is the values of *p and *(p->p_pgrp) that are needed, from frame 8.

> #9 0xffffffff80907225 in do_fork (td=0xfffff8009db9a9a0, flags=20, p2=0xfffff8009dbe1a90, td2=0xfffff800aa6884d0, vm2=0xfffff800a9eee000, pdflags=0) at /usr/src/sys/kern/kern_fork.c:385
> #10 0xffffffff80906c08 in fork1 (td=0xfffff8009db9a9a0, flags=20, pages=, procp=0xfffffe011e03bac0, procdescp=0x0, pdflags=99999, fcaps=)
>     at /usr/src/sys/kern/kern_fork.c:937
> #11 0xffffffff809066ca in sys_fork (td=0xfffff8009db9a9a0, uap=) at /usr/src/sys/kern/kern_fork.c:108
> #12 0xffffffff80c3054b in amd64_syscall (td=0xfffff8009db9a9a0, traced=0) at subr_syscall.c:140
> #13 0xffffffff80c1238b in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:394
> #14 0x00000008009257aa in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> Current language: auto; currently minimal
> (kgdb) f 8
> #8 0xffffffff80909158 in fork_findpid (flags=) at /usr/src/sys/kern/kern_fork.c:281
> warning: Source file is more recent than executable.
>
> 281                 (p->p_pgrp != NULL &&
> (kgdb) l -
> 271          * id is kept reserved only while there is a
> 272          * non-reaped process in the subtree, so amount of
> 273          * reserved pids is limited by process limit times
> 274          * two.
> 275          */
> 276         p = LIST_FIRST(&allproc);
> 277 again:
> 278         for (; p != NULL; p = LIST_NEXT(p, p_list)) {
> 279             while (p->p_pid == trypid ||
> 280                 p->p_reapsubtree == trypid ||
> (kgdb) l
> 281                 (p->p_pgrp != NULL &&
> 282                 (p->p_pgrp->pg_id == trypid ||
> 283                 (p->p_session != NULL &&
> 284                 p->p_session->s_sid == trypid)))) {
> 285                 trypid++;
> 286                 if (trypid >= pidchecked)
> 287                     goto retry;
> 288             }
> 289             if (p->p_pid > trypid && pidchecked > p->p_pid)
> 290                 pidchecked = p->p_pid;
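The pid search quoted above, modelled in user space as an added example (not code from this thread or from the FreeBSD kernel): a constructed list of proc records carrying pid, reaper subtree, process group and session ids shows why p_pgrp is tested before it is dereferenced and why trypid reaching pidchecked forces a rescan from the first entry. It goes slightly beyond the truncated listing by also lowering pidchecked for group and session ids; struct proc, reserved_ids, find_free_pid and the sample list are this example's own assumptions.

```c
#include <stddef.h>
/* Minimal stand-ins for the kernel structures fork_findpid() walks. */
struct pgrp { int pg_id; }; struct session { int s_sid; };
struct proc {                       /* p_pgrp / p_session may still be NULL */
    int p_pid, p_reapsubtree;
    struct pgrp *p_pgrp; struct session *p_session; struct proc *p_next;
};

/* Ids p reserves: pid, reaper subtree id, pgrp id, session id.  Each
 * pointer is tested before use, the guard the kernel loop depends on. */
static int reserved_ids(const struct proc *p, int ids[4])
{
    int n = 2;
    ids[0] = p->p_pid; ids[1] = p->p_reapsubtree;
    if (p->p_pgrp != NULL) {
        ids[n++] = p->p_pgrp->pg_id;
        if (p->p_session != NULL)
            ids[n++] = p->p_session->s_sid;
    }
    return n;
}

/* Lowest free pid >= trypid (all ids assumed < pid_max).  pidchecked is the
 * lowest reserved id above trypid seen so far; reaching it means earlier
 * entries were only cleared against the old trypid, hence the goto retry. */
int find_free_pid(const struct proc *allproc, int trypid, int pid_max)
{
    const struct proc *p;
    int pidchecked, ids[4], n, i;
retry: pidchecked = pid_max;
    for (p = allproc; p != NULL; p = p->p_next) {
        n = reserved_ids(p, ids);
        for (i = 0; i < n; i++)
            if (ids[i] == trypid) {         /* taken: bump and recheck p */
                if (++trypid >= pidchecked)
                    goto retry;
                i = -1;
            }
        for (i = 0; i < n; i++)
            if (ids[i] > trypid && pidchecked > ids[i])
                pidchecked = ids[i];
    }
    return trypid;
}
/* Constructed list: daemon; proc with no pgrp yet; session id 99 reserved; reaper subtree id 102. */
static struct pgrp g5 = {5}, g100 = {100}, g103 = {103};
static struct session s5 = {5}, s99 = {99}, s103 = {103};
static struct proc proc_d = {103, 102, &g103, &s103, NULL},
    proc_c = {101, 0, &g100, &s99, &proc_d}, proc_b = {100, 0, NULL, NULL, &proc_c},
    proc_a = {5, 0, &g5, &s5, &proc_b};
```

Starting at 99 the search must skip the reserved session id, the two live pids, the subtree id and the reaper's own pid before settling on 104; starting at 98 it returns 98 at once.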