Date:      Tue, 18 Jan 2000 13:51:43 +0300 (MSK)
From:      romanp@wuppy.net.ru
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/16171: mmap(2) of /dev/kmem cause kernel panic
Message-ID:  <200001181051.e0IAphX00970@ghost.wuppy.eu.org>

>Number:         16171
>Category:       kern
>Synopsis:       mmap(2) of /dev/kmem cause kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 18 03:00:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Roman V. Palagin
>Release:        FreeBSD 3.3-19991022-INRIA-991118E i386
>Organization:
	Speak for myself.
>Environment:
Systems: FreeBSD 3.3-19991022-STABLE with INRIA IPv6 patches, also tested
on 3.4-20000108-STABLE.
Architecture: i386 

>Description:
When the test code executes, it causes a kernel panic in memmmap().
This is the kernel panic message with a backtrace. If you need more
information, feel free to contact me.

IdlePTD 2686976
initial pcb at 216028
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0xbfc00000
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xc01ca911
stack pointer	        = 0x10:0xc306cd80
frame pointer	        = 0x10:0xc306cd80
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 2137 (t_mmap)
interrupt mask		= 
trap number		= 12
panic: page fault

syncing disks... 8 4 2 done

dumping to dev 30011, offset 39296
dump 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 
---
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
285			dumppcb.pcb_cr3 = rcr3();
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
#1  0xc012773c in at_shutdown (
    function=0xc01faab2 <__set_sysinit_set_sym_memdev_sys_init+1050>, 
    arg=0xc3069e60, queue=-1023928320) at ../../kern/kern_shutdown.c:446
#2  0xc01cef11 in trap_fatal (frame=0xc306cd44, eva=3217031168)
    at ../../i386/i386/trap.c:942
#3  0xc01cebef in trap_pfault (frame=0xc306cd44, usermode=0, eva=3217031168)
    at ../../i386/i386/trap.c:835
#4  0xc01ce866 in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -1071863604, 
      tf_esi = 0, tf_ebp = -1022964352, tf_isp = -1022964372, tf_ebx = 19, 
      tf_edx = 0, tf_ecx = 0, tf_eax = 0, tf_trapno = 12, tf_err = 0, 
      tf_eip = -1071863535, tf_cs = 8, tf_eflags = 66134, 
      tf_esp = -1022964308, tf_ss = -1072000884}) at ../../i386/i386/trap.c:437
#5  0xc01ca911 in memmmap (dev=513, offset=0, nprot=1) at machine/pmap.h:171
#6  0xc01a908c in dev_pager_alloc (handle=0x201, size=81920, prot=1, foff=0)
    at ../../vm/device_pager.c:129
#7  0xc01b5bcc in vm_pager_allocate (type=OBJT_DEVICE, handle=0x201, 
    size=81920, prot=1, off=0) at ../../vm/vm_pager.c:238
#8  0xc01b11c4 in vm_mmap (map=0xc2f81800, addr=0xc306cee8, size=81920, 
    prot=1 '\001', maxprot=5 '\005', flags=1, handle=0x201, foff=0)
    at ../../vm/vm_mmap.c:1002
#9  0xc01b0911 in mmap (p=0xc3069e60, uap=0xc306cf94) at ../../vm/vm_mmap.c:334
#10 0xc01cf153 in syscall (frame={tf_es = 39, tf_ds = 39, 
      tf_edi = -1077945236, tf_esi = 2, tf_ebp = -1077945324, 
      tf_isp = -1022963740, tf_ebx = 671963100, tf_edx = 0, tf_ecx = 0, 
      tf_eax = 198, tf_trapno = 12, tf_err = 2, tf_eip = 671699592, 
      tf_cs = 31, tf_eflags = 530, tf_esp = -1077945372, tf_ss = 39})
    at ../../i386/i386/trap.c:1100
#11 0xc01c529c in Xint0x80_syscall ()
#12 0x80484b2 in ?? ()
#13 0x8048419 in ?? ()

>How-To-Repeat:
Compile and execute this program:

/* t_mmap.c */
#include <sys/types.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdio.h>

int
main(void)
{
	int fd = open("/dev/kmem", O_RDONLY);

	if (fd < 0) {
		perror("open /dev/kmem");
		return 1;
	}
	/* Mapping 20 pages of /dev/kmem at offset 0 triggers the panic in memmmap(). */
	if (mmap(0, 20*4096, PROT_READ, MAP_SHARED, fd, 0) == MAP_FAILED)
		perror("mmap");
	return 0;
}


>Fix:
	
	


>Release-Note:
>Audit-Trail:
>Unformatted:

