From owner-freebsd-bugs Fri Oct 4 16:50:03 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA03977 for bugs-outgoing; Fri, 4 Oct 1996 16:50:03 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA03970; Fri, 4 Oct 1996 16:50:01 -0700 (PDT)
Resent-Date: Fri, 4 Oct 1996 16:50:01 -0700 (PDT)
Resent-Message-Id: <199610042350.QAA03970@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, hsu@clinet.fi
Received: from hauki.clinet.fi (root@hauki.clinet.fi [194.100.0.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA03582 for ; Fri, 4 Oct 1996 16:44:33 -0700 (PDT)
Received: from katiska.clinet.fi (root@katiska.clinet.fi [194.100.0.4]) by hauki.clinet.fi (8.7.6/8.6.4) with ESMTP id BAA08278 for ; Sat, 5 Oct 1996 01:43:56 +0200 (EET)
Received: (root@localhost) by katiska.clinet.fi (8.7.6/8.6.4) id CAA01171; Sat, 5 Oct 1996 02:43:55 +0300 (EET DST)
Message-Id: <199610042343.CAA01171@katiska.clinet.fi>
Date: Sat, 5 Oct 1996 02:43:55 +0300 (EET DST)
From: Heikki Suonsivu
Reply-To: hsu@clinet.fi
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/1726: panic in kmem_malloc (dump available)
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 1726
>Category: kern
>Synopsis: panic in kmem_malloc (dump available)
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Oct 4 16:50:00 PDT 1996
>Last-Modified:
>Originator: Heikki Suonsivu
>Organization: Clinet, Espoo, Finland
>Release: FreeBSD 2.2-CURRENT i386
>Environment:
terminal/modem server with 32 ports with cyclades boards, kernel ppp, dialup modems. Current from 28th <21:58 sup.
I have a couple of patches which may or may not have meaning (32 port cyclades patches, upping TTYHOG and RS_IBUF_SIZE)

>Description:
dump and kernel are ftp://ftp.clinet.fi/pub/FreeBSD/crashdumps/ts/*.44.gz

Current directory is /usr/local/ftp/pub/FreeBSD/crashdumps/ts/
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), Copyright 1994 Free Software Foundation, Inc...
IdlePTD 24b000
current pcb at 1f7e5c
panic: page fault
#0  boot (howto=256) at ../../kern/kern_shutdown.c:237
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:237
#1  0xf010ea62 in panic (fmt=0xf01c5631 "page fault") at ../../kern/kern_shutdown.c:361
#2  0xf01c618e in trap_fatal (frame=0xefbffce8) at ../../i386/i386/trap.c:741
#3  0xf01c5c7c in trap_pfault (frame=0xefbffce8, usermode=0) at ../../i386/i386/trap.c:652
#4  0xf01c5963 in trap (frame={tf_es = -266010608, tf_ds = -221052912,
      tf_edi = -1, tf_esi = 1, tf_ebp = -272630480, tf_isp = -272630512,
      tf_ebx = 0, tf_edx = 0, tf_ecx = 12, tf_eax = 0, tf_trapno = 12,
      tf_err = -266665984, tf_eip = -266625792, tf_cs = 8, tf_eflags = 66198,
      tf_esp = 0, tf_ss = 0}) at ../../i386/i386/trap.c:311
#5  0xf01be5c1 in calltrap ()
#6  0xf01b4095 in kmem_malloc (map=0xf025c064, size=4096, waitflag=1) at ../../vm/vm_kern.c:333
#7  0xf010b16f in malloc (size=148, type=5, flags=1) at ../../kern/kern_malloc.c:145
#8  0xf0148ade in rtrequest (req=1, dst=0xf2d3615c, gateway=0xf2d3616c,
      netmask=0xf2d3617c, flags=3, ret_nrt=0xefbffe1c) at ../../net/route.c:515
#9  0xf014957d in route_output (m=0xf19b7580, so=0xf2cb5700) at ../../net/rtsock.c:197
#10 0xf01482ce in raw_usrreq (so=0xf2cb5700, req=9, m=0xf19b7580, nam=0x0, control=0x0) at ../../net/raw_usrreq.c:257
#11 0xf014930a in route_usrreq (so=0xf2cb5700, req=9, m=0xf19b7580, nam=0x0, control=0x0) at ../../net/rtsock.c:115
#12 0xf0122f55 in old_send (so=0xf2cb5700, flags=0, m=0xf19b7580, addr=0x0, control=0x0) at ../../kern/uipc_socket2.c:871
#13 0xf0120e56 in sosend (so=0xf2cb5700, addr=0x0, uio=0xefbfff34, top=0xf19b7580, control=0x0, flags=0) at ../../kern/uipc_socket.c:461
#14 0xf01181b5 in soo_write (fp=0xf2cb9080, uio=0xefbfff34, cred=0xf09b2a80) at ../../kern/sys_socket.c:82
#15 0xf0115c83 in write (p=0xf2c7a600, uap=0xefbfff94, retval=0xefbfff84) at ../../kern/sys_generic.c:263
#16 0xf01c6427 in syscall (frame={tf_es = 720935, tf_ds = 720935, tf_edi = 0,
      tf_esi = 750408, tf_ebp = -272639908, tf_isp = -272629788,
      tf_ebx = 677028, tf_edx = 710264, tf_ecx = 750408, tf_eax = 4,
      tf_trapno = 7, tf_err = 7, tf_eip = 135302529, tf_cs = 31,
      tf_eflags = 582, tf_esp = -272639936, tf_ss = 39}) at ../../i386/i386/trap.c:891
#17 0xf01be615 in Xsyscall ()
#18 0xfa39 in ?? ()
#19 0xfeda in ?? ()
#20 0xa839 in ?? ()
#21 0xb0a9 in ?? ()
#22 0x2760d in ?? ()
#23 0x300ba in ?? ()
#24 0x1096 in ?? ()
(kgdb) up
#1  0xf010ea62 in panic (fmt=0xf01c5631 "page fault") at ../../kern/kern_shutdown.c:361
(kgdb) up
#2  0xf01c618e in trap_fatal (frame=0xefbffce8) at ../../i386/i386/trap.c:741
(kgdb) print type
$1 = 12
(kgdb) up
#3  0xf01c5c7c in trap_pfault (frame=0xefbffce8, usermode=0) at ../../i386/i386/trap.c:652
(kgdb) up
#4  0xf01c5963 in trap (frame={tf_es = -266010608, tf_ds = -221052912,
      tf_edi = -1, tf_esi = 1, tf_ebp = -272630480, tf_isp = -272630512,
      tf_ebx = 0, tf_edx = 0, tf_ecx = 12, tf_eax = 0, tf_trapno = 12,
      tf_err = -266665984, tf_eip = -266625792, tf_cs = 8, tf_eflags = 66198,
      tf_esp = 0, tf_ss = 0}) at ../../i386/i386/trap.c:311
(kgdb) up
#5  0xf01be5c1 in calltrap ()
(kgdb) up
#6  0xf01b4095 in kmem_malloc (map=0xf025c064, size=4096, waitflag=1) at ../../vm/vm_kern.c:333
(kgdb) print offset
$2 = 47677440
(kgdb) set radix 16
Input and output radices now set to decimal 16, hex 10, octal 20.
(kgdb) print offset
$3 = 0x2d78000
(kgdb) print kmem_object
$4 = (struct vm_object *) 0xf0200b34
(kgdb) print *kmem_object
$5 = {object_list = {tqe_next = 0xf09b2a00, tqe_prev = 0xf0200ab4},
  cached_list = {tqe_next = 0x0, tqe_prev = 0x0},
  shadow_head = {tqh_first = 0x0, tqh_last = 0xf0200b44},
  shadow_list = {tqe_next = 0x0, tqe_prev = 0x0},
  memq = {tqh_first = 0xf025f998, tqh_last = 0xf028cd30},
  type = OBJT_DEFAULT, size = 0xfc41, ref_count = 0x6, shadow_count = 0x0,
  pg_color = 0x5, flags = 0x0, paging_in_progress = 0x0, behavior = 0x0,
  resident_page_count = 0x38a, paging_offset = 0x0000000000000000,
  backing_object = 0x0, backing_object_offset = 0x0000000000000000,
  last_read = 0x0, page_hint = 0xf028cd20,
  pager_object_list = {tqe_next = 0x0, tqe_prev = 0x0}, handle = 0x0,
  un_pager = {vnp = {vnp_size = 0x0000000000000000},
    devp = {devp_pglist = {tqh_first = 0x0, tqh_last = 0x0}},
    swp = {swp_nblocks = 0x0, swp_allocsize = 0x0, swp_blocks = 0x0, swp_poip = 0x0}}}
(kgdb) print i
$6 = 0x1
(kgdb) print size
$7 = 0xffffffff
(kgdb) up
#7  0xf010b16f in malloc (size=0x94, type=0x5, flags=0x1) at ../../kern/kern_malloc.c:145
(kgdb) print npg
$8 = 0x1
(kgdb) down
#6  0xf01b4095 in kmem_malloc (map=0xf025c064, size=0x1000, waitflag=0x1) at ../../vm/vm_kern.c:333
(kgdb) print size
$9 = 0xffffffff
(kgdb) bt
#0  boot (howto=0x100) at ../../kern/kern_shutdown.c:237
#1  0xf010ea62 in panic (fmt=0xf01c5631 "page fault") at ../../kern/kern_shutdown.c:361
#2  0xf01c618e in trap_fatal (frame=0xefbffce8) at ../../i386/i386/trap.c:741
#3  0xf01c5c7c in trap_pfault (frame=0xefbffce8, usermode=0x0) at ../../i386/i386/trap.c:652
#4  0xf01c5963 in trap (frame={tf_es = 0xf0250010, tf_ds = 0xf2d30010,
      tf_edi = 0xffffffff, tf_esi = 0x1, tf_ebp = 0xefbffd30,
      tf_isp = 0xefbffd10, tf_ebx = 0x0, tf_edx = 0x0, tf_ecx = 0xc,
      tf_eax = 0x0, tf_trapno = 0xc, tf_err = 0xf01b0000, tf_eip = 0xf01b9d00,
      tf_cs = 0x8, tf_eflags = 0x10296, tf_esp = 0x0, tf_ss = 0x0}) at ../../i386/i386/trap.c:311
#5  0xf01be5c1 in calltrap ()
#6  0xf01b4095 in kmem_malloc (map=0xf025c064, size=0x1000, waitflag=0x1) at ../../vm/vm_kern.c:333
#7  0xf010b16f in malloc (size=0x94, type=0x5, flags=0x1) at ../../kern/kern_malloc.c:145
#8  0xf0148ade in rtrequest (req=0x1, dst=0xf2d3615c, gateway=0xf2d3616c,
      netmask=0xf2d3617c, flags=0x3, ret_nrt=0xefbffe1c) at ../../net/route.c:515
#9  0xf014957d in route_output (m=0xf19b7580, so=0xf2cb5700) at ../../net/rtsock.c:197
#10 0xf01482ce in raw_usrreq (so=0xf2cb5700, req=0x9, m=0xf19b7580, nam=0x0, control=0x0) at ../../net/raw_usrreq.c:257
#11 0xf014930a in route_usrreq (so=0xf2cb5700, req=0x9, m=0xf19b7580, nam=0x0, control=0x0) at ../../net/rtsock.c:115
#12 0xf0122f55 in old_send (so=0xf2cb5700, flags=0x0, m=0xf19b7580, addr=0x0, control=0x0) at ../../kern/uipc_socket2.c:871
#13 0xf0120e56 in sosend (so=0xf2cb5700, addr=0x0, uio=0xefbfff34, top=0xf19b7580, control=0x0, flags=0x0) at ../../kern/uipc_socket.c:461
#14 0xf01181b5 in soo_write (fp=0xf2cb9080, uio=0xefbfff34, cred=0xf09b2a80) at ../../kern/sys_socket.c:82
#15 0xf0115c83 in write (p=0xf2c7a600, uap=0xefbfff94, retval=0xefbfff84) at ../../kern/sys_generic.c:263
#16 0xf01c6427 in syscall (frame={tf_es = 0xb0027, tf_ds = 0xb0027,
      tf_edi = 0x0, tf_esi = 0xb7348, tf_ebp = 0xefbfd85c, tf_isp = 0xefbfffe4,
      tf_ebx = 0xa54a4, tf_edx = 0xad678, tf_ecx = 0xb7348, tf_eax = 0x4,
      tf_trapno = 0x7, tf_err = 0x7, tf_eip = 0x8108d81, tf_cs = 0x1f,
      tf_eflags = 0x246, tf_esp = 0xefbfd840, tf_ss = 0x27}) at ../../i386/i386/trap.c:891
#17 0xf01be615 in Xsyscall ()
#18 0xfa39 in ?? ()
#19 0xfeda in ?? ()
#20 0xa839 in ?? ()
#21 0xb0a9 in ?? ()
#22 0x2760d in ?? ()
#23 0x300ba in ?? ()
#24 0x1096 in ?? ()
(kgdb)

This could explain frequent panics we are seeing on these machines and the fact we do not see these with leased line routers, only dialup routers; route changes occur much more frequently on dialup modems. This is timing related, it happens at different frequency with different hardware.
Faster machines may crash more often. Using default TTYHOG and RS_IBUF_SIZE values instead of the 4-fold values I have been using, the frequency of panics increases. I tried experimenting with different values but I could not find a clear pattern.

>How-To-Repeat:
Build a terminal server with lots of ports.

>Fix:
It seems that ~16 modems is a relatively safe figure; the more ports the more problems.

>Audit-Trail:
>Unformatted: