From owner-freebsd-bugs Mon Jun 11 19: 0:19 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP id E2AE537B405
    for ; Mon, 11 Jun 2001 19:00:05 -0700 (PDT)
    (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
    by freefall.freebsd.org (8.11.3/8.11.3) id f5C205W75781;
    Mon, 11 Jun 2001 19:00:05 -0700 (PDT)
    (envelope-from gnats)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP id 7A75A37B401
    for ; Mon, 11 Jun 2001 18:56:22 -0700 (PDT)
    (envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
    by freefall.freebsd.org (8.11.3/8.11.3) id f5C1uMM75577;
    Mon, 11 Jun 2001 18:56:22 -0700 (PDT)
    (envelope-from nobody)
Message-Id: <200106120156.f5C1uMM75577@freefall.freebsd.org>
Date: Mon, 11 Jun 2001 18:56:22 -0700 (PDT)
From: bugs@canyoncountry.net
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/28087: Fatal trap 12: page fault while in kernel mode
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number: 28087
>Category: kern
>Synopsis: Fatal trap 12: page fault while in kernel mode
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jun 11 19:00:05 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Gerry Allen
>Release: 4.1
>Organization: Canyon Country Communications
>Environment:
FreeBSD page3.canyoncountry.net 4.1-RELEASE FreeBSD 4.1-RELEASE #8: Sun Jun 10 00:36:31 MST 2001 root@page3.canyoncountry.net:/usr/src/sys/compile/PAGE3 i386
>Description:
(508 / 8) [/sys/compile/PAGE3]$: gdb -k kernel.debug /var/crash/vmcore.13
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD 3506176
initial pcb at 2cdec0
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xc093c000
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc01abf5d
stack pointer           = 0x10:0xc02ab4b4
frame pointer           = 0x10:0xc02ab4ec
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = Idle
interrupt mask          = net tty
trap number             = 12
panic: page fault

syncing disks... 7 7
done
Uptime: 1d3h33m21s

dumping to dev #ad/0x20001, offset 786432
dump ata0: resetting devices .. done
128 127 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0  boot (howto=256) at ../../kern/kern_shutdown.c:302
302             dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0  boot (howto=256) at ../../kern/kern_shutdown.c:302
#1  0xc0144ebc in poweroff_wait (junk=0xc02a346f, howto=0)
    at ../../kern/kern_shutdown.c:552
#2  0xc026c519 in trap_fatal (frame=0xc02ab474, eva=3230908416)
    at ../../i386/i386/trap.c:927
#3  0xc026c1f1 in trap_pfault (frame=0xc02ab474, usermode=0, eva=3230908416)
    at ../../i386/i386/trap.c:820
#4  0xc026bdef in trap (frame={tf_fs = -1050542064, tf_es = 16,
      tf_ds = -1070989296, tf_edi = -1064058908, tf_esi = 0,
      tf_ebp = -1070942996, tf_isp = -1070943072, tf_ebx = 0,
      tf_edx = -1070942948, tf_ecx = -1070942952, tf_eax = 905904131,
      tf_trapno = 12, tf_err = 0, tf_eip = -1071988899, tf_cs = 8,
      tf_eflags = 66118, tf_esp = 2461, tf_ss = 3862})
    at ../../i386/i386/trap.c:426
#5  0xc01abf5d in fr_makefrip (hlen=20, ip=0xc093bfe4, fin=0xc02ab518)
    at ../../netinet/fil.c:258
#6  0xc01b1d1c in fr_checkicmpmatchingstate (ip=0xc093bfc8, fin=0xc02ab628)
    at ../../netinet/ip_state.c:1032
#7  0xc01b20cd in fr_checkstate (ip=0xc093bfc8, fin=0xc02ab628)
    at ../../netinet/ip_state.c:1194
#8  0xc01acb4c in fr_check (ip=0xc093bfc8, hlen=20, ifp=0xc14f6000, out=1,
    mp=0xc02ab6e4) at ../../netinet/fil.c:887
#9  0xc01a0c00 in ip_output (m0=0xc093bf00, opt=0x0, ro=0xc02ab724, flags=0,
    imo=0x0) at ../../netinet/ip_output.c:437
#10 0xc019edc2 in icmp_send (m=0xc093bf00, opts=0x0)
    at ../../netinet/ip_icmp.c:748
#11 0xc019ed43 in icmp_reflect (m=0xc093bf00) at ../../netinet/ip_icmp.c:710
#12 0xc019e66c in icmp_error (n=0xc0931a00, type=11, code=0, dest=0,
    destifp=0x0) at ../../netinet/ip_icmp.c:220
#13 0xc01a0429 in ip_forward (m=0xc0931a00, srcrt=0)
    at ../../netinet/ip_input.c:1508
#14 0xc019f566 in ip_input (m=0xc0931a00) at ../../netinet/ip_input.c:570
#15 0xc0199a46 in transmit_event (pipe=0xc1586e00)
    at ../../netinet/ip_dummynet.c:399
#16 0xc0199c37 in ready_event (q=0xc16b6500)
    at ../../netinet/ip_dummynet.c:525
---Type to continue, or q to quit---
#17 0xc019a96b in dummynet_io (pipe_nr=5, dir=2, m=0xc0931a00, ifp=0x0,
    ro=0x0, dst=0x0, rule=0xc14f98e0, flags=0)
    at ../../netinet/ip_dummynet.c:1062
#18 0xc019f361 in ip_input (m=0xc0931a00) at ../../netinet/ip_input.c:413
#19 0xc019f8cf in ipintr () at ../../netinet/ip_input.c:766
#20 0xc0262255 in swi_net_next ()
(kgdb) up 4
#4  0xc026bdef in trap (frame={tf_fs = -1050542064, tf_es = 16,
      tf_ds = -1070989296, tf_edi = -1064058908, tf_esi = 0,
      tf_ebp = -1070942996, tf_isp = -1070943072, tf_ebx = 0,
      tf_edx = -1070942948, tf_ecx = -1070942952, tf_eax = 905904131,
      tf_trapno = 12, tf_err = 0, tf_eip = -1071988899, tf_cs = 8,
      tf_eflags = 66118, tf_esp = 2461, tf_ss = 3862})
    at ../../i386/i386/trap.c:426
426                     (void) trap_pfault(&frame, FALSE, eva);
(kgdb) list
421     kernel_trap:
422             /* kernel trap */
423
424             switch (type) {
425             case T_PAGEFLT: /* page fault */
426                     (void) trap_pfault(&frame, FALSE, eva);
427                     return;
428
429             case T_DNA:
430     #if NNPX > 0
(kgdb) up
#5  0xc01abf5d in fr_makefrip (hlen=20, ip=0xc093bfe4, fin=0xc02ab518)
    at ../../netinet/fil.c:258
258                     fi->fi_dst.in6 = ip6->ip6_dst;
(kgdb) list
253                     p = ip6->ip6_nxt;
254                     fi->fi_p = p;
255                     fi->fi_ttl = ip6->ip6_hlim;
256                     tcp = (tcphdr_t *)(ip6 + 1);
257                     fi->fi_src.in6 = ip6->ip6_src;
258                     fi->fi_dst.in6 = ip6->ip6_dst;
259                     fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff);
260                     fi->fi_tos = 0;
261                     fi->fi_fl = 0;
262                     plen = ntohs(ip6->ip6_plen);
(kgdb) up
#6  0xc01b1d1c in fr_checkicmpmatchingstate (ip=0xc093bfc8, fin=0xc02ab628)
    at ../../netinet/ip_state.c:1032
1032            fr_makefrip(oip->ip_hl << 2, oip, &ofin);
(kgdb) list
1027            hv += icmp->icmp_id;
1028            hv += icmp->icmp_seq;
1029            hv %= fr_statesize;
1030
1031            oip->ip_len = ntohs(oip->ip_len);
1032            fr_makefrip(oip->ip_hl << 2, oip, &ofin);
1033            oip->ip_len = htons(oip->ip_len);
1034            ofin.fin_ifp = fin->fin_ifp;
1035            ofin.fin_out = !fin->fin_out;
1036            ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
(kgdb) up
#7  0xc01b20cd in fr_checkstate (ip=0xc093bfc8, fin=0xc02ab628)
    at ../../netinet/ip_state.c:1194
1194                    fr = fr_checkicmpmatchingstate(ip, fin);
(kgdb) list
1189    #ifdef USE_INET6
1190                    if (v == 6)
1191                            fr = fr_checkicmp6matchingstate((ip6_t *)ip, fin);
1192                    else
1193    #endif
1194                            fr = fr_checkicmpmatchingstate(ip, fin);
1195                    if (fr)
1196                            return fr;
1197                    break;
1198            case IPPROTO_TCP :
(kgdb) up
#8  0xc01acb4c in fr_check (ip=0xc093bfc8, hlen=20, ifp=0xc14f6000, out=1,
    mp=0xc02ab6e4) at ../../netinet/fil.c:887
887             if (apass || (!(fr = ipfr_knownfrag(ip, fin)) &&
(kgdb) list
882                         (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
883                             ATOMIC_INCL(frstats[0].fr_acct);
884                     }
885             }
886
887             if (apass || (!(fr = ipfr_knownfrag(ip, fin)) &&
888                 !(fr = fr_checkstate(ip, fin)))) {
889                     /*
890                      * If a packet is found in the auth table, then skip checking
891                      * the access lists for permission but we do need to consider
(kgdb) up
#9  0xc01a0c00 in ip_output (m0=0xc093bf00, opt=0x0, ro=0xc02ab724, flags=0,
    imo=0x0) at ../../netinet/ip_output.c:437
437                     if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
(kgdb) list
432              * - Encapsulate: put it in another IP and send out.
433              */
434             if (fr_checkp) {
435                     struct mbuf *m1 = m;
436
437                     if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
438                             goto done;
439                     ip = mtod(m = m1, struct ip *);
440             }
441
(kgdb) up
#10 0xc019edc2 in icmp_send (m=0xc093bf00, opts=0x0)
    at ../../netinet/ip_icmp.c:748
748             (void) ip_output(m, opts, &ro, 0, NULL);
(kgdb) list
743                     printf("icmp_send dst %s src %s\n",
744                         buf, inet_ntoa(ip->ip_src));
745             }
746     #endif
747             bzero(&ro, sizeof ro);
748             (void) ip_output(m, opts, &ro, 0, NULL);
749             if (ro.ro_rt)
750                     RTFREE(ro.ro_rt);
751     }
752
(kgdb) up
#11 0xc019ed43 in icmp_reflect (m=0xc093bf00) at ../../netinet/ip_icmp.c:710
710             icmp_send(m, opts);
(kgdb) list
705                     optlen += sizeof(struct ip);
706                     bcopy((caddr_t)ip + optlen, (caddr_t)(ip + 1),
707                         (unsigned)(m->m_len - sizeof(struct ip)));
708             }
709             m->m_flags &= ~(M_BCAST|M_MCAST);
710             icmp_send(m, opts);
711     done:
712             if (opts)
713                     (void)m_free(opts);
714     }
(kgdb) up
#12 0xc019e66c in icmp_error (n=0xc0931a00, type=11, code=0, dest=0,
    destifp=0x0) at ../../netinet/ip_icmp.c:220
220             icmp_reflect(m);
(kgdb) list
215             bcopy((caddr_t)oip, (caddr_t)nip, sizeof(struct ip));
216             nip->ip_len = m->m_len;
217             nip->ip_vhl = IP_VHL_BORING;
218             nip->ip_p = IPPROTO_ICMP;
219             nip->ip_tos = 0;
220             icmp_reflect(m);
221
222     freeit:
223             m_freem(n);
224     }
(kgdb) up
#13 0xc01a0429 in ip_forward (m=0xc0931a00, srcrt=0)
    at ../../netinet/ip_input.c:1508
1508                    icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, dest, 0);
(kgdb) list
1503                    sin->sin_len = sizeof(*sin);
1504                    sin->sin_addr = ip->ip_dst;
1505
1506                    rtalloc_ign(&ipforward_rt, RTF_PRCLONING);
1507                    if (ipforward_rt.ro_rt == 0) {
1508                            icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, dest, 0);
1509                            return;
1510                    }
1511                    rt = ipforward_rt.ro_rt;
1512            }
(kgdb) up
#14 0xc019f566 in ip_input (m=0xc0931a00) at ../../netinet/ip_input.c:570
570                     ip_forward(m, 0);
(kgdb) list
565              */
566             if (ipforwarding == 0) {
567                     ipstat.ips_cantforward++;
568                     m_freem(m);
569             } else
570                     ip_forward(m, 0);
571     #ifdef IPFIREWALL_FORWARD
572             ip_fw_fwd_addr = NULL;
573     #endif
574             return;
(kgdb) up
#15 0xc0199a46 in transmit_event (pipe=0xc1586e00)
    at ../../netinet/ip_dummynet.c:399
399                 ip_input((struct mbuf *)pkt) ;
(kgdb) list
394                 (void)ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL);
395                 rt_unref (pkt->ro.ro_rt) ;
396                 break ;
397
398             case DN_TO_IP_IN :
399                 ip_input((struct mbuf *)pkt) ;
400                 break ;
401
402     #ifdef BRIDGE
403             case DN_TO_BDG_FWD : {
(kgdb) up
#16 0xc0199c37 in ready_event (q=0xc16b6500)
    at ../../netinet/ip_dummynet.c:525
525             transmit_event(p);
(kgdb) list
520         /*
521          * If the delay line was empty call transmit_event(p) now.
522          * Otherwise, the scheduler will take care of it.
523          */
524         if (p_was_empty)
525             transmit_event(p);
526     }
527
528     /*
529      * Called when we can transmit packets on WF2Q queues. Take pkts out of
(kgdb) up
#17 0xc019a96b in dummynet_io (pipe_nr=5, dir=2, m=0xc0931a00, ifp=0x0,
    ro=0x0, dst=0x0, rule=0xc14f98e0, flags=0)
    at ../../netinet/ip_dummynet.c:1062
1062                    ready_event( q );
(kgdb) list
1057                dn_key t = 0 ;
1058                if (pipe->bandwidth)
1059                    t = SET_TICKS(pkt, q, pipe);
1060                q->sched_time = curr_time ;
1061                if (t == 0) /* must process it now */
1062                    ready_event( q );
1063                else
1064                    heap_insert(&ready_heap, curr_time + t , q );
1065            } else {
1066                /*
(kgdb) up
#18 0xc019f361 in ip_input (m=0xc0931a00) at ../../netinet/ip_input.c:413
413                     dummynet_io(i&0xffff,DN_TO_IP_IN,m,NULL,NULL,0, rule,
(kgdb) list
408             if (i == 0 && ip_fw_fwd_addr == NULL) /* common case */
409                     goto pass;
410     #ifdef DUMMYNET
411             if ((i & IP_FW_PORT_DYNT_FLAG) != 0) {
412                     /* Send packet to the appropriate pipe */
413                     dummynet_io(i&0xffff,DN_TO_IP_IN,m,NULL,NULL,0, rule,
414                                 0);
415                     return;
416             }
417     #endif
(kgdb) up
#19 0xc019f8cf in ipintr () at ../../netinet/ip_input.c:766
766                     ip_input(m);
(kgdb) list
761                     s = splimp();
762                     IF_DEQUEUE(&ipintrq, m);
763                     splx(s);
764                     if (m == 0)
765                             return;
766                     ip_input(m);
767             }
768     }
769
770     /*
(kgdb) up
#20 0xc0262255 in swi_net_next ()
(kgdb) list
771      * Take incoming datagram fragment and try to reassemble it into
772      * whole datagram. If a chain for reassembly of this datagram already
773      * exists, then it is given as fp; otherwise have to make a chain.
774      *
775      * When IPDIVERT enabled, keep additional state with each packet that
776      * tells us if we need to divert or tee the packet we're building.
777      */
778
779     static struct mbuf *
780     #ifdef IPDIVERT
(kgdb) up
Initial frame selected; you cannot go up.
(kgdb)
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message