Date: Thu, 28 Mar 2019 05:26:01 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 236846] FreeBSD 12.0-STABLE-p3 r345567: panic: vm_fault_hold: fault on nofault entry Message-ID: <bug-236846-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236846

Bug ID: 236846
Summary: FreeBSD 12.0-STABLE-p3 r345567: panic: vm_fault_hold: fault on nofault entry
Product: Base System
Version: 12.0-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: ietf-dane@dukhovni.org
CC: alex@inferiorhumanorgans.com, chernov_victor@list.ru, d8zNeCFG@aon.at, emaste@freebsd.org, girgen@FreeBSD.org, ietf-dane@dukhovni.org, langerruslan@gmail.com, mandrews@bit0.com, markj@FreeBSD.org, pascal.christen@hostpoint.ch, pi@FreeBSD.org, sbruno@FreeBSD.org, sdalu@sdalu.com

After recompiling the 11.2 code that led to kevent crashes (<https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234296#c31>) natively on 12.0-RELEASE-p3, after running for 30 minutes to an hour the code again triggered a kernel panic, but this time not in kevent:

panic: vm_fault_hold: fault on nofault entry, addr: 0xfffffe00c9f87000
cpuid = 0
time = 1553747701
KDB: stack backtrace:
#0 0xffffffff80be7977 at kdb_backtrace+0x67
#1 0xffffffff80b9b563 at vpanic+0x1a3
#2 0xffffffff80b9b3b3 at panic+0x43
#3 0xffffffff80edd120 at unlock_and_deallocate+0
#4 0xffffffff80eda970 at vm_fault+0x60
#5 0xffffffff81074ae3 at trap_pfault+0x163
#6 0xffffffff81073fee at trap+0x29e
#7 0xffffffff8104f465 at calltrap+0x8
#8 0xffffffff80d26cdd at ip_input+0x45d
#9 0xffffffff80cbc576 at netisr_dispatch_src+0xd6
#10 0xffffffff80ca0e63 at ether_demux+0x163
#11 0xffffffff80ca1fc6 at ether_nh_input+0x346
#12 0xffffffff80cbc576 at netisr_dispatch_src+0xd6
#13 0xffffffff80ca1264 at ether_input+0x54
#14 0xffffffff80cb8726 at iflib_rxeof+0xa16
#15 0xffffffff80cb3556 at _task_fn_rx+0x76
#16 0xffffffff80be6204 at gtaskqueue_run_locked+0x144
#17 0xffffffff80be5e68 at gtaskqueue_thread_loop+0x98

This time I have a crash dump.
And, FWIW:
$ addr2line -afi -e /usr/lib/debug/boot/kernel/kernel.debug 0xffffffff80d26cdd
0xffffffff80d26cdd
ip_input
/usr/src/sys/netinet/ip_input.c:605

From kgdb:
(kgdb) fr 28
#28 0xffffffff80d26cdd in ip_input (m=0xfffff80111e4ec00) at /usr/src/sys/netinet/ip_input.c:605
605 if (pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_IN, 0, NULL) != 0)
(kgdb) p *m
$2 = {{m_next = 0x0, m_slist = {sle_next = 0x0}, m_stailq = {stqe_next = 0x0}}, {m_nextpkt = 0x0, m_slistpkt = {sle_next = 0x0}, m_stailqpkt = {stqe_next = 0x0}}, m_data = 0xfffff8051f18900e "E", m_len = 420, m_type = 1, m_flags = 3, {{m_pkthdr = {{ snd_tag = 0xfffff80003d1e000, rcvif = 0xfffff80003d1e000}, tags = {slh_first = 0x0}, len = 420, flowid = 2776446732, csum_flags = 251658240, fibnum = 0, cosqos = 0 '\000', rsstype = 63 '?', {rcv_tstmp = 0, {l2hlen = 0 '\000', l3hlen = 0 '\000', l4hlen = 0 '\000', l5hlen = 0 '\000', spare = 0}}, PH_per = { eight = "\000\000\000\000\377\377\000", sixteen = {0, 0, 65535, 0}, thirtytwo = {0, 65535}, sixtyfour = { 281470681743360}, unintptr = {281470681743360}, ptr = 0xffff00000000}, PH_loc = { eight = "\000\000\000\000\000\000\000", sixteen = {0, 0, 0, 0}, thirtytwo = {0, 0}, sixtyfour = {0}, unintptr = {0}, ptr = 0x0}}, {m_ext = {{ext_count = 1, ext_cnt = 0x5443454c00000001}, ext_buf = 0xfffff8051f189000 "\f\304z\340H\250\\E'tD\306\b", ext_size = 2048, ext_type = 1, ext_flags = 1, ext_free = 0x0, ext_arg1 = 0x0, ext_arg2 = 0x0}, m_pktdat = 0xfffff80111e4ec58 "\001"}}, m_dat = 0xfffff80111e4ec20 ""}}
(kgdb) p *ifp
$3 = {if_link = {cstqe_next = 0xfffff80111e4ec00}, if_clones = {le_next = 0x1, le_prev = 0x38}, if_groups = {cstqh_first = 0x1, cstqh_last = 0xfffff80003792000}, if_alloctype = 0 '\000', if_softc = 0xfffffe0075df26b0, if_llsoftc = 0xffffffff80cbc576
<netisr_dispatch_src+214>, if_l2com = 0xe74d00, if_dname = 0xffffffff80e71134 <mac_ifnet_create_mbuf+292> "\200<%=\020\240\201", if_dunit = -2113854840, if_index = 65535, if_index_reserved = -1, if_xname = "\000\b\000\000\000\000\000\000\000 y\003", <incomplete sequence \370\377\377>, if_description = 0x8 <error: Cannot access memory at address 0x8>, if_flags = 64086016, if_drv_flags = -2048, if_capabilities = 64086016, if_capenable = -2048, if_linkmib = 0xfffffe0075df26e0, if_linkmiblen = 18446744071575309923, if_refcount = 58269696, if_type = 0 '\000', if_addrlen = 248 '\370', if_hdrlen = 255 '\377', if_link_state = 255 '\377', if_mtu = 300215296, if_metric = 4294965249, if_baudrate = 18446735282211712000, if_hwassist = 18446735299613069312, if_epoch = -2197045696704, if_lastchange = {tv_sec = -2134237242, tv_usec = 512}, if_snd = {ifq_head = 0x7, ifq_tail = 0xfffffe0075df27c0, ifq_len = 50907712, ifq_maxlen = -2048, ifq_mtx = {lock_object = { lo_name = 0xfffff80111e4ec00 "", lo_flags = 5, lo_data = 0, lo_witness = 0x118}, mtx_lock = 5}, ifq_drv_head = 0xfffff80003792000, ifq_drv_tail = 0x0, ifq_drv_len = 1977558928, ifq_drv_maxlen = -512, altq_type = -2134129290, altq_flags = -1, altq_disc = 0xe74d00, altq_ifp = 0x0, altq_enqueue = 0x175df27c0, altq_dequeue = 0xfffff80003792000, altq_request = 0x0, altq_clfier = 0xfffff80111e4ec00, altq_classify = 0xfffff80003d1e000, altq_tbr = 0x0, altq_cdnr = 0xfffffe0075df27c0}, if_linktask = {ta_link = {stqe_next = 0xffffffff80ca1264 <ether_input+84>}, ta_pending = 0, ta_priority = 0, ta_func = 0x1b2, ta_context = 0xfffff80003d1e000}, if_addr_lock = {lock_object = { lo_name = 0x1 <error: Cannot access memory at address 0x1>, lo_flags = 1977559200, lo_data = 4294966784, lo_witness = 0xffffffff80cb8726 <iflib_rxeof+2582>}, mtx_lock = 18446741877785532224},
if_addrhead = { cstqh_first = 0xfffffe00b8ba7740, cstqh_last = 0xfffff80003d49800}, if_multiaddrs = {cstqh_first = 0xffffffffffff00e8, cstqh_last = 0xfffff80003d3e140}, if_amcount = 64264192, if_addr = 0xfffff80003d13000, if_hw_addr = 0xe801b200000000, if_broadcastaddr = 0xfffff80003d1e000 "", if_afdata_lock = {lock_object = {lo_name = 0xfffff80003d3e140 "", lo_flags = 2776446732, lo_data = 251658240, lo_witness = 0x3f01000000ffff}, mtx_lock = 18446735281926513849}, if_afdata = { 0xfffff8017eaaec01, 0xfffff80003d3e030, 0x18ffffffff, 0xfffff80003d3e000, 0xffffffff81a76540 <igb_sctx_init>, 0xfffff80003d1e000, 0xfffff801000001b2, 0x0, 0xfffff80003784000, 0xfffff80003d13000, 0xfffffe0075df2908, 0xfffff80003d3e000, 0xfffff80003784050, 0xfffffe0075df28e0, 0xffffffff80cb3556 <_task_fn_rx+118>, 0x0, 0xfffff80003784000, 0xfffff80003784000, 0xfffff80003d3e090, 0xfffffe0075df2900, 0xfffff80003784050, 0xfffffe0075df2940, 0xffffffff80be6204 <gtaskqueue_run_locked+324>, 0xfffffe0075df2940, 0xfffff80003784038, 0xfffff80003d3e090, 0x0, 0xfffff80003784028, 0xfffff80003784038, 0xfffffe00041fd008, 0xffffffff81fe62e0 <proc0>, 0xfffff80003784000, 0xffffffff80be5dd0 <gtaskqueue_thread_loop>, 0xfffffe0075df2970, 0xffffffff80be5e68 <gtaskqueue_thread_loop+152>, 0xfffffe0075df2960, 0x202, 0xfffff80003792000, 0xfffffe0075df29c0, 0xfffffe0075df29b0, 0xffffffff80b5bf33 <fork_exit+131>, 0x0}, if_afdata_initialized = 69193736, if_fib = 4294966784, if_vnet = 0xffffffff80be5dd0 <gtaskqueue_thread_loop>, if_home_vnet = 0x0, if_vlantrunk = 0xffffffff81ea6300 <tdq_cpu>, if_bpf = 0xffffffff81fe6820 <thread0_st>, if_pcount = 0, if_bridge = 0xffffffff8105045e <fork_trampoline+14>, if_lagg = 0x0, if_pf_kif = 0x0, if_carp = 0x0, if_label = 0x0, if_netmap = 0x0, if_output = 0x0, if_input = 0x0, if_bridge_input = 0x0, if_bridge_output = 0x0, if_bridge_linkstate = 0x0, if_start = 0x0, if_ioctl = 0x0,
if_init = 0x0, if_resolvemulti = 0x0, if_qflush = 0x0, if_transmit = 0x0, if_reassign = 0x0, if_get_counter = 0x0, if_requestencap = 0x0, if_counters = {0x0, 0x0, 0x0, 0x0, 0x0, 0xfffff80003792000, 0xffffffff81f74688 <sleepq_chains+4104>, 0x0, 0x0, 0xfffffe0075df2890, 0xfffffe0075df27c8, 0xfffff800036db000}, if_hw_tsomax = 2159857853, if_hw_tsomaxsegcount = 4294967295, if_hw_tsomaxsegsize = 0, if_snd_tag_alloc = 0x0, if_snd_tag_modify = 0x0, if_snd_tag_query = 0x0, if_snd_tag_free = 0x0, if_pcp = 0 '\000', if_netdump_methods = 0x0, if_epoch_ctx = {data = {0x0, 0x0}}, if_addr_et = {datap = {0x0, 0x0, 0x0}, datai = {0}}, if_maddr_et = {datap = {0x0, 0x0, 0x0}, datai = {0}}, if_ispare = {1, 0, 0, 0}}

--
You are receiving this mail because:
You are the assignee for the bug.