Date:      Thu, 28 Mar 2019 05:26:01 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 236846] FreeBSD 12.0-STABLE-p3 r345567: panic: vm_fault_hold: fault on nofault entry
Message-ID:  <bug-236846-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236846

            Bug ID: 236846
           Summary: FreeBSD 12.0-STABLE-p3 r345567: panic: vm_fault_hold:
                    fault on nofault entry
           Product: Base System
           Version: 12.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: ietf-dane@dukhovni.org
                CC: alex@inferiorhumanorgans.com, chernov_victor@list.ru,
                    d8zNeCFG@aon.at, emaste@freebsd.org,
                    girgen@FreeBSD.org, ietf-dane@dukhovni.org,
                    langerruslan@gmail.com, mandrews@bit0.com,
                    markj@FreeBSD.org, pascal.christen@hostpoint.ch,
                    pi@FreeBSD.org, sbruno@FreeBSD.org, sdalu@sdalu.com

After recompiling the 11.2 code that led to kevent crashes
(<https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234296#c31>)
natively on 12.0-RELEASE-p3, after running for 30 minutes to an
hour the code again triggered a kernel panic, but this time not
in kevent:

panic: vm_fault_hold: fault on nofault entry, addr: 0xfffffe00c9f87000
cpuid = 0
time = 1553747701
KDB: stack backtrace:
#0 0xffffffff80be7977 at kdb_backtrace+0x67
#1 0xffffffff80b9b563 at vpanic+0x1a3
#2 0xffffffff80b9b3b3 at panic+0x43
#3 0xffffffff80edd120 at unlock_and_deallocate+0
#4 0xffffffff80eda970 at vm_fault+0x60
#5 0xffffffff81074ae3 at trap_pfault+0x163
#6 0xffffffff81073fee at trap+0x29e
#7 0xffffffff8104f465 at calltrap+0x8
#8 0xffffffff80d26cdd at ip_input+0x45d
#9 0xffffffff80cbc576 at netisr_dispatch_src+0xd6
#10 0xffffffff80ca0e63 at ether_demux+0x163
#11 0xffffffff80ca1fc6 at ether_nh_input+0x346
#12 0xffffffff80cbc576 at netisr_dispatch_src+0xd6
#13 0xffffffff80ca1264 at ether_input+0x54
#14 0xffffffff80cb8726 at iflib_rxeof+0xa16
#15 0xffffffff80cb3556 at _task_fn_rx+0x76
#16 0xffffffff80be6204 at gtaskqueue_run_locked+0x144
#17 0xffffffff80be5e68 at gtaskqueue_thread_loop+0x98

This time I have a crash dump.  And, FWIW:

  $ addr2line -afi -e /usr/lib/debug/boot/kernel/kernel.debug
0xffffffff80d26cdd
  0xffffffff80d26cdd
  ip_input
  /usr/src/sys/netinet/ip_input.c:605

From kgdb:

(kgdb) fr 28
#28 0xffffffff80d26cdd in ip_input (m=0xfffff80111e4ec00) at
/usr/src/sys/netinet/ip_input.c:605
605             if (pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_IN, 0,
NULL) != 0)

(kgdb) p *m
$2 = {{m_next = 0x0, m_slist = {sle_next = 0x0}, m_stailq = {stqe_next = 0x0}},
{m_nextpkt = 0x0, m_slistpkt = {sle_next = 0x0},
    m_stailqpkt = {stqe_next = 0x0}}, m_data = 0xfffff8051f18900e "E", m_len =
420, m_type = 1, m_flags = 3, {{m_pkthdr = {{
          snd_tag = 0xfffff80003d1e000, rcvif = 0xfffff80003d1e000}, tags =
{slh_first = 0x0}, len = 420, flowid = 2776446732,
        csum_flags = 251658240, fibnum = 0, cosqos = 0 '\000', rsstype = 63
'?', {rcv_tstmp = 0, {l2hlen = 0 '\000',
            l3hlen = 0 '\000', l4hlen = 0 '\000', l5hlen = 0 '\000', spare =
0}}, PH_per = {
          eight = "\000\000\000\000\377\377\000", sixteen = {0, 0, 65535, 0},
thirtytwo = {0, 65535}, sixtyfour = {
            281470681743360}, unintptr = {281470681743360}, ptr =
0xffff00000000}, PH_loc = {
          eight = "\000\000\000\000\000\000\000", sixteen = {0, 0, 0, 0},
thirtytwo = {0, 0}, sixtyfour = {0}, unintptr = {0},
          ptr = 0x0}}, {m_ext = {{ext_count = 1, ext_cnt = 0x5443454c00000001},
          ext_buf = 0xfffff8051f189000 "\f\304z\340H\250\\E'tD\306\b", ext_size
= 2048, ext_type = 1, ext_flags = 1,
          ext_free = 0x0, ext_arg1 = 0x0, ext_arg2 = 0x0}, m_pktdat =
0xfffff80111e4ec58 "\001"}},
    m_dat = 0xfffff80111e4ec20 ""}}

(kgdb) p *ifp
$3 = {if_link = {cstqe_next = 0xfffff80111e4ec00}, if_clones = {le_next = 0x1,
le_prev = 0x38}, if_groups = {cstqh_first = 0x1,
    cstqh_last = 0xfffff80003792000}, if_alloctype = 0 '\000', if_softc =
0xfffffe0075df26b0,
  if_llsoftc = 0xffffffff80cbc576 <netisr_dispatch_src+214>, if_l2com =
0xe74d00,
  if_dname = 0xffffffff80e71134 <mac_ifnet_create_mbuf+292>
"\200<%=\020\240\201", if_dunit = -2113854840, if_index = 65535,
  if_index_reserved = -1, if_xname = "\000\b\000\000\000\000\000\000\000
y\003", <incomplete sequence \370\377\377>,
  if_description = 0x8 <error: Cannot access memory at address 0x8>, if_flags =
64086016, if_drv_flags = -2048,
  if_capabilities = 64086016, if_capenable = -2048, if_linkmib =
0xfffffe0075df26e0, if_linkmiblen = 18446744071575309923,
  if_refcount = 58269696, if_type = 0 '\000', if_addrlen = 248 '\370',
if_hdrlen = 255 '\377', if_link_state = 255 '\377',
  if_mtu = 300215296, if_metric = 4294965249, if_baudrate =
18446735282211712000, if_hwassist = 18446735299613069312,
  if_epoch = -2197045696704, if_lastchange = {tv_sec = -2134237242, tv_usec =
512}, if_snd = {ifq_head = 0x7,
    ifq_tail = 0xfffffe0075df27c0, ifq_len = 50907712, ifq_maxlen = -2048,
ifq_mtx = {lock_object = {
        lo_name = 0xfffff80111e4ec00 "", lo_flags = 5, lo_data = 0, lo_witness
= 0x118}, mtx_lock = 5},
    ifq_drv_head = 0xfffff80003792000, ifq_drv_tail = 0x0, ifq_drv_len =
1977558928, ifq_drv_maxlen = -512,
    altq_type = -2134129290, altq_flags = -1, altq_disc = 0xe74d00, altq_ifp =
0x0, altq_enqueue = 0x175df27c0,
    altq_dequeue = 0xfffff80003792000, altq_request = 0x0, altq_clfier =
0xfffff80111e4ec00, altq_classify = 0xfffff80003d1e000,
    altq_tbr = 0x0, altq_cdnr = 0xfffffe0075df27c0}, if_linktask = {ta_link =
{stqe_next = 0xffffffff80ca1264 <ether_input+84>},
    ta_pending = 0, ta_priority = 0, ta_func = 0x1b2, ta_context =
0xfffff80003d1e000}, if_addr_lock = {lock_object = {
      lo_name = 0x1 <error: Cannot access memory at address 0x1>, lo_flags =
1977559200, lo_data = 4294966784,
      lo_witness = 0xffffffff80cb8726 <iflib_rxeof+2582>}, mtx_lock =
18446741877785532224}, if_addrhead = {
    cstqh_first = 0xfffffe00b8ba7740, cstqh_last = 0xfffff80003d49800},
if_multiaddrs = {cstqh_first = 0xffffffffffff00e8,
    cstqh_last = 0xfffff80003d3e140}, if_amcount = 64264192, if_addr =
0xfffff80003d13000, if_hw_addr = 0xe801b200000000,
  if_broadcastaddr = 0xfffff80003d1e000 "", if_afdata_lock = {lock_object =
{lo_name = 0xfffff80003d3e140 "",
      lo_flags = 2776446732, lo_data = 251658240, lo_witness =
0x3f01000000ffff}, mtx_lock = 18446735281926513849}, if_afdata = {
    0xfffff8017eaaec01, 0xfffff80003d3e030, 0x18ffffffff, 0xfffff80003d3e000,
0xffffffff81a76540 <igb_sctx_init>,
    0xfffff80003d1e000, 0xfffff801000001b2, 0x0, 0xfffff80003784000,
0xfffff80003d13000, 0xfffffe0075df2908, 0xfffff80003d3e000,
    0xfffff80003784050, 0xfffffe0075df28e0, 0xffffffff80cb3556
<_task_fn_rx+118>, 0x0, 0xfffff80003784000, 0xfffff80003784000,
    0xfffff80003d3e090, 0xfffffe0075df2900, 0xfffff80003784050,
0xfffffe0075df2940,
    0xffffffff80be6204 <gtaskqueue_run_locked+324>, 0xfffffe0075df2940,
0xfffff80003784038, 0xfffff80003d3e090, 0x0,
    0xfffff80003784028, 0xfffff80003784038, 0xfffffe00041fd008,
0xffffffff81fe62e0 <proc0>, 0xfffff80003784000,
    0xffffffff80be5dd0 <gtaskqueue_thread_loop>, 0xfffffe0075df2970,
0xffffffff80be5e68 <gtaskqueue_thread_loop+152>,
    0xfffffe0075df2960, 0x202, 0xfffff80003792000, 0xfffffe0075df29c0,
0xfffffe0075df29b0, 0xffffffff80b5bf33 <fork_exit+131>,
    0x0}, if_afdata_initialized = 69193736, if_fib = 4294966784, if_vnet =
0xffffffff80be5dd0 <gtaskqueue_thread_loop>,
  if_home_vnet = 0x0, if_vlantrunk = 0xffffffff81ea6300 <tdq_cpu>, if_bpf =
0xffffffff81fe6820 <thread0_st>, if_pcount = 0,
  if_bridge = 0xffffffff8105045e <fork_trampoline+14>, if_lagg = 0x0, if_pf_kif
= 0x0, if_carp = 0x0, if_label = 0x0,
  if_netmap = 0x0, if_output = 0x0, if_input = 0x0, if_bridge_input = 0x0,
if_bridge_output = 0x0, if_bridge_linkstate = 0x0,
  if_start = 0x0, if_ioctl = 0x0, if_init = 0x0, if_resolvemulti = 0x0,
if_qflush = 0x0, if_transmit = 0x0, if_reassign = 0x0,
  if_get_counter = 0x0, if_requestencap = 0x0, if_counters = {0x0, 0x0, 0x0,
0x0, 0x0, 0xfffff80003792000,
    0xffffffff81f74688 <sleepq_chains+4104>, 0x0, 0x0, 0xfffffe0075df2890,
0xfffffe0075df27c8, 0xfffff800036db000},
  if_hw_tsomax = 2159857853, if_hw_tsomaxsegcount = 4294967295,
if_hw_tsomaxsegsize = 0, if_snd_tag_alloc = 0x0,
  if_snd_tag_modify = 0x0, if_snd_tag_query = 0x0, if_snd_tag_free = 0x0,
if_pcp = 0 '\000', if_netdump_methods = 0x0,
  if_epoch_ctx = {data = {0x0, 0x0}}, if_addr_et = {datap = {0x0, 0x0, 0x0},
datai = {0}}, if_maddr_et = {datap = {0x0, 0x0,
      0x0}, datai = {0}}, if_ispare = {1, 0, 0, 0}}

-- 
You are receiving this mail because:
You are the assignee for the bug.


