Date: Wed, 1 Feb 2006 15:55:56 -0800
From: Steve Kargl
To: freebsd-current@freebsd.org, freebsd-amd64@freebsd.org
Message-ID: <20060201235556.GA708@troutmask.apl.washington.edu>
Subject: HEADSUP: New pts code triggers panics on amd64 systems.

After a binary search, I have determined that the new pts code
is triggering kernel panics on an AMD64 system.

Using this supfile file, I retrieve the src/sys

*default host=cvsup10.freebsd.org
*default base=/usr
*default release=cvs tag=.
*default delete use-rel-suffix
*default prefix=/usr
#*default date=2006.01.26.01.30.00   <-- Good working kernel
*default date=2006.01.26.01.31.00    <-- kernel dies within 5 to 10 minutes.
src-sys

The differences in the src/sys between the above time stamps are

Updating collection src-sys/cvs
 Edit src/sys/conf/files
 Checkout src/sys/kern/tty_pts.c
 Edit src/sys/kern/tty_pty.c
 Edit src/sys/sys/ttycom.h

My kernel is UP on a dual processor Tyan K8S Pro motherboard with
12 GB of memory. I have no loaded modules. I have neither
MEMGUARD nor REDZONES compiled into the kernel. Attempts to use
MEMGUARD result in a kernel that does not even make it to single
user mode.

With vm.old_contigmalloc=1

Memory modified after free 0xfffffff024e38f200(504) val = deadc0dd @ 0xfffffff024e38f2d0
panic: Most recently used by DEVFS1
KDB: stack backtrace:
panic() at panic+0x1c1
mtrash_ctor() at mtrash_ctor+0x78
uma_zalloc_arg() at uma_zalloc_arg+0x306
malloc() at malloc+0x3a
fdinit() at fdinit+0x24
fdcopy() at fdcopy+0x24
fork1() at fork1+0x6df
vfork() at vfork+0x1c
syscall() at syscall+0x517
Xfast_syscall() at Xfast_syscall+0xa8
--- syscall (66, FreeBSD ELF64, vfork) rip = 0x2006a5b4d, rsp=0xfffffffda50, rbp = 0 ---

With vm.old_contigmalloc=0

Memory modified after free (sorry forgot to write this down)
panic: Most recently used by DEVFS1
KDB: stack backtrace:
panic() at panic+0x1c1
mtrash_ctor() at mtrash_ctor+0x78
uma_zalloc_arg() at uma_zalloc_arg+0x306
malloc() at malloc+0x3a
devfs_alloc() at devfs_alloc+0x1a
make_dev_credv() at make_dev_credv+0x4b
make_dev_cred() at make_dev_cred+0x8e
ptcopen() at ptcopen+0x111
giant_open() at giant_open+0x5f
devfs_open() at devfs_open+0x23b
VOP_OPEN_APV() at VOP_OPEN_APV+0x74
vn_open_cred() at vn_open_cred+0x38c
kern_open() at kern_open+0xfd
open() at open+0x25
syscall() at syscall+0x517
Xfast_syscall() at Xfast_syscall+0xa8
--- syscall (5, FreeBSD ELF64, open) rip = 0x200aeebcc, rsp=0xfffffff2e58, rbp = 0xffffffff ---

Script started on Wed Feb 1 15:32:43 2006
troutmask:root[201] kgdb /boot/kernel/kernel vmcore.0
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd".

Unread portion of the kernel message buffer:
Memory modified after free 0xffffff0254d62600(504) val=deadc0dd @ 0xffffff0254d626d0
panic: Most recently used by DEVFS1
KDB: stack backtrace:
panic() at panic+0x1c1
mtrash_ctor() at mtrash_ctor+0x78
uma_zalloc_arg() at uma_zalloc_arg+0x306
malloc() at malloc+0xa3
devfs_alloc() at devfs_alloc+0x1a
make_dev_credv() at make_dev_credv+0x4b
make_dev_cred() at make_dev_cred+0x8e
ptcopen() at ptcopen+0x111
giant_open() at giant_open+0x5f
devfs_open() at devfs_open+0x23b
VOP_OPEN_APV() at VOP_OPEN_APV+0x74
vn_open_cred() at vn_open_cred+0x38c
kern_open() at kern_open+0xfd
open() at open+0x25
syscall() at syscall+0x517
Xfast_syscall() at Xfast_syscall+0xa8
--- syscall (5, FreeBSD ELF64, open), rip = 0x200aeebcc, rsp = 0x7fffffff2e58, rbp = 0xffffffff ---
KDB: enter: panic
Uptime: 6m10s
Dumping 12223 MB (3 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 4031MB (1031920 pages) ... ok
  chunk 2: 8192MB (2097152 pages)

#0  doadump () at pcpu.h:172
172     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:172
#1  0xffffffff8027f809 in boot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xffffffff8027f2da in panic (
    fmt=0xffffffff80476e34 "Most recently used by %s\n")
    at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xffffffff803b9ad8 in mtrash_ctor (mem=0x0, size=0, arg=0x0, flags=0)
    at /usr/src/sys/vm/uma_dbg.c:137
#4  0xffffffff803b8046 in uma_zalloc_arg (zone=0xffffff02fffeae40, udata=0x0,
    flags=1282) at /usr/src/sys/vm/uma_core.c:1846
#5  0xffffffff80273d93 in malloc (size=15, mtp=0xffffffff805aac60, flags=1282)
    at uma.h:275
#6  0xffffffff80228dca in devfs_alloc ()
    at /usr/src/sys/fs/devfs/devfs_devs.c:121
#7  0xffffffff80254d1b in make_dev_credv (devsw=0xffffffff805c0e40, minornr=0,
    cr=0xffffff0250378380, uid=0, gid=0, mode=438,
    fmt=0xffffffff80462900 "tty%c%r", ap=0xffffffffbd5e2530)
    at /usr/src/sys/kern/kern_conf.c:523
#8  0xffffffff80254ebe in make_dev_cred (devsw=0x0, minornr=0, cr=0x0, uid=0,
    gid=0, mode=0, fmt=0x0) at /usr/src/sys/kern/kern_conf.c:581
#9  0xffffffff802c0ce1 in ptcopen (dev=0x0, flag=0, devtype=0,
    td=0xffffff0250378380) at /usr/src/sys/kern/tty_pty.c:163
#10 0xffffffff80253caf in giant_open (dev=0xffffff024d8fc400, oflags=32771,
    devtype=8192, td=0xffffff024fcc5000) at /usr/src/sys/kern/kern_conf.c:242
#11 0xffffffff8022bcdb in devfs_open (ap=0xffffffffbd5e2770)
    at /usr/src/sys/fs/devfs/devfs_vnops.c:680
#12 0xffffffff8042b3f4 in VOP_OPEN_APV (vop=0x0, a=0xffffffffbd5e2770)
    at vnode_if.c:365
#13 0xffffffff802f855c in vn_open_cred (ndp=0xffffffffbd5e2990,
    flagp=0xffffffffbd5e28dc, cmode=8, cred=0xffffff0250378380, fdidx=6)
    at vnode_if.h:198
#14 0xffffffff802ee83d in kern_open (td=0xffffff024fcc5000, path=0x519fab,
    pathseg=UIO_USERSPACE, flags=32771, mode=-1117902448)
    at /usr/src/sys/kern/vfs_syscalls.c:977
#15 0xffffffff802eef35 in open (td=0x0, uap=0xffffffffbd5e2c00)
    at /usr/src/sys/kern/vfs_syscalls.c:943
#16 0xffffffff803ea0e7 in syscall (frame=
      {tf_rdi = 5349291, tf_rsi = 32770, tf_rdx = 10, tf_rcx = 8601451180,
       tf_r8 = -2142762872, tf_r9 = 140737488301656, tf_rax = 5, tf_rbx = 0,
       tf_rbp = 4294967295, tf_r10 = 1, tf_r11 = 514, tf_r12 = 6,
       tf_r13 = 5349291, tf_r14 = 5349280, tf_r15 = 1, tf_trapno = 22,
       tf_addr = 0, tf_flags = 0, tf_err = 2, tf_rip = 8601398220, tf_cs = 43,
       tf_rflags = 582, tf_rsp = 140737488301656, tf_ss = 35})
    at /usr/src/sys/amd64/amd64/trap.c:821
#17 0xffffffff803d8048 in Xfast_syscall ()
    at /usr/src/sys/amd64/amd64/exception.S:270
#18 0x0000000200aeebcc in ?? ()

--
Steve
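
Added example, not part of the original message and not FreeBSD source: a userland C model of the fill-on-free / verify-on-allocate check that produces the "Memory modified after free" line above. The function names are hypothetical, and the stale 32-bit decrement at offset 0xd0 is a constructed scenario chosen because it yields the reported value (0xdeadc0de - 1 = 0xdeadc0dd); the report itself does not identify the writer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define JUNK      0xdeadc0deu /* fill word uma_dbg.c writes into freed items */
#define ITEM_SIZE 504         /* checked size printed in the panic message */

/* Model of the free-time hook: overwrite the whole item with the junk word. */
static void trash_on_free(uint32_t *item, size_t size)
{
    for (size_t i = 0; i < size / sizeof(uint32_t); i++)
        item[i] = JUNK;
}

/* Model of the allocate-time hook (mtrash_ctor in the backtrace): return the
 * byte offset of the first word that no longer holds the junk pattern and
 * store that word in *val, or return -1 if the item is untouched. */
static long check_on_alloc(const uint32_t *item, size_t size, uint32_t *val)
{
    for (size_t i = 0; i < size / sizeof(uint32_t); i++) {
        if (item[i] != JUNK) {
            *val = item[i];
            return (long)(i * sizeof(uint32_t));
        }
    }
    return -1;
}

/* Constructed scenario: a pointer kept past the free decrements a 32-bit
 * field at offset 0xd0, the distance between the two addresses in the report
 * (0x...26d0 - 0x...2600). The next allocation of the item detects it. */
static long simulate_stale_decrement(uint32_t *val)
{
    static uint32_t item[ITEM_SIZE / sizeof(uint32_t)];
    uint32_t *stale = &item[0xd0 / sizeof(uint32_t)];

    trash_on_free(item, ITEM_SIZE);   /* item is freed */
    (*stale)--;                       /* write through the stale pointer */
    return check_on_alloc(item, ITEM_SIZE, val);
}

int main(void)
{
    uint32_t val = 0;
    long off = simulate_stale_decrement(&val);

    if (off >= 0)
        printf("Memory modified after free (%d) val=%x @ +0x%lx\n",
            ITEM_SIZE, (unsigned)val, (unsigned long)off);
    return 0;
}
```

The check runs when the item is next handed out, so the panicking thread (vfork or open in the traces above) is only the allocation that found the damage; the write itself came from whatever still held a pointer to the freed item.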