From owner-freebsd-current@FreeBSD.ORG  Fri Aug  7 12:53:17 2009
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C3B581065673;
	Fri,  7 Aug 2009 12:53:17 +0000 (UTC)
	(envelope-from lstewart@freebsd.org)
Received: from lauren.room52.net (lauren.room52.net [210.50.193.198])
	by mx1.freebsd.org (Postfix) with ESMTP id 6929C8FC1F;
	Fri,  7 Aug 2009 12:53:17 +0000 (UTC)
Received: from lstewart-laptop.caia.swin.edu.au
	(host86-144-70-159.range86-144.btcentralplus.com [86.144.70.159])
	(authenticated bits=0)
	by lauren.room52.net (8.14.3/8.14.3) with ESMTP id n77CqsKT009390
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Fri, 7 Aug 2009 22:53:01 +1000 (EST)
	(envelope-from lstewart@freebsd.org)
Message-ID: <4A7C2395.6020600@freebsd.org>
Date: Fri, 07 Aug 2009 13:52:37 +0100
From: Lawrence Stewart <lstewart@freebsd.org>
User-Agent: Thunderbird 2.0.0.22 (X11/20090722)
MIME-Version: 1.0
To: Fabian Keil <freebsd-listen@fabiankeil.de>
References: <20090807142027.1a30e8ba@fabiankeil.de>
In-Reply-To: <20090807142027.1a30e8ba@fabiankeil.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-0.0 required=5.0 tests=AWL,BAYES_00,RCVD_IN_PBL,
	RCVD_IN_SORBS_DUL, RDNS_DYNAMIC,
	SPF_SOFTFAIL autolearn=disabled version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on lauren.room52.net
Cc: freebsd-current@freebsd.org, kmacy@freebsd.org
Subject: Re: Fatal trap 12: page fault while in kernel mode - current
 process: flowcleaner
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Aug 2009 12:53:18 -0000

Fabian Keil wrote:
> Using:
> 
> FreeBSD TP51.local 8.0-BETA2 FreeBSD 8.0-BETA2 #36: Sat Aug  1 00:07:09 CEST 2009
> fk@TP51.local:/usr/obj/usr/src/sys/THINKPAD  i386
> 
> I got the following panic:
> 
> fk@TP51 /usr/crash $kgdb /boot/kernel/kernel.symbols vmcore.6
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-marcel-freebsd"...
> 
> Unread portion of the kernel message buffer:
> 
> 
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address   = 0x0
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0x0
> stack pointer           = 0x28:0xf1a2fc94
> frame pointer           = 0x28:0xf1a2fcd8
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 40 (flowcleaner)
> panic: from debugger
> cpuid = 0
> Uptime: 2m1s
> Physical memory: 998 MB
> Dumping 144 MB: 129 113 97 81 65 49 33 17 1
> 
> Reading symbols from /boot/kernel/unionfs.ko...Reading symbols from /boot/kernel/unionfs.ko.symbols...done.
> done.
> [...]
> Loaded symbols for /boot/kernel/fdescfs.ko
> #0  doadump () at pcpu.h:246
> 246     pcpu.h: No such file or directory.
>         in pcpu.h
> (kgdb) where
> #0  doadump () at pcpu.h:246
> #1  0xc0678e66 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:419
> #2  0xc06790a2 in panic (fmt=Variable "fmt" is not available.
> ) at /usr/src/sys/kern/kern_shutdown.c:575
> #3  0xc04f2e57 in db_panic (addr=Could not find the frame base for "db_panic".
> ) at /usr/src/sys/ddb/db_command.c:478
> #4  0xc04f33e1 in db_command (last_cmdp=0xc0a1f31c, cmd_table=0x0, dopager=1) at /usr/src/sys/ddb/db_command.c:445
> #5  0xc04f353a in db_command_loop () at /usr/src/sys/ddb/db_command.c:498
> #6  0xc04f532d in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:229
> #7  0xc06a33c6 in kdb_trap (type=12, code=0, tf=0xf1a2fc54) at /usr/src/sys/kern/subr_kdb.c:534
> #8  0xc0913a8f in trap_fatal (frame=0xf1a2fc54, eva=0) at /usr/src/sys/i386/i386/trap.c:924
> #9  0xc0913cc3 in trap_pfault (frame=0xf1a2fc54, usermode=0, eva=0) at /usr/src/sys/i386/i386/trap.c:846
> #10 0xc091469a in trap (frame=0xf1a2fc54) at /usr/src/sys/i386/i386/trap.c:528
> #11 0xc08f83bb in calltrap () at /usr/src/sys/i386/i386/exception.s:165
> #12 0x00000000 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> 
> The backtrace in ddb mentioned several flow* functions,
> but unfortunately it doesn't seem to have survived the
> dump.
> 
> The problem occurred after booting the system with the rc.conf line:
>   ifconfig_wlan0="inet 192.168.178.49 -wme"
> changing it to:
>   ifconfig_wlan0="inet 192.168.178.49 ssid [...] wepkey 1:[0x...] deftxkey 1 wepmode on chanlist 7 -wme"
> running:
>   /etc/rc.d/netif restart
> followed by:
>   ifconfig wlan0
> which showed that wlan0 got associated.
> The panic happened less than a second later.
> 
> The system is an IBM ThinkPad R51 with iwi0 as wlandev.
> em0 was configured and up but unconnected.


I can reliably trigger a flowcleaner panic as well on my Toshiba R600 
laptop with a rum based WIFI dongle (D-Link DWA-110). I only get it on 
teardown/detach though. Kip is aware of the issue and will hopefully 
have a patch for us at some point.

Panic details:

Fatal trap 9: general protection fault while in kernel mode
cpuid = 1; apic id = 01
instruction pointer     = 0x20:0xffffffff80628998
stack pointer           = 0x28:0xffffff80568ebba0
frame pointer           = 0x28:0xffffff80568ebc00
code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 51 (flowcleaner)


Relevant part of backtrace:

#8  0xffffffff80849083 in calltrap () at 
/usr/src/sys/amd64/amd64/exception.S:224
#9  0xffffffff80628998 in flowtable_free_stale (ft=Variable "ft" is not 
available.
) at /usr/src/sys/net/flowtable.c:835
#10 0xffffffff80628b17 in flowtable_cleaner () at 
/usr/src/sys/net/flowtable.c:944
#11 0xffffffff8055a37a in fork_exit (callout=0xffffffff80628a60 
<flowtable_cleaner>, arg=0x0,
     frame=0xffffff80568ebc80) at /usr/src/sys/kern/kern_fork.c:838
#12 0xffffffff8084955e in fork_trampoline () at 
/usr/src/sys/amd64/amd64/exception.S:561



Cheers,
Lawrence