From owner-freebsd-bugs@FreeBSD.ORG Wed May 10 15:30:44 2006
Date: Wed, 10 May 2006 15:30:19 GMT
Message-Id: <200605101530.k4AFUJ22048179@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Andrew Kolchoogin
Subject: Re: kern/96413: FreeBSD 6.1-RC Kernel Panic
Reply-To: Andrew Kolchoogin
List-Id: Bug reports

The following reply was made to PR kern/96413; it has been noted by GNATS.

From: Andrew Kolchoogin
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/96413: FreeBSD 6.1-RC Kernel Panic
Date: Wed, 10 May 2006 19:22:50 +0400

6.1-RELEASE is also affected by this bug:

===
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc06a24f5 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
#2  0xc06a27ff in panic (fmt=0xc092e22e "%s") at /usr/src/sys/kern/kern_shutdown.c:558
#3  0xc08e0b8d in trap_fatal (frame=0xe3599ac8, eva=0) at /usr/src/sys/i386/i386/trap.c:836
#4  0xc08e08ad in trap_pfault (frame=0xe3599ac8, usermode=0, eva=172) at /usr/src/sys/i386/i386/trap.c:744
#5  0xc08e0477 in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = -985595864, tf_edi = -990918620, tf_esi = -977145856, tf_ebp = -480666832, tf_isp = -480666892, tf_ebx = 4, tf_edx = 0, tf_ecx = -995464960, tf_eax = -995464960, tf_trapno = 12, tf_err = 2, tf_eip = -1066003983, tf_cs = 32, tf_eflags = 66194, tf_esp = -977145856, tf_ss = 16}) at /usr/src/sys/i386/i386/trap.c:434
#6  0xc08cdbda in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc07611f1 in tcp_timewait (tw=0xc5c1f000, to=0xe3599bf8, th=0xc4efc824, m=0xc4aa6900, tlen=0) at atomic.h:149
#8  0xc075def8 in tcp_input (m=0xc4ed1900, off0=20) at /usr/src/sys/netinet/tcp_input.c:762
#9  0xc0755cf7 in ip_input (m=0xc4ed1900) at /usr/src/sys/netinet/ip_input.c:786
#10 0xc072ce87 in netisr_processqueue (ni=0xc0a23758) at /usr/src/sys/net/netisr.c:236
#11 0xc072d0d4 in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:349
#12 0xc0689ac0 in ithread_execute_handlers (p=0xc4aa5830, ie=0xc4aa4580) at /usr/src/sys/kern/kern_intr.c:684
#13 0xc0689c0a in ithread_loop (arg=0xc4a896a0) at /usr/src/sys/kern/kern_intr.c:767
#14 0xc06886e4 in fork_exit (callout=0xc0689ba7 , arg=0xc4aa6900, frame=0xc4aa6900) at /usr/src/sys/kern/kern_fork.c:805
#15 0xc08cdc3c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
(kgdb) x/a 0xc5c1f000
0xc5c1f000:     0x0
(kgdb)
===

The first element of struct tcptw is a pointer to struct inpcb.
As we can see, it is NULL in our case. Null pointer dereference => kernel panic.

--
Yours
Andrew Kolchoogin.
[DREW-RIPE, AKOL-RIPN]

GOD#killall -KILL lifed && dd if=/dev/zero of=/dev/world; cd /src/world && make deinstall && make distclean && cat /patches/world0.01-0.59.patch | patch -p0 && make world && make installworld && /etc/rc.d/lifed start
(C) someoneelse
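
An added example (not part of the original message and not FreeBSD code): a small C helper that decodes the trap frame values printed in frames #4 and #5 of the backtrace. It shows that tf_eip is the address of frame #7 (tcp_timewait) and that tf_err = 2 with eva = 172 describes a kernel-mode write to a non-present page at a small offset from address 0, the pattern produced by accessing a member through a NULL structure pointer. The function names, the struct and the 4096-byte threshold are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* x86 page-fault error code bits (architectural definition). */
#define PF_PRESENT 0x01u /* 0 = page not present, 1 = protection violation */
#define PF_WRITE   0x02u /* 0 = read access,      1 = write access */
#define PF_USER    0x04u /* 0 = kernel mode,      1 = user mode */

/* Assumption of this example: a fault inside the first page is NULL + offset. */
#define NULL_GUARD 4096u

struct fault {
    uint32_t eip;        /* faulting instruction address, unsigned */
    uint32_t addr;       /* faulting virtual address (eva) */
    int present, write, user;
    int null_offset;     /* 1 if addr looks like NULL + member offset */
};

/* kgdb prints i386 trap frame fields as signed ints; reinterpret them. */
static uint32_t as_u32(int32_t v) { return (uint32_t)v; }

static struct fault decode_fault(int32_t tf_eip, int32_t tf_err, uint32_t eva)
{
    struct fault f;
    uint32_t err = as_u32(tf_err);

    f.eip = as_u32(tf_eip);
    f.addr = eva;
    f.present = (err & PF_PRESENT) != 0;
    f.write = (err & PF_WRITE) != 0;
    f.user = (err & PF_USER) != 0;
    /* Not-present page at a tiny address: base pointer was NULL. */
    f.null_offset = !f.present && eva < NULL_GUARD;
    return f;
}

int main(void)
{
    /* tf_eip and tf_err from frame #5, eva from frame #4 of the backtrace. */
    struct fault f = decode_fault(-1066003983, 2, 172);

    printf("eip=0x%08x %s-mode %s to 0x%x, page %s, NULL+offset=%s\n",
           (unsigned)f.eip, f.user ? "user" : "kernel",
           f.write ? "write" : "read", (unsigned)f.addr,
           f.present ? "present" : "not present",
           f.null_offset ? "yes" : "no");
    return 0;
}
```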