Date: Mon, 21 Aug 2006 23:54:22 +0200
From: "Pawel Worach" <pawel.worach@gmail.com>
To: net@freebsd.org
Subject: Re: [panic] page fault in tcp_timer_2msl_tw
Message-ID: <d227e09e0608211454ofc4c5e7j1ff2aa63b2bcfa57@mail.gmail.com>
In-Reply-To: <4331F3A3.1060707@gmail.com>
References: <4330711A.4040808@gmail.com> <4331F3A3.1060707@gmail.com>

On 9/22/05, Pawel Worach <pawel.worach@gmail.com> wrote:
> Pawel Worach wrote:
>
> > (kgdb) print *tw
> > $1 = {tw_inpcb = 0x0, snd_nxt = 438603527, rcv_nxt = 3383864561,
> >   iss = 438603320, irs = 3383863898, cc_recv = 0, cc_send = 0,
> >   last_win = 65534, tw_so_options = 4, tw_cred = 0x0, t_recent = 0,
> >   t_starttime = 4294952294, tw_time = 0, tw_2msl = {le_next = 0xc24680a8,
> >     le_prev = 0xc06a827c}}
>
> I poked a bit more and it looks like the dereference happens here in
> tcp_timer_2msl_tw().
>
> tcp_timer.c:294        INP_LOCK(tw->tw_inpcb);
>
> INP_LOCK macro tries to reference tw->tw_inpcb->inp_mtx while
> tw->tw_inpcb is null. However I have no idea how it got to this point.
>

Bumped into this one again on 6.1, almost a year since the last time.
So far my conclusion is that it is hard to reproduce :)
Does anyone have an idea what might be going on?

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0xac
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc059291a
stack pointer           = 0x28:0xe3474bf4
frame pointer           = 0x28:0xe3474c20
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 15 (swi4: clock sio)
trap number             = 12
panic: page fault
cpuid = 2
KDB: stack backtrace:
kdb_backtrace(c068eecd,2,c06718cd,e3474af8,a) at kdb_backtrace+0x2e
panic(c06718cd,c068fa6f,c46c8394,1,1) at panic+0x139
trap_fatal(e3474bb4,ac,2,8,0) at trap_fatal+0x36e
trap_pfault(e3474bb4,0,ac,c0c471e0,ac) at trap_pfault+0x242
trap(8,28,c0c40028,0,4) at trap+0x350
calltrap() at calltrap+0x5
--- trap 0xc, eip = 0xc059291a, esp = 0xe3474bf4, ebp = 0xe3474c20 ---
tcp_timer_2msl_tw(0,c04f462a,c06ad420,c06ad880,16) at tcp_timer_2msl_tw+0x5a
tcp_slowtimo(e3474c5c,c46c9d80,4,e3474c5c,0) at tcp_slowtimo+0x6c
pfslowtimo(0,c4826300,c06a5320,ca76356b,c46c82b4) at pfslowtimo+0x39
softclock(0,e3474cd0,831264,61432328,c46c9d80) at softclock+0x366
ithread_execute_handlers(c46c820c,c4725c00,0,0,0) at ithread_execute_handlers+0x178
ithread_loop(c46af8c0,e3474d38,0,0,0) at ithread_loop+0x77
fork_exit(c04c2180,c46af8c0,e3474d38) at fork_exit+0x80
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xe3474d6c, ebp = 0 ---
Uptime: 99d10h5m26s
Dumping 1023 MB (2 chunks)
  chunk 0: 1MB (157 pages) ... ok
  chunk 1: 1023MB (261851 pages) 1007 991 975 959 943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:165
165     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc04dde2c in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
#2  0xc04de253 in panic (fmt=0xc06718cd "%s")
    at /usr/src/sys/kern/kern_shutdown.c:558
#3  0xc065481e in trap_fatal (frame=0xe3474bb4, eva=0)
    at /usr/src/sys/i386/i386/trap.c:836
#4  0xc0654482 in trap_pfault (frame=0xe3474bb4, usermode=0, eva=172)
    at /usr/src/sys/i386/i386/trap.c:744
#5  0xc0653ff0 in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = -1060896728, tf_edi = 0, tf_esi = 4,
       tf_ebp = -481866720, tf_isp = -481866784, tf_ebx = -966999536,
       tf_edx = -1060867608, tf_ecx = -999514752, tf_eax = 4, tf_trapno = 12,
       tf_err = 2, tf_eip = -1067898598, tf_cs = 32, tf_eflags = 66195,
       tf_esp = -966999536, tf_ss = 0})
    at /usr/src/sys/i386/i386/trap.c:434
#6  0xc063e18a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc059291a in tcp_timer_2msl_tw (reuse=0) at atomic.h:149
#8  0xc05922ac in tcp_slowtimo () at /usr/src/sys/netinet/tcp_timer.c:116
#9  0xc0522879 in pfslowtimo (arg=0x0) at /usr/src/sys/kern/uipc_domain.c:477
#10 0xc04edce6 in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:290
#11 0xc04c2088 in ithread_execute_handlers (p=0xc46c820c, ie=0xc4725c00)
    at /usr/src/sys/kern/kern_intr.c:684
#12 0xc04c21f7 in ithread_loop (arg=0xc46af8c0)
---Type <return> to continue, or q <return> to quit---
    at /usr/src/sys/kern/kern_intr.c:767
#13 0xc04c0840 in fork_exit (callout=0xc04c2180 <ithread_loop>, arg=0x4,
    frame=0x4) at /usr/src/sys/kern/kern_fork.c:805
#14 0xc063e1ec in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
(kgdb) f 7
#7  0xc059291a in tcp_timer_2msl_tw (reuse=0) at atomic.h:149
149     atomic.h: No such file or directory.
        in atomic.h
(kgdb) p *tw
$1 = {tw_inpcb = 0x0, snd_nxt = 842737231, rcv_nxt = 17758516,
  iss = 842735507, irs = 17758065, last_win = 65534, tw_so_options = 4,
  tw_cred = 0x0, t_recent = 0, t_starttime = 4294952294, tw_time = 0,
  tw_2msl = {le_next = 0xc65ccd50, le_prev = 0xc06cf294}}
(kgdb)

--
Pawel
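
Why a NULL tw_inpcb faults at a small non-zero address such as 0xac rather than at 0, as an added example that is not part of the original message or of FreeBSD's source. The mock_* structures and their padding are constructed so the lock word sits at offset 0xac; the real struct inpcb layout is not shown on this page and is not assumed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, NOT FreeBSD's real structure layouts: the padding
 * is chosen so the lock word lands at 0xac, the fault address in the panic. */
struct mock_mtx {
    uint32_t mtx_object[3];       /* placeholder for the lock header */
    volatile uint32_t mtx_lock;   /* word an atomic lock operation writes */
};
struct mock_inpcb {
    uint8_t pad[0xa0];            /* placeholder for preceding members */
    struct mock_mtx inp_mtx;
};

#define LOCK_WORD_OFF \
    (offsetof(struct mock_inpcb, inp_mtx) + offsetof(struct mock_mtx, mtx_lock))

/* Address a lock acquire would write for a given inpcb pointer value,
 * computed arithmetically so nothing is dereferenced. */
static uintptr_t lock_word_addr(uintptr_t inpcb)
{
    return inpcb + LOCK_WORD_OFF;
}

/* Triage heuristic: a fault address smaller than the structure size is
 * consistent with member access through a NULL base pointer. */
static int consistent_with_null_base(uintptr_t eva)
{
    return eva < sizeof(struct mock_inpcb);
}

int main(void)
{
    uintptr_t eva = 0xac;             /* "fault virtual address" from the trap */
    uintptr_t le_next = 0xc65ccd50u;  /* a valid kernel pointer from the dump */

    printf("NULL inpcb -> lock word at %#lx\n",
        (unsigned long)lock_word_addr(0));
    printf("eva %#lx null-base? %d\n", (unsigned long)eva,
        consistent_with_null_base(eva));
    printf("eva %#lx null-base? %d\n", (unsigned long)le_next,
        consistent_with_null_base(le_next));
    return 0;
}
```
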