Date: Thu, 2 Aug 2007 23:39:48 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: ytriffy <ytriffy@gmail.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: [panic]Fatal trap 12: page fault while in kernel mode
Message-ID: <20070802233804.G18327@fledge.watson.org>
In-Reply-To: <46AF826E.8000209@gmail.com>
References: <46AF826E.8000209@gmail.com>

On Tue, 31 Jul 2007, ytriffy wrote:

> Trap 12 occurred when I rebooted PC. Sending you backtrace. My system: amd64
> 3200+ Venice, MB ECS nForce4 A939, Samsung 250GB and WD 250 GB, 2 memory
> banks 512MB each, videocard: Geforce 6600gt 128MB, NIC on realtek chip,
> sound card cirrus logic cs4281. It's very unstable, crashes happen every
> day, so I'm hoping you would say why (any hints what hardware may cause it).
> How to repeat it? I don't know. It happened once during reboot process.

In general, you want to report this sort of bug using the send-pr interface,
or the gnats web submission form. In the past, I've seen quite a few bug
reports sent to hackers@ get lost because many FreeBSD developers don't
subscribe to the list. You could also consider sending it to stable@, since
that's the mailing list for discussing 6-STABLE development.

FYI, this looks like a NULL-pointer dereference in the VFS shutdown code.

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> [root@freelanc /var]# uname -a
> FreeBSD freelanc.dubki.ru <http://freelanc.dubki.ru> 6.2-STABLE-200706
> FreeBSD 6.2-STABLE-200706
> #1: Mon Jul 23 13:34:27 MSD 2007
> root@freelanc.dubki.ru:/usr/obj/usr/src/sys/DEBUGGER
> KERN i386
>
> [root@freelanc /usr/obj/usr/src/sys/DEBUGGERKERN]# kgdb kernel.debug
> /var/crash/vmcore.3
> kgdb: kvm_nlist(_stopped_cpus):
> kgdb: kvm_nlist(_stoppcbs):
> [GDB will not be able to debug user-mode threads:
> /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-marcel-freebsd".
>
> Unread portion of the kernel message buffer:
> <118>Jul 25 14:06:32 freelanc syslogd: exiting on signal 15
> Waiting (max 60 seconds) for system process `vnlru' to stop...done
> Waiting (max 60 seconds) for system process `syncer' to stop...
> Syncing disks, vnodes remaining...6 5 3 1 0 0 done
> Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
> All buffers synced.
>
>
> Fatal trap 12: page fault while in kernel mode
> fault virtual address = 0x4
> fault code = supervisor read, page not present
> instruction pointer = 0x20:0xc058a4e0
> stack pointer = 0x28:0xe9455c48
> frame pointer = 0x28:0xe9455c58
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 44922 (reboot)
> panic: from debugger
> Uptime: 2h45m36s
> Dumping 1022 MB (2 chunks)
> chunk 0: 1MB (159 pages) ... ok
> chunk 1: 1022MB (261600 pages) 1006 990 974 958 942 926 910 894 878 862
> 846 830 814 798 782 766 750 734 718 702 686 670 654 638 622 606 590 574
> 558 542 526 510 494 478 462 446 430 414 398 382 366 350 334 318 302 286
> 270 254 238 222 206 190 174 158 142 126 110 94 78 62 46 30 14
>
> #0 doadump () at pcpu.h:165
> 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
> (kgdb) bt
> #0 doadump () at pcpu.h:165
> #1 0xc053d916 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
> #2 0xc053dbdc in panic (fmt=0xc06f5278 "from debugger")
> at /usr/src/sys/kern/kern_shutdown.c:565
> #3 0xc045361d in db_panic (addr=-1067932448, have_addr=0, count=-1,
> modif=0xe9455a74 "") at /usr/src/sys/ddb/db_command.c:438
> #4 0xc04535b4 in db_command (last_cmdp=0xc0766784, cmd_table=0x0,
> aux_cmd_tablep=0xc0728e90, aux_cmd_tablep_end=0xc0728e94)
> at /usr/src/sys/ddb/db_command.c:350
> #5 0xc045367c in db_command_loop () at /usr/src/sys/ddb/db_command.c:458
> #6 0xc0455291 in db_trap (type=12, code=0) at
> /usr/src/sys/ddb/db_main.c:222
> #7 0xc0556a2b in kdb_trap (type=12, code=0, tf=0xe9455c08)
> at /usr/src/sys/kern/subr_kdb.c:473
> #8 0xc06cba6c in trap_fatal (frame=0xe9455c08, eva=4)
> at /usr/src/sys/i386/i386/trap.c:828
> #9 0xc06cb7d7 in trap_pfault (frame=0xe9455c08, usermode=0, eva=4)
> at /usr/src/sys/i386/i386/trap.c:745
> #10 0xc06cb3f1 in trap (frame=
> {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -381330360, tf_esi =
> -993547624, tf_ebp = -381330344, tf_isp = -381330380, tf_ebx = 0, tf_edx
> = -992513384, tf_ecx = 4, tf_eax = -950651024, tf_trapno = 12, tf_err =
> 0, tf_eip = -1067932448, tf_cs = 32, tf_eflags = 590338, tf_esp = 0,
> tf_ss = -992305712})
> at /usr/src/sys/i386/i386/trap.c:435
> #11 0xc06b8b1a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> #12 0xc058a4e0 in cache_purgevfs (mp=0xc4d77298)
> at /usr/src/sys/kern/vfs_cache.c:622
> #13 0xc0591f29 in dounmount (mp=0xc4d77298, flags=524288, td=0xc62ce300)
> at /usr/src/sys/kern/vfs_mount.c:1214
> #14 0xc0597d0a in vfs_unmountall () at /usr/src/sys/kern/vfs_subr.c:2837
> #15 0xc053d807 in boot (howto=0) at /usr/src/sys/kern/kern_shutdown.c:391
> #16 0xc053d2a2 in reboot (td=0xc62ce300, uap=0xc7563770)
> at /usr/src/sys/kern/kern_shutdown.c:169
> #17 0xc06cbdbb in syscall (frame=
> {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 2, tf_esi = 18, tf_ebp =
> -1077941304, tf_isp = -381330076, tf_ebx = 0, tf_edx = -1, tf_ecx =
> 672491264, tf_eax = 55, tf_trapno = 12, tf_err = 2, tf_eip = 671802263,
> tf_cs = 51, tf_eflags = 662, tf_esp = -1077941380, tf_ss = 59}) at
> /usr/src/sys/i386/i386/trap.c:983
> #18 0xc06b8b6f in Xint0x80_syscall () at
> /usr/src/sys/i386/i386/exception.s:200
> #19 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> (kgdb) up 19
> #19 0x00000033 in ?? ()
> (kgdb) down 1
> #18 0xc06b8b6f in Xint0x80_syscall () at
> /usr/src/sys/i386/i386/exception.s:200
> 200 call syscall
> Current language: auto; currently asm
> (kgdb) down 1
> #17 0xc06cbdbb in syscall (frame=
> {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 2, tf_esi = 18, tf_ebp =
> -1077941304, tf_isp = -381330076, tf_ebx = 0, tf_edx = -1, tf_ecx =
> 672491264, tf_eax = 55, tf_trapno = 12, tf_err = 2, tf_eip = 671802263,
> tf_cs = 51, tf_eflags = 662, tf_esp = -1077941380, tf_ss = 59}) at
> /usr/src/sys/i386/i386/trap.c:983
> 983 error = (*callp->sy_call)(td, args);
> Current language: auto; currently c
> (kgdb) p *callp
> $1 = {sy_narg = 65537, sy_call = 0xc053d258 <reboot>, sy_auevent = 20}
> (kgdb) p *callp->sy_call
> $2 = {int (struct thread *, void *)} 0xc053d258 <reboot>
> (kgdb) p td
> $3 = (struct thread *) 0xc62ce300
> (kgdb) p args
> $4 = {0, 9, -994250272, -1077941388, 0, 0, 3, 0}
> (kgdb) down 1
> #16 0xc053d2a2 in reboot (td=0xc62ce300, uap=0xc7563770)
> at /usr/src/sys/kern/kern_shutdown.c:169
> 169 boot(uap->opt);
> (kgdb) p uap
> $5 = (struct reboot_args *) 0xc7563770
> (kgdb) p uap->opt
> $6 = 2
> (kgdb) down 1
> #15 0xc053d807 in boot (howto=0) at /usr/src/sys/kern/kern_shutdown.c:391
> 391 vfs_unmountall();
> (kgdb) down 1
> #14 0xc0597d0a in vfs_unmountall () at /usr/src/sys/kern/vfs_subr.c:2837
> 2837 error = dounmount(mp, MNT_FORCE, td);
> (kgdb) p mp
> $7 = (struct mount *) 0xc4d77298
> (kgdb) p td
> $8 = (struct thread *) 0xc62ce300
> (kgdb) down 1
> #13 0xc0591f29 in dounmount (mp=0xc4d77298, flags=524288, td=0xc62ce300)
> at /usr/src/sys/kern/vfs_mount.c:1214
> 1214 cache_purgevfs(mp); /* remove cache entries for this file sys */
> (kgdb) down 1
> #12 0xc058a4e0 in cache_purgevfs (mp=0xc4d77298)
> at /usr/src/sys/kern/vfs_cache.c:622
> 622 for (ncp = LIST_FIRST(ncpp); ncp != 0; ncp = nnp) {
> (kgdb) p ncp
> $9 = (struct namecache *) 0x4
> (kgdb) p ncpp
> $10 = (struct nchashhead *) 0xc4c7aa98
> (kgdb) down 1
> #11 0xc06b8b1a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> 139 call trap
> Current language: auto; currently asm
> (kgdb) down 1
> #10 0xc06cb3f1 in trap (frame=
> {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -381330360, tf_esi =
> -993547624, tf_ebp = -381330344, tf_isp = -381330380, tf_ebx = 0, tf_edx
> = -992513384, tf_ecx = 4, tf_eax = -950651024, tf_trapno = 12, tf_err =
> 0, tf_eip = -1067932448, tf_cs = 32, tf_eflags = 590338, tf_esp = 0,
> tf_ss = -992305712})
> at /usr/src/sys/i386/i386/trap.c:435
> 435 (void) trap_pfault(&frame, FALSE, eva);
> Current language: auto; currently c
> (kgdb) p frame
> $11 = {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -381330360,
> tf_esi = -993547624, tf_ebp = -381330344, tf_isp = -381330380, tf_ebx = 0,
> tf_edx = -992513384, tf_ecx = 4, tf_eax = -950651024, tf_trapno = 12,
> tf_err = 0, tf_eip = -1067932448, tf_cs = 32, tf_eflags = 590338,
> tf_esp = 0, tf_ss = -992305712}
> (kgdb) p eva
> $12 = 4
> (kgdb) down 1
> #9 0xc06cb7d7 in trap_pfault (frame=0xe9455c08, usermode=0, eva=4)
> at /usr/src/sys/i386/i386/trap.c:745
> 745 trap_fatal(frame, eva);
> (kgdb) down 1
> #8 0xc06cba6c in trap_fatal (frame=0xe9455c08, eva=4)
> at /usr/src/sys/i386/i386/trap.c:828
> 828 if (kdb_trap(type, 0, frame)) {
> (kgdb) p type
> $13 = 12
> (kgdb) down 1
> #7 0xc0556a2b in kdb_trap (type=12, code=0, tf=0xe9455c08)
> at /usr/src/sys/kern/subr_kdb.c:473
> 473 handled = kdb_dbbe->dbbe_trap(type, code);
> (kgdb) p kdb_dbbe
> $14 = (struct kdb_dbbe *) 0xc072f0e0
> (kgdb) p kdb_dbbe->dbbe_trap
> $15 = (dbbe_trap_f *) 0xc04551ac <db_trap>
> (kgdb) p type
> $16 = 12
> (kgdb) p code
> $17 = 0
> (kgdb) down 1
> #6 0xc0455291 in db_trap (type=12, code=0) at
> /usr/src/sys/ddb/db_main.c:222
> 222 db_command_loop();
> (kgdb) down 1
> #5 0xc045367c in db_command_loop () at /usr/src/sys/ddb/db_command.c:458
> 458 db_command(&db_last_command, db_command_table,
> (kgdb) p &db_last_command
> $18 = (struct command **) 0xc0766784
> (kgdb) p db_command_table
> $19 = {{name = 0xc0726d8d "print", fcn = 0xc0453e44 <db_print_cmd>, flag
> = 0,
> more = 0x0}, {name = 0xc0707446 "p", fcn = 0xc0453e44 <db_print_cmd>,
> flag = 0, more = 0x0}, {name = 0xc06f521d "examine",
> fcn = 0xc0453b74 <db_examine_cmd>, flag = 256, more = 0x0}, {
> name = 0xc06f3248 "x", fcn = 0xc0453b74 <db_examine_cmd>, flag = 256,
> more = 0x0}, {name = 0xc06f5225 "search",
> fcn = 0xc0453f44 <db_search_cmd>, flag = 257, more = 0x0}, {
> name = 0xc06fc7c7 "set", fcn = 0xc0456d98 <db_set_cmd>, flag = 1,
> more = 0x0}, {name = 0xc071c1dc "write", fcn = 0xc045714c <db_write_cmd>,
> flag = 258, more = 0x0}, {name = 0xc070470c "w",
> fcn = 0xc045714c <db_write_cmd>, flag = 258, more = 0x0}, {
> name = 0xc0711df9 "delete", fcn = 0xc045312c <db_delete_cmd>, flag = 0,
> more = 0x0}, {name = 0xc06f3296 "d", fcn = 0xc045312c <db_delete_cmd>,
> flag = 0, more = 0x0}, {name = 0xc06f522c "break",
> fcn = 0xc0453144 <db_breakpoint_cmd>, flag = 0, more = 0x0}, {
> name = 0xc06f5232 "dwatch", fcn = 0xc0457014 <db_deletewatch_cmd>,
> flag = 0, more = 0x0}, {name = 0xc06f5233 "watch",
> fcn = 0xc045702c <db_watchpoint_cmd>, flag = 2, more = 0x0}, {
> name = 0xc06f5239 "dhwatch", fcn = 0xc04570e4 <db_deletehwatch_cmd>,
> flag = 0, more = 0x0}, {name = 0xc06f523a "hwatch",
> fcn = 0xc0457118 <db_hwatchpoint_cmd>, flag = 0, more = 0x0}, {
> name = 0xc0721ca0 "step", fcn = 0xc0456438 <db_single_step_cmd>, flag = 0,
> more = 0x0}, {name = 0xc06f55e4 "s",
> fcn = 0xc0456438 <db_single_step_cmd>, flag = 0, more = 0x0}, {
> name = 0xc06f5241 "continue", fcn = 0xc045653c <db_continue_cmd>,
> flag = 0, more = 0x0}, {name = 0xc0713305 "c",
> fcn = 0xc045653c <db_continue_cmd>, flag = 0, more = 0x0}, {
> name = 0xc06f524a "until", fcn = 0xc04564a0 <db_trace_until_call_cmd>,
> flag = 0, more = 0x0}, {name = 0xc06f5250 "next",
> fcn = 0xc04564e8 <db_trace_until_matching_cmd>, flag = 0, more = 0x0}, {
> name = 0xc070d7da "match", fcn = 0xc04564e8 <db_trace_until_matching_cmd>,
> flag = 0, more = 0x0}, {name = 0xc070882b "trace",
> fcn = 0xc0453a4c <db_stack_trace>, flag = 1, more = 0x0}, {
> name = 0xc06f5255 "alltrace", fcn = 0xc0453b20 <db_stack_trace_all>,
> flag = 0, more = 0x0}, {name = 0xc07249cf "where",
> fcn = 0xc0453a4c <db_stack_trace>, flag = 1, more = 0x0}, {
> name = 0xc06f525e "bt", fcn = 0xc0453a4c <db_stack_trace>, flag = 1,
> more = 0x0}, {name = 0xc071aa99 "call", fcn = 0xc04536b0 <db_fncall>,
> flag = 1, more = 0x0}, {name = 0xc06f5261 "show", fcn = 0, flag = 0,
> more = 0xc072edc0}, {name = 0xc07126a2 "ps", fcn = 0xc0455784 <db_ps>,
> flag = 0, more = 0x0}, {name = 0xc06f5266 "gdb",
> fcn = 0xc0453a18 <db_gdb>, flag = 0, more = 0x0}, {
> name = 0xc06fc600 "reset", fcn = 0xc0453920 <db_reset>, flag = 0,
> more = 0x0}, {name = 0xc06f526a "kill", fcn = 0xc04537d8 <db_kill>,
> flag = 1, more = 0x0}, {name = 0xc06f526f "watchdog",
> fcn = 0xc045392c <db_watchdog>, flag = 0, more = 0x0}, {
> name = 0xc070887d "thread", fcn = 0xc0456a10 <db_set_thread>, flag = 1,
> more = 0x0}, {name = 0x0, fcn = 0, flag = 0, more = 0x0}}
> (kgdb) down 1
> #4 0xc04535b4 in db_command (last_cmdp=0xc0766784, cmd_table=0x0,
> aux_cmd_tablep=0xc0728e90, aux_cmd_tablep_end=0xc0728e94)
> at /usr/src/sys/ddb/db_command.c:350
> 350 (*cmd->fcn)(addr, have_addr, count, modif);
> (kgdb) p addr
> $20 = -1067932448
> (kgdb) p have_addr
> $21 = 0
> (kgdb) p count
> $22 = -1
> (kgdb) p modif
> $23 =
> "\000ZEDj\214ZE\220ZE\211\a\000\000ZE\"LJ\000\000\000\000\000¤\2005y\r\000\000\000\2005y\r\000\000\000\001\000\000\000»ZE\213j»ZEj\000@@\036wx\000\000\000\200pv\f\000\000\000ZE<VE§p,SE\f\000\000\000\200pvJE"
>
> (kgdb) down 1
> #3 0xc045361d in db_panic (addr=-1067932448, have_addr=0, count=-1,
> modif=0xe9455a74 "") at /usr/src/sys/ddb/db_command.c:438
> 438 panic("from debugger");
> (kgdb) down 1
> #2 0xc053dbdc in panic (fmt=0xc06f5278 "from debugger")
> at /usr/src/sys/kern/kern_shutdown.c:565
> 565 boot(bootopt);
> (kgdb) p bootopt
> $24 = 260
> (kgdb) down 1
> #1 0xc053d916 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
> 409 doadump();
> (kgdb) down 1
> #0 doadump () at pcpu.h:165
> 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
> (kgdb)
>
> Some other info required - feel free to email me:)
> Best regards, Slava.
>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070802233804.G18327>
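
Added example, not part of the original message or of FreeBSD's tooling: a triage helper for a trap block and kgdb backtrace of the kind quoted above. It matches the trap's instruction pointer to a backtrace frame and flags a fault address inside the first page, the pattern behind the NULL-pointer reading. The function names and the 4096-byte limit are assumptions of this example; the sample text is excerpted from the quoted session.

```python
import re

# Excerpt of the trap block and backtrace from the kgdb session quoted above.
SAMPLE = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x4
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc058a4e0
current process = 44922 (reboot)
#11 0xc06b8b1a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#12 0xc058a4e0 in cache_purgevfs (mp=0xc4d77298)
 at /usr/src/sys/kern/vfs_cache.c:622
#13 0xc0591f29 in dounmount (mp=0xc4d77298, flags=524288, td=0xc62ce300)
 at /usr/src/sys/kern/vfs_mount.c:1214
"""
NEAR_NULL_LIMIT = 4096  # assumption: a fault inside the first page is "near NULL"
FIELD = re.compile(r"^(fault virtual address|fault code|instruction pointer|"
                   r"current process)\s*=\s*(.+?)\s*$", re.M)
# Frame header, argument list without nested parentheses, then "at file:line".
FRAME = re.compile(r"^#(\d+)\s+(0x[0-9a-f]+) in (\w+) \([^()]*\)\s*at\s+(\S+):(\d+)",
                   re.M)

def parse_trap(text):
    """Return the trap fields plus numeric fault address and instruction pointer."""
    info = dict(FIELD.findall(text))
    info["fault_va"] = int(info["fault virtual address"], 16)
    # "0x20:0xc058a4e0" is selector:offset; the offset is the faulting pc.
    info["pc"] = int(info["instruction pointer"].split(":")[1], 16)
    return info

def parse_frames(text):
    """Return backtrace frames that carry an address and a source location."""
    return [{"n": int(n), "pc": int(pc, 16), "func": fn, "file": path, "line": int(ln)}
            for n, pc, fn, path, ln in FRAME.findall(text)]

def triage(text):
    """Match the trap's pc to a frame and flag a near-NULL fault address."""
    info, frames = parse_trap(text), parse_frames(text)
    faulting = next((f for f in frames if f["pc"] == info["pc"]), None)
    caller = next((f for f in frames if faulting and f["n"] == faulting["n"] + 1), None)
    return {"near_null": info["fault_va"] < NEAR_NULL_LIMIT, "access": info["fault code"],
            "process": info["current process"], "faulting": faulting, "caller": caller}

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"near-NULL fault: {r['near_null']} ({r['access']}) in {r['process']}")
    print(f"faulting: {r['faulting']['func']}, called from {r['caller']['func']}")
```
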
