Date: Mon, 21 Aug 2006 15:01:35 -0700 (PDT)
From: Mohan Srinivasan <mohan_srinivasan@yahoo.com>
To: Pawel Worach <pawel.worach@gmail.com>, net@freebsd.org
Subject: Re: [panic] page fault in tcp_timer_2msl_tw
Message-ID: <20060821220135.82739.qmail@web30807.mail.mud.yahoo.com>
In-Reply-To: <d227e09e0608211454ofc4c5e7j1ff2aa63b2bcfa57@mail.gmail.com>

I checked in a fix for this into -current a few days ago. Haven't MFC'ed it to releng 6.

mohan

--- Pawel Worach <pawel.worach@gmail.com> wrote:

> On 9/22/05, Pawel Worach <pawel.worach@gmail.com> wrote:
> > Pawel Worach wrote:
> >
> > > (kgdb) print *tw
> > > $1 = {tw_inpcb = 0x0, snd_nxt = 438603527, rcv_nxt = 3383864561,
> > >   iss = 438603320, irs = 3383863898, cc_recv = 0, cc_send = 0,
> > >   last_win = 65534, tw_so_options = 4, tw_cred = 0x0, t_recent = 0,
> > >   t_starttime = 4294952294, tw_time = 0, tw_2msl = {le_next = 0xc24680a8,
> > >     le_prev = 0xc06a827c}}
> >
> > I poked a bit more and it looks like the dereference happens here in
> > tcp_timer_2msl_tw().
> >
> > tcp_timer.c:294 INP_LOCK(tw->tw_inpcb);
> >
> > INP_LOCK macro tries to reference tw->tw_inpcb->inp_mtx while
> > tw->tw_inpcb is null. However I have no idea how it got to this point.
> >
>
> Bumped into this one again on 6.1, almost a year ago since last time.
> So far my conclusion is that it is hard to reproduce :) Anyone has an
> idea what might be going on ?
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address = 0xac
> fault code = supervisor write, page not present
> instruction pointer = 0x20:0xc059291a
> stack pointer = 0x28:0xe3474bf4
> frame pointer = 0x28:0xe3474c20
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 15 (swi4: clock sio)
> trap number = 12
> panic: page fault
> cpuid = 2
> KDB: stack backtrace:
> kdb_backtrace(c068eecd,2,c06718cd,e3474af8,a) at kdb_backtrace+0x2e
> panic(c06718cd,c068fa6f,c46c8394,1,1) at panic+0x139
> trap_fatal(e3474bb4,ac,2,8,0) at trap_fatal+0x36e
> trap_pfault(e3474bb4,0,ac,c0c471e0,ac) at trap_pfault+0x242
> trap(8,28,c0c40028,0,4) at trap+0x350
> calltrap() at calltrap+0x5
> --- trap 0xc, eip = 0xc059291a, esp = 0xe3474bf4, ebp = 0xe3474c20 ---
> tcp_timer_2msl_tw(0,c04f462a,c06ad420,c06ad880,16) at tcp_timer_2msl_tw+0x5a
> tcp_slowtimo(e3474c5c,c46c9d80,4,e3474c5c,0) at tcp_slowtimo+0x6c
> pfslowtimo(0,c4826300,c06a5320,ca76356b,c46c82b4) at pfslowtimo+0x39
> softclock(0,e3474cd0,831264,61432328,c46c9d80) at softclock+0x366
> ithread_execute_handlers(c46c820c,c4725c00,0,0,0) at
> ithread_execute_handlers+0x178
> ithread_loop(c46af8c0,e3474d38,0,0,0) at ithread_loop+0x77
> fork_exit(c04c2180,c46af8c0,e3474d38) at fork_exit+0x80
> fork_trampoline() at fork_trampoline+0x8
> --- trap 0x1, eip = 0, esp = 0xe3474d6c, ebp = 0 ---
> Uptime: 99d10h5m26s
> Dumping 1023 MB (2 chunks)
>   chunk 0: 1MB (157 pages) ... ok
>   chunk 1: 1023MB (261851 pages) 1007 991 975 959 943 927 911 895 879
> 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607
> 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335
> 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31
> 15
>
> #0 doadump () at pcpu.h:165
> 165 pcpu.h: No such file or directory.
> in pcpu.h
> (kgdb) bt
> #0 doadump () at pcpu.h:165
> #1 0xc04dde2c in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
> #2 0xc04de253 in panic (fmt=0xc06718cd "%s")
>     at /usr/src/sys/kern/kern_shutdown.c:558
> #3 0xc065481e in trap_fatal (frame=0xe3474bb4, eva=0)
>     at /usr/src/sys/i386/i386/trap.c:836
> #4 0xc0654482 in trap_pfault (frame=0xe3474bb4, usermode=0, eva=172)
>     at /usr/src/sys/i386/i386/trap.c:744
> #5 0xc0653ff0 in trap (frame=
>       {tf_fs = 8, tf_es = 40, tf_ds = -1060896728, tf_edi = 0, tf_esi
> = 4, tf_ebp = -481866720, tf_isp = -481866784, tf_ebx = -966999536,
> tf_edx = -1060867608, tf_ecx = -999514752, tf_eax = 4, tf_trapno = 12,
> tf_err = 2, tf_eip = -1067898598, tf_cs = 32, tf_eflags = 66195,
> tf_esp = -966999536, tf_ss = 0})
>     at /usr/src/sys/i386/i386/trap.c:434
> #6 0xc063e18a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> #7 0xc059291a in tcp_timer_2msl_tw (reuse=0) at atomic.h:149
> #8 0xc05922ac in tcp_slowtimo () at /usr/src/sys/netinet/tcp_timer.c:116
> #9 0xc0522879 in pfslowtimo (arg=0x0) at /usr/src/sys/kern/uipc_domain.c:477
> #10 0xc04edce6 in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:290
> #11 0xc04c2088 in ithread_execute_handlers (p=0xc46c820c, ie=0xc4725c00)
>     at /usr/src/sys/kern/kern_intr.c:684
> #12 0xc04c21f7 in ithread_loop (arg=0xc46af8c0)
> ---Type <return> to continue, or q <return> to quit---
>     at /usr/src/sys/kern/kern_intr.c:767
> #13 0xc04c0840 in fork_exit (callout=0xc04c2180 <ithread_loop>, arg=0x4,
>     frame=0x4) at /usr/src/sys/kern/kern_fork.c:805
> #14 0xc063e1ec in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
> (kgdb) f 7
> #7 0xc059291a in tcp_timer_2msl_tw (reuse=0) at atomic.h:149
> 149 atomic.h: No such file or directory.
> in atomic.h
> (kgdb) p *tw
> $1 = {tw_inpcb = 0x0, snd_nxt = 842737231, rcv_nxt = 17758516,
>   iss = 842735507, irs = 17758065, last_win = 65534, tw_so_options = 4,
>   tw_cred = 0x0, t_recent = 0, t_starttime = 4294952294, tw_time = 0,
>   tw_2msl = {le_next = 0xc65ccd50, le_prev = 0xc06cf294}}
> (kgdb)
>
> --
> Pawel
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
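
A triage sketch for reports like the one quoted above, added here as an example and not part of the original thread or of FreeBSD. It parses the trap text and flags a fault address inside the first page as a NULL base pointer plus a member offset, which is consistent with `tw_inpcb = 0x0` and the fault at `0xac` (`eva=172` in frame #4). The function name `triage`, the 4096-byte page size and the trimmed `PANIC` sample are assumptions of the example.

```python
import re

# Lines copied from the quoted panic report, with quote markers removed.
PANIC = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0xac
fault code = supervisor write, page not present
instruction pointer = 0x20:0xc059291a
calltrap() at calltrap+0x5
--- trap 0xc, eip = 0xc059291a, esp = 0xe3474bf4, ebp = 0xe3474c20 ---
tcp_timer_2msl_tw(0,c04f462a,c06ad420,c06ad880,16) at tcp_timer_2msl_tw+0x5a
tcp_slowtimo(e3474c5c,c46c9d80,4,e3474c5c,0) at tcp_slowtimo+0x6c
--- trap 0x1, eip = 0, esp = 0xe3474d6c, ebp = 0 ---
"""

PAGE_SIZE = 4096  # assumption: i386 page size, with page 0 left unmapped


def triage(report):
    """Summarise a FreeBSD 'Fatal trap 12' page-fault report."""
    def field(name):
        m = re.search(r"^%s\s*=\s*(.+)$" % name, report, re.M)
        return m.group(1).strip() if m else None

    addr_text = field("fault virtual address")
    if addr_text is None:
        raise ValueError("not a page-fault report")
    addr = int(addr_text, 16)
    code = field("fault code") or ""

    # The line right after the first '--- trap' marker is the faulting frame.
    frame = re.search(
        r"^--- trap [^\n]*---[ \t]*\n[^\n]*\) at (\w+)\+(0x[0-9a-f]+)",
        report, re.M)

    # An address below one page cannot be a valid object: it is what
    # ((struct x *)NULL)->member evaluates to, so it equals the member offset.
    near_null = addr < PAGE_SIZE
    return {
        "fault_addr": addr,
        "kernel_mode": code.startswith("supervisor"),
        "access": "write" if "write" in code else "read",
        "near_null": near_null,
        "member_offset": addr if near_null else None,
        "function": frame.group(1) if frame else None,
        "pc_offset": int(frame.group(2), 16) if frame else None,
    }


if __name__ == "__main__":
    for key, value in triage(PANIC).items():
        print(key, "=", value)
```
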