From owner-freebsd-hackers Wed Mar 22 21:15:34 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 7E21737B653 for ; Wed, 22 Mar 2000 21:15:30 -0800 (PST) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id VAA96507; Wed, 22 Mar 2000 21:15:27 -0800 (PST) (envelope-from dillon)
Date: Wed, 22 Mar 2000 21:15:27 -0800 (PST)
From: Matthew Dillon
Message-Id: <200003230515.VAA96507@apollo.backplane.com>
To: Jim Mercer
Cc: hackers@FreeBSD.ORG
Subject: Re: possible bug in kernel/if_ether.c
References: <20000322225639.T983@reptiles.org>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

:SMP 2 cpus
:IdlePTD 3100672
:initial pcb at 281960
:panicstr: page fault
:panic messages:
:---
:Fatal trap 12: page fault while in kernel mode
:mp_lock = 00000002; cpuid = 0; lapic.id = 00000000
:fault virtual address = 0x8
:fault code = supervisor read, page not present
:instruction pointer = 0x8:0xc01997c8
:stack pointer = 0x10:0xff806fa4
:frame pointer = 0x10:0xff806fac
:code segment = base 0x0, limit 0xfffff, type 0x1b
: = DPL 0, pres 1, def32 1, gran 1
:processor eflags = interrupt enabled, resume, IOPL = 0
:current process = Idle
:interrupt mask = <- SMP: XXX
:trap number = 12
:panic: page fault
:mp_lock = 00000002; cpuid = 0; lapic.id = 00000000
:boot() called on cpu#0
:
:syncing disks... 11 11
:...
:#0 boot (howto=256) at ../../kern/kern_shutdown.c:304
:304 dumppcb.pcb_cr3 = rcr3();
:(kgdb) bt
:#0 boot (howto=256) at ../../kern/kern_shutdown.c:304
:#1 0xc01549fc in poweroff_wait (junk=0xc0259c2f, howto=0)
: at ../../kern/kern_shutdown.c:554
:#2 0xc022983b in trap_fatal (frame=0xff806f64, eva=8)
: at ../../i386/i386/trap.c:924
:#3 0xc02294d1 in trap_pfault (frame=0xff806f64, usermode=0, eva=8)
: at ../../i386/i386/trap.c:817
:#4 0xc02290a3 in trap (frame={tf_fs = 1107296280, tf_es = 16,
: tf_ds = -1056178160, tf_edi = -1, tf_esi = 0, tf_ebp = -8360020,
: tf_isp = -8360048, tf_ebx = 0, tf_edx = -1071016096, tf_ecx = 1,
: tf_eax = -1056143360, tf_trapno = 12, tf_err = 0, tf_eip = -1072064568,
: tf_cs = 8, tf_eflags = 66118, tf_esp = 0, tf_ss = 0})
: at ../../i386/i386/trap.c:423
:#5 0xc01997c8 in arpintr () at ../../netinet/if_ether.c:447
:
:
:--2oS5YaxWCcQjTEyO
:Content-Type: text/plain; charset=us-ascii
:Content-Description: kgdb crash1
:Content-Disposition: attachment; filename=snuffy2
:
:
:SMP 2 cpus

Very, very weird. Can you disassemble the 'arpintr' function from your kernel binary?

    gdb -k /kernel        (or kernel.debug if you have it)
    disassemble arpintr

:Fatal trap 12: page fault while in kernel mode
:mp_lock = 01000002; cpuid = 1; lapic.id = 01000000
:fault virtual address = 0x8
:fault code = supervisor read, page not present
:instruction pointer = 0x8:0xc01997c8
:stack pointer = 0x10:0xff80dfa4

I can't pinpoint the fault point since my kernel is compiled up differently, but I suspect it's at the line I've indicated below. Unfortunately, it makes no sense whatsoever because %ebx would have to be NULL and that case is already checked. I suspect the actual fault address is somewhere else; if you do the disassembly it should help.
    splx(s);
    if (m == 0 || (m->m_flags & M_PKTHDR) == 0)
        panic("arpintr");
    if (m->m_len < sizeof(struct arphdr) &&
        (m = m_pullup(m, sizeof(struct arphdr)) == NULL)) {
        log(LOG_ERR, "arp: runt packet -- m_pullup failed.");
        continue;

0xc01aa6b5 :    testl %ebx,%ebx
0xc01aa6b7 :    je 0xc01aa6bf
0xc01aa6b9 :    testb $0x2,0x12(%ebx)
0xc01aa6bd :    jne 0xc01aa6cc
0xc01aa6bf :    pushl $0xc0281c0e
0xc01aa6c4 :    call 0xc015f700
0xc01aa6c9 :    leal 0x0(%esi),%esi
0xc01aa6cc :    cmpl $0x7,0xc(%ebx)
0xc01aa6d0 :    jbe 0xc01aa71c
0xc01aa6d2 :    movl 0x8(%ebx),%ecx      <----
0xc01aa6d5 :    testl %ecx,%ecx          ????
0xc01aa6d7 :    je 0xc01aa71c
0xc01aa6d9 :    movzwl (%ecx),%eax

                    -Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
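Added example (editor's own, not code from the message above and not FreeBSD code): the `m_pullup()` condition Matt quotes contains a C precedence pitfall. Since `==` binds more tightly than `=`, `(m = m_pullup(m, sizeof(struct arphdr)) == NULL)` parses as `m = (m_pullup(...) == NULL)`, so after a successful pullup `m` holds `(struct mbuf *)0` rather than the mbuf, and the next `m->m_data` read goes through a null pointer at a small offset. The user-space model below uses a constructed `struct mbuf`, a stand-in `m_pullup()` and constructed two-buffer chains; the `(struct mbuf *)(uintptr_t)` cast in `pullup_as_quoted()` is there only so current compilers accept the mis-parenthesized form. Whether this is the path Jim's crash took is not settled in the message; the example shows only what the quoted condition does on success, on a runt packet, and after moving the closing parenthesis.

```c
/* Added example (editor's own, not from the message or from FreeBSD):
 * a user-space model of the precedence pitfall in the quoted arpintr()
 * condition.  struct mbuf, m_pullup() and the chains are constructed
 * stand-ins for the kernel's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARPHDR_LEN 8      /* sizeof(struct arphdr), matching the cmpl $0x7 */
#define M_PKTHDR   0x0002 /* matching testb $0x2,0x12(%ebx) on m_flags */

struct mbuf {
    struct mbuf   *m_next;    /* next buffer of the same packet */
    struct mbuf   *m_nextpkt; /* next packet in the queue */
    unsigned char *m_data;    /* start of valid data */
    int            m_len;     /* bytes valid at m_data */
    short          m_type;
    short          m_flags;
    unsigned char  m_buf[64]; /* constructed backing store */
};

/* Stand-in m_pullup(): make the first len bytes contiguous in m, pulling
 * from m_next as needed; NULL if the whole chain is shorter than len. */
static struct mbuf *m_pullup(struct mbuf *m, int len)
{
    int have = m->m_len;
    struct mbuf *n;

    for (n = m->m_next; n != NULL && have < len; n = n->m_next) {
        int take = (len - have < n->m_len) ? len - have : n->m_len;
        memcpy(m->m_data + have, n->m_data, (size_t)take);
        have += take;
    }
    if (have < len)
        return NULL;          /* runt packet */
    m->m_len = have;
    return m;
}

/* The condition as quoted: "==" binds tighter than "=", so m receives the
 * 0/1 comparison result, not the mbuf pointer.  The cast is added only so
 * that current compilers accept the mis-parenthesized form. */
struct mbuf *pullup_as_quoted(struct mbuf *m)
{
    if (m->m_len < ARPHDR_LEN &&
        (m = (struct mbuf *)(uintptr_t)(m_pullup(m, ARPHDR_LEN) == NULL))) {
        return NULL;          /* the "runt packet" branch */
    }
    return m;                 /* after a successful pullup: (struct mbuf *)0 */
}

/* The same condition with the closing parenthesis moved, so the assignment
 * happens first and the comparison tests the assigned pointer. */
struct mbuf *pullup_fixed(struct mbuf *m)
{
    if (m->m_len < ARPHDR_LEN &&
        (m = m_pullup(m, ARPHDR_LEN)) == NULL) {
        return NULL;
    }
    return m;
}

/* Constructed chain: at most 4 bytes in the first mbuf, the rest in a
 * second one, so an 8-byte ARP header always needs a pullup. */
static void build_chain(struct mbuf *m1, struct mbuf *m2, int total)
{
    memset(m1, 0, sizeof *m1);
    memset(m2, 0, sizeof *m2);
    m1->m_data  = m1->m_buf;
    m2->m_data  = m2->m_buf;
    m1->m_flags = M_PKTHDR;
    m1->m_len   = total < 4 ? total : 4;
    m2->m_len   = total - m1->m_len;
    m1->m_next  = m2->m_len > 0 ? m2 : NULL;
}

/* 1 if the quoted form hands back a null "mbuf" after a successful pullup. */
int quoted_form_yields_null_on_success(void)
{
    struct mbuf m1, m2;
    build_chain(&m1, &m2, ARPHDR_LEN);
    return pullup_as_quoted(&m1) == NULL;
}

/* 1 if the fixed form keeps the real mbuf and makes the header contiguous. */
int fixed_form_keeps_mbuf(void)
{
    struct mbuf m1, m2;
    build_chain(&m1, &m2, ARPHDR_LEN);
    return pullup_fixed(&m1) == &m1 && m1.m_len == ARPHDR_LEN;
}

/* 1 if the fixed form still rejects a genuine runt (4 bytes in total). */
int fixed_form_rejects_runt(void)
{
    struct mbuf m1, m2;
    build_chain(&m1, &m2, 4);
    return pullup_fixed(&m1) == NULL;
}

/* Offset a null m->m_data read would touch: 8 on a 32-bit build of this
 * model (the 0x8(%ebx) operand in the disassembly), 16 on a 64-bit one. */
size_t m_data_offset(void) { return offsetof(struct mbuf, m_data); }

int main(void)
{
    printf("quoted form returns null after success: %d\n",
           quoted_form_yields_null_on_success());
    printf("fixed form keeps mbuf: %d, rejects runt: %d, m_data offset: %zu\n",
           fixed_form_keeps_mbuf(), fixed_form_rejects_runt(), m_data_offset());
    return 0;
}
```

Compile it as a normal user-space program; no kernel headers are needed. The model deliberately keeps the three runtime checks from the quoted code (the null/M_PKTHDR test, the length compare and the post-pullup null test) separate from the one static property the example is about: with the parenthesis in the wrong place, the post-pullup null test can never protect the code, because the pointer it tests is the comparison result, not the mbuf.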