From owner-freebsd-stable@FreeBSD.ORG  Thu Jan 21 19:05:42 2010
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8CE8B106568D
	for <freebsd-stable@freebsd.org>; Thu, 21 Jan 2010 19:05:42 +0000 (UTC)
	(envelope-from jhb@freebsd.org)
Received: from cyrus.watson.org (cyrus.watson.org [65.122.17.42])
	by mx1.freebsd.org (Postfix) with ESMTP id 34F378FC1A
	for <freebsd-stable@freebsd.org>; Thu, 21 Jan 2010 19:05:42 +0000 (UTC)
Received: from bigwig.baldwin.cx (66.111.2.69.static.nyinternet.net
	[66.111.2.69])
	by cyrus.watson.org (Postfix) with ESMTPSA id D916046B37;
	Thu, 21 Jan 2010 14:05:41 -0500 (EST)
Received: from jhbbsd.localnet (smtp.hudson-trading.com [209.249.190.9])
	by bigwig.baldwin.cx (Postfix) with ESMTPA id 0869E8A025;
	Thu, 21 Jan 2010 14:05:41 -0500 (EST)
From: John Baldwin <jhb@freebsd.org>
To: Florian Smeets <flo@smeets.im>
Date: Thu, 21 Jan 2010 14:05:35 -0500
User-Agent: KMail/1.12.1 (FreeBSD/7.2-CBSD-20091231; KDE/4.3.1; amd64; ; )
References: <4B58280C.50602@smeets.im> <201001211258.40316.jhb@freebsd.org>
	<4B589DFF.3030901@smeets.im>
In-Reply-To: <4B589DFF.3030901@smeets.im>
MIME-Version: 1.0
Content-Type: Text/Plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <201001211405.35615.jhb@freebsd.org>
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0.1
	(bigwig.baldwin.cx); Thu, 21 Jan 2010 14:05:41 -0500 (EST)
X-Virus-Scanned: clamav-milter 0.95.1 at bigwig.baldwin.cx
X-Virus-Status: Clean
X-Spam-Status: No, score=-2.6 required=4.2 tests=AWL,BAYES_00 autolearn=ham
	version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on bigwig.baldwin.cx
Cc: freebsd-stable@freebsd.org
Subject: Re: 7.2-STABLE page fault with kernel from 12.01.2010 / crashinfo
	available
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jan 2010 19:05:42 -0000

On Thursday 21 January 2010 1:33:35 pm Florian Smeets wrote:
> On 1/21/10 6:58 PM, John Baldwin wrote:
> > On Thursday 21 January 2010 8:25:22 am Florian Smeets wrote:
> >> On 1/21/10 2:01 PM, John Baldwin wrote:
> >>> On Thursday 21 January 2010 5:10:20 am Florian Smeets wrote:
> >>>> (kgdb) where
> >>>> #0  doadump () at pcpu.h:196
> >>>> #1  0xc0525703 in boot (howto=3D260) at
> > /usr/src/sys/kern/kern_shutdown.c:418
> >>>> #2  0xc052590e in panic (fmt=3DVariable "fmt" is not available.
> >>>> ) at /usr/src/sys/kern/kern_shutdown.c:574
> >>>> #3  0xc06f110c in trap_fatal (frame=3D0xc1f15ae4, eva=3D12) at
> >>>> /usr/src/sys/i386/i386/trap.c:950
> >>>> #4  0xc06f1390 in trap_pfault (frame=3D0xc1f15ae4, usermode=3D0, eva=
=3D12) at
> >>>> /usr/src/sys/i386/i386/trap.c:863
> >>>> #5  0xc06f1d65 in trap (frame=3D0xc1f15ae4) at
> >>>> /usr/src/sys/i386/i386/trap.c:541
> >>>> #6  0xc06d910b in calltrap () at /usr/src/sys/i386/i386/exception.s:=
166
> >>>> #7  0xc0572e48 in m_copydata (m=3D0x0, off=3D0, len=3D40, cp=3D0xc23=
cced8
> >>>> "\203??b??\237\f)h?M\220\224?\023?\205K(e??s?\"???k?oQ?~\223\020g\03=
0")
> >>>>        at /usr/src/sys/kern/uipc_mbuf.c:815
> >>>> #8  0xc05f8b28 in ip_forward (m=3D0xc23dc900, srcrt=3D0) at
> >>>> /usr/src/sys/netinet/ip_input.c:1307
> >>>> #9  0xc05fa30c in ip_input (m=3D0xc23dc900) at
> >>>> /usr/src/sys/netinet/ip_input.c:609
> >>>> #10 0xc05c83d5 in netisr_dispatch (num=3D2, m=3D0xc23dc900) at
> >>>> /usr/src/sys/net/netisr.c:185
> >>>> #11 0xc05bf581 in ether_demux (ifp=3D0xc20a4800, m=3D0xc23dc900) at
> >>>> /usr/src/sys/net/if_ethersubr.c:834
> >>>> #12 0xc05bf973 in ether_input (ifp=3D0xc20a4800, m=3D0xc23dc900) at
> >>>> /usr/src/sys/net/if_ethersubr.c:692
> >>>> #13 0xc04b8749 in sis_rxeof (sc=3D0xc2093800) at
> >>>> /usr/src/sys/dev/sis/if_sis.c:1476
> >>>> #14 0xc04b8973 in sis_intr (arg=3D0xc2093800) at
> >>>> /usr/src/sys/dev/sis/if_sis.c:1667
> >>>> #15 0xc050344b in ithread_loop (arg=3D0xc20ab410) at
> >>>> /usr/src/sys/kern/kern_intr.c:1126
> >>>> #16 0xc04ffe36 in fork_exit (callout=3D0xc05032a0<ithread_loop>,
> >>>> arg=3D0xc20ab410, frame=3D0xc1f15d38) at /usr/src/sys/kern/kern_fork=
=2Ec:811
> >>>> #17 0xc06d9180 in fork_trampoline () at
> >>>> /usr/src/sys/i386/i386/exception.s:271
> >>>> (kgdb) list *0xc0572e48
> >>>> 0xc0572e48 is in m_copydata (libkern.h:61).
> >>>> 56	static __inline int imax(int a, int b) { return (a>   b ? a : b);=
 }
> >>>> 57	static __inline int imin(int a, int b) { return (a<   b ? a : b);=
 }
> >>>> 58	static __inline long lmax(long a, long b) { return (a>   b ? a : =
b);=20
}
> >>>> 59	static __inline long lmin(long a, long b) { return (a<   b ? a : =
b);=20
}
> >>>> 60	static __inline u_int max(u_int a, u_int b) { return (a>   b ? a =
:=20
b);
> > }
> >>>> 61	static __inline u_int min(u_int a, u_int b) { return (a<   b ? a =
:=20
b);
> > }
> >>>> 62	static __inline quad_t qmax(quad_t a, quad_t b) { return (a>   b =
? a=20
:
> >>>> b); }
> >>>> 63	static __inline quad_t qmin(quad_t a, quad_t b) { return (a<   b =
? a=20
:
> >>>> b); }
> >>>> 64	static __inline u_long ulmax(u_long a, u_long b) { return (a>   b=
 ?=20
a
> >>>> : b); }
> >>>> 65	static __inline u_long ulmin(u_long a, u_long b) { return (a<   b=
 ?=20
a
> >>>> : b); }
> >>>> (kgdb) frame 7
> >>>> #7  0xc0572e48 in m_copydata (m=3D0x0, off=3D0, len=3D40, cp=3D0xc23=
cced8
> >>>> "\203??b??\237\f)h?M\220\224?\023?\205K(e??s?\"???k?oQ?~\223\020g\03=
0")
> >>>> at /usr/src/sys/kern/uipc_mbuf.c:815
> >>>> 815			count =3D min(m->m_len - off, len);
> >>>> (kgdb) l
> >>>> 810			off -=3D m->m_len;
> >>>> 811			m =3D m->m_next;
> >>>> 812		}
> >>>> 813		while (len>   0) {
> >>>> 814			KASSERT(m !=3D NULL, ("m_copydata, length>   size of mbuf chai=
n"));
> >>>
> >>> I think you would have hit this assertion if INVARIANTS were enabled.=
 =20
Can
> > you
> >>> go up to frame 8 and do an 'l'?  Maybe 'p *m' as well?
> >>>
> >>
> >> Sure, thanks for taking a look John!
> >>
> >> (kgdb) frame 8
> >> #8  0xc05f8b28 in ip_forward (m=3D0xc23dc900, srcrt=3D0) at
> >> /usr/src/sys/netinet/ip_input.c:1307
> >> 1307			m_copydata(m, 0, mcopy->m_len, mtod(mcopy, caddr_t));
> >> (kgdb) l
> >> 1302			mcopy =3D NULL;
> >> 1303		}
> >> 1304		if (mcopy !=3D NULL) {
> >> 1305			mcopy->m_len =3D min(ip->ip_len, M_TRAILINGSPACE(mcopy));
> >> 1306			mcopy->m_pkthdr.len =3D mcopy->m_len;
> >> 1307			m_copydata(m, 0, mcopy->m_len, mtod(mcopy, caddr_t));
> >> 1308		}
> >> 1309=09
> >> 1310	#ifdef IPSTEALTH
> >> 1311		if (!ipstealth) {
> >> (kgdb) p *m
> >> $1 =3D {m_hdr =3D {mh_next =3D 0x0, mh_nextpkt =3D 0x0, mh_data =3D 0x=
c271e80e
> >> "E\020", mh_len =3D 164, mh_flags =3D 3, mh_type =3D 1, pad =3D "\000"=
}, M_dat =3D
> >> {MH =3D {MH_pkthdr =3D {rcvif =3D 0xc20a4800, header =3D 0x0, len =3D =
164,
> >> csum_flags =3D 3072,
> >>           csum_data =3D 65535, tso_segsz =3D 0, ether_vtag =3D 0, tags=
 =3D
> >> {slh_first =3D 0xc35bc380}}, MH_dat =3D {MH_ext =3D {ext_buf =3D 0xc27=
1e800 "",
> >> ext_free =3D 0, ext_args =3D 0x0, ext_size =3D 2048, ref_cnt =3D 0xc27=
03ab4,
> >> ext_type =3D 6},
> >>           MH_databuf =3D
> >> "\000?q?\000\000\000\000\000\000\000\000\000\b\000\000?:p?
> > \006\000\000\000dL?\t<+?\202\200\020
> >> O/\207\000\000\001\001\b\n-?b\230qms?\000\000\004\001?l?\000\000\001%r=
???
> > \200\000????\034?Ot?\b?{sr\000\034org.jboss.mq.ConnectionToken?\b=DF=BC=
&?
> >=20
\237N\002\000\005I\000\004hashZ\000\asameJVML\000\bclientIDt\000\022Ljava/l=
\000\220\032Ae\207\000\002?
> > 36@\210d\021\000\001?
\001B\000!E\000\001@bV\000\000@2\032$W\213\n\034"...}},
> >>
> >>       M_databuf =3D
> >> "\000H\n?\000\000\000\000?\000\000\000\000\f\000\000??
> > \000\000\000\000\000\000\200?[?\000?q?
> > \000\000\000\000\000\000\000\000\000\b\000\000?:p?\006\000\000\000dL?\t=
<+?
> > \202\200\020
> >> O/\207\000\000\001\001\b\n-?b\230qms?\000\000\004\001?l?\000\000\001%r=
???
> > \200\000????\034?Ot?\b?{sr\000\034org.jboss.mq.ConnectionToken?\b=DF=BC=
&?
> >=20
\237N\002\000\005I\000\004hashZ\000\asameJVML\000\bclientIDt\000\022Ljava/l=
\000\220\032Ae\207\000\002?
> > 3"...}}
> >
> > Ok, can you do 'p *m_copy'?
> >
>=20
> What ever you want :-)
>=20
> (kgdb) p *m_copy
> No symbol "m_copy" in current context.
> (kgdb) p *m_copydata
> $2 =3D {void (const struct mbuf *, int, int, caddr_t)} 0xc0572e10 <m_copy=
data>
> (kgdb) p *mcopy
> $1 =3D {m_hdr =3D {mh_next =3D 0x0, mh_nextpkt =3D 0x0, mh_data =3D 0xc23=
cce34=20
> "E\020", mh_len =3D 204, mh_flags =3D 2, mh_type =3D 1, pad =3D "\000"}, =
M_dat =3D=20
> {MH =3D {MH_pkthdr =3D {rcvif =3D 0xc20a4800, header =3D 0x0,
>          len =3D 204, csum_flags =3D 3072, csum_data =3D 65535, tso_segsz=
 =3D 0,=20
> ether_vtag =3D 0, tags =3D {slh_first =3D 0xc23c3e00}}, MH_dat =3D {MH_ex=
t =3D=20
> {ext_buf =3D 0x84001045 <Address 0x84001045 out of bounds>,

Hmm, ok.  Can you do 'p *ip'?  mcopy->m_len (204) is larger than m->m_len=20
(164).  That shouldn't be the case unless ip->ip_len is somehow larger than=
 m-
>m_len.

=2D-=20
John Baldwin