Message-ID: <44C36691.5030501@gmail.com>
Date: Sun, 23 Jul 2006 14:07:45 +0200
From: Pawel Worach
To: freebsd-current@FreeBSD.org
Subject: page fault panic in kern_access/crcopy

Hi,

While testing SCTP with NetPIPE I found a reproducible panic, I'm not
sure if this one is SCTP's fault.

This is using:
FreeBSD 7.0-CURRENT #0: Sun Jul 23 13:23:06 CEST 2006 + SCTP patches from today.

Procedure:
NPsctp &
NPsctp -h 127.0.0.1
this ends with a "write error" after a while, likely out of resources
try again.
NPsctp
and this happens:

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x1c
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc05342f6
stack pointer           = 0x28:0xd4880ba8
frame pointer           = 0x28:0xd4880bc4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1047 (NPsctp)
trap number             = 12
panic: page fault
KDB: stack backtrace:
kdb_backtrace(c076731d,c07c8660,c075bc1f,d4880a5c,100,...) at kdb_backtrace+0x2e
panic(c075bc1f,c0784dbc,c257483c,1,1,...) at panic+0xb7
trap_fatal(d4880b68,1c,1,0,c276faa4,...) at trap_fatal+0x342
trap_pfault(d4880b68,0,1c,c07bf820,1c,...) at trap_pfault+0x245
trap(c2760008,c1030028,c1040028,c25706c0,c257469c,...) at trap+0x3e3
calltrap() at calltrap+0x5
--- trap 0xc, eip = 0xc05342f6, esp = 0xd4880ba8, ebp = 0xd4880bc4 ---
uihold(0,c28f4804,64,c28f4800,d4880bf0,...) at uihold+0x16
crcopy(c28f4800,c28f4800,0,d4880c6c,c05b1f73,...) at crcopy+0x32
crdup(c28f4800,0,0,0,c25706c0,...) at crdup+0x1d
kern_access(c25706c0,28083000,0,0,d4880d30,...) at kern_access+0x23
access(c25706c0,d4880d04,8,c25706c0,d4880d30,...) at access+0x29
syscall(3b,3b,3b,4,28083000,...) at syscall+0x3d3
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (33, FreeBSD ELF32, access), eip = 0x28058b4f, esp = 0xbfbbf65c, ebp = 0xbfbbf678 ---
Uptime: 11m13s
Physical memory: 502 MB
Dumping 83 MB: 68 52 36 20 4

#0  doadump () at pcpu.h:166
166     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:166
#1  0xc0535dd4 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc053614d in panic (fmt=0xc075bc1f "%s")
    at /usr/src/sys/kern/kern_shutdown.c:565
#3  0xc072d7c2 in trap_fatal (frame=0xd4880b68, eva=28)
    at /usr/src/sys/i386/i386/trap.c:869
#4  0xc072d455 in trap_pfault (frame=0xd4880b68, usermode=0, eva=28)
    at /usr/src/sys/i386/i386/trap.c:778
#5  0xc072cfa3 in trap (frame=
      {tf_fs = -1032454136, tf_es = -1056767960, tf_ds = -1056702424,
       tf_edi = -1034484032, tf_esi = -1034467684, tf_ebp = -729281596,
       tf_isp = -729281644, tf_ebx = 0, tf_edx = 0, tf_ecx = -1034484032,
       tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1068285194,
       tf_cs = 32, tf_eflags = 66194, tf_esp = -1068339599,
       tf_ss = -1065760352}) at /usr/src/sys/i386/i386/trap.c:463
#6  0xc071c1ea in calltrap () at /usr/src/sys/i386/i386/exception.s:138
#7  0xc05342f6 in uihold (uip=0x0) at pcpu.h:166
#8  0xc0531b92 in crcopy (dest=0xc28f4800, src=0xc28f4800)
    at /usr/src/sys/kern/kern_prot.c:1954
#9  0xc0531bed in crdup (cr=0x0) at /usr/src/sys/kern/kern_prot.c:1973
#10 0xc05b1f73 in kern_access (td=0xc25706c0, path=0x0, pathseg=UIO_USERSPACE,
    flags=0) at /usr/src/sys/kern/vfs_syscalls.c:1895
#11 0xc05b1f49 in access (td=0x0, uap=0x0)
    at /usr/src/sys/kern/vfs_syscalls.c:1877
---Type to continue, or q to quit---
#12 0xc072dc03 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 4, tf_esi = 671625216,
       tf_ebp = -1078200712, tf_isp = -729281180, tf_ebx = 671568152,
       tf_edx = -1078199800, tf_ecx = 671625229, tf_eax = 33, tf_trapno = 12,
       tf_err = 2, tf_eip = 671451983, tf_cs = 51, tf_eflags = 582,
       tf_esp = -1078200740, tf_ss = 59})
    at /usr/src/sys/i386/i386/trap.c:1015
#13 0xc071c23f in Xint0x80_syscall ()
    at /usr/src/sys/i386/i386/exception.s:191
#14 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) f 8
#8  0xc0531b92 in crcopy (dest=0xc28f4800, src=0xc28f4800)
    at /usr/src/sys/kern/kern_prot.c:1954
1954            uihold(dest->cr_uidinfo);
(kgdb) p *dest
$1 = {cr_ref = 1, cr_uid = 0, cr_ruid = 0, cr_svuid = 0, cr_ngroups = 0,
  cr_groups = {0 }, cr_rgid = 0, cr_svgid = 0, cr_uidinfo = 0x0,
  cr_ruidinfo = 0x0, cr_prison = 0x0, cr_label = 0x0}
(kgdb) p *src
$2 = {cr_ref = 1, cr_uid = 0, cr_ruid = 0, cr_svuid = 0, cr_ngroups = 0,
  cr_groups = {0 }, cr_rgid = 0, cr_svgid = 0, cr_uidinfo = 0x0,
  cr_ruidinfo = 0x0, cr_prison = 0x0, cr_label = 0x0}
(kgdb) list
1949
1950            KASSERT(crshared(dest) == 0, ("crcopy of shared ucred"));
1951            bcopy(&src->cr_startcopy, &dest->cr_startcopy,
1952                (unsigned)((caddr_t)&src->cr_endcopy -
1953                    (caddr_t)&src->cr_startcopy));
1954            uihold(dest->cr_uidinfo);
1955            uihold(dest->cr_ruidinfo);
1956            if (jailed(dest))
1957                    prison_hold(dest->cr_prison);
1958    #ifdef MAC

Regards
-- 
Pawel
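
A triage sketch for the panic text in this report, added here as an example and not part of the original message or of FreeBSD: it parses the trap header and the DDB backtrace, takes the first frame after the `--- trap` marker as the faulting function, and flags a fault address inside the first page as a NULL pointer plus a small field offset. The names `triage` and `PANIC` and the 4 KiB page size are assumptions; the sample lines are copied from the trace above.

```python
import re

# Sample input: a subset of the panic lines quoted in the message above.
PANIC = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x1c
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc05342f6
current process         = 1047 (NPsctp)
KDB: stack backtrace:
trap(c2760008,c1030028,c1040028,c25706c0,c257469c,...) at trap+0x3e3
calltrap() at calltrap+0x5
--- trap 0xc, eip = 0xc05342f6, esp = 0xd4880ba8, ebp = 0xd4880bc4 ---
uihold(0,c28f4804,64,c28f4800,d4880bf0,...) at uihold+0x16
crcopy(c28f4800,c28f4800,0,d4880c6c,c05b1f73,...) at crcopy+0x32
crdup(c28f4800,0,0,0,c25706c0,...) at crdup+0x1d
kern_access(c25706c0,28083000,0,0,d4880d30,...) at kern_access+0x23
"""

PAGE_SIZE = 4096  # assumption: 4 KiB pages on i386

FIELD = re.compile(r"^([a-z ]+?)\s*=\s*(.+)$")                   # "name   = value"
FRAME = re.compile(r"^(\w+)\((.*?)\) at (\w+)\+(0x[0-9a-f]+)$")  # DDB frame line


def triage(text):
    """Summarise a FreeBSD 'Fatal trap' report: where it faulted and why."""
    fields, frames, after_trap = {}, [], False
    for line in text.splitlines():
        if line.startswith("--- trap"):
            after_trap = True              # frames below were live at the fault
        elif (m := FRAME.match(line)) and after_trap:
            frames.append((m.group(1), m.group(2).split(",")))
        elif (m := FIELD.match(line)) and not after_trap:
            fields[m.group(1).strip()] = m.group(2)
    fault = int(fields["fault virtual address"], 16)
    func, words = frames[0]
    return {
        "fault_addr": fault,
        "faulting_function": func,
        "callers": [name for name, _ in frames[1:]],
        # An address below one page is a NULL base plus a small offset.
        "null_deref": fault < PAGE_SIZE,
        # DDB prints raw stack words, not typed arguments; a zero in the
        # first slot here agrees with kgdb's "uihold (uip=0x0)".
        "zero_words": [i for i, w in enumerate(words) if w == "0"],
    }
```

Running `triage(PANIC)` on this report gives `uihold` as the faulting function with fault address `0x1c`, which is the same value kgdb prints as `eva=28`.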