Date: Fri, 2 Dec 2005 19:35:11 GMT From: Travis Mikalson <bofh@terranova.net> To: freebsd-gnats-submit@FreeBSD.org Subject: kern/89864: [if_vr] [panic] if_vr panic under FreeBSD 6 Message-ID: <200512021935.jB2JZBuK029386@www.freebsd.org> Resent-Message-ID: <200512021940.jB2Je2Kc078144@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 89864 >Category: kern >Synopsis: [if_vr] [panic] if_vr panic under FreeBSD 6 >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Dec 02 19:40:02 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Travis Mikalson >Release: 6.0-RELEASE >Organization: TerraNovaNet, Inc. >Environment: FreeBSD tnn1.wlb.terranova.net 6.0-RELEASE FreeBSD 6.0-RELEASE #3: Sun Nov 27 00 :04:47 EST 2005 root@freebsd6.tog.net:/usr/cfobj/usr/src/sys/cfbsd-desktop-debug i386 >Description: I am using 6.0-RELEASE on this system, BUT I am using if_vr.c and if_vrreg.h from RELENG_6, if_vr.c revision 1.104.2.5 and if_vrreg.h revision 1.22.2.1. I am using it in an if_bridge bridge: $ ifconfig bridge0 bridge0: flags=8041<UP,RUNNING,MULTICAST> mtu 1500 ether ac:de:48:e8:b9:99 priority 32768 hellotime 2 fwddelay 15 maxage 20 member: ath0 flags=3<LEARNING,DISCOVER> member: vr0 flags=3<LEARNING,DISCOVER> I have two different crashdumps from the last 12 hours exactly like this so I figured it was worth reporting. The backtrace doesn't look like much to go on, but I'm not very good at reading them. The hardware is a VIA EPIA 5000 (the first VIA EPIA board made, the 533MHz one) using the on-board NIC: vr0: <VIA VT6102 Rhine II 10/100BaseTX> port 0xec00-0xecff mem 0xd3410000-0xd34100ff irq 10 at device 18.0 on pci0 $ pciconf -l hostb0@pci0:0:0: class=0x060000 card=0x60101106 chip=0x06011106 rev=0x05 hdr=0x00 pcib1@pci0:1:0: class=0x060400 card=0x00000080 chip=0x86011106 rev=0x00 hdr=0x01 isab0@pci0:17:0: class=0x060100 card=0x60101106 chip=0x82311106 rev=0x10 hdr=0x00 atapci0@pci0:17:1: class=0x01018a card=0x60101106 chip=0x05711106 rev=0x06 hdr=0x00 none0@pci0:17:4: class=0x068000 card=0x60101106 chip=0x82351106 rev=0x10 hdr=0x00 vr0@pci0:18:0: class=0x020000 card=0x01021106 chip=0x30651106 rev=0x51 hdr=0x00 ath0@pci0:20:0: class=0x020000 card=0x1012185f chip=0x0013168c rev=0x01 hdr=0x00 none1@pci1:0:0: class=0x030000 card=0x85001023 chip=0x85001023 rev=0x6a hdr=0x00 GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-marcel-freebsd". Unread portion of the kernel message buffer: Fatal trap 12: page fault while in kernel mode fault virtual address = 0x1 fault code = supervisor write, page not present instruction pointer = 0x20:0xc06a5aaa stack pointer = 0x28:0xc7895c50 frame pointer = 0x28:0xc7895c9c code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 20 (irq10: vr0) trap number = 12 panic: page fault Uptime: 10h29m27s Dumping 125 MB (2 chunks) chunk 0: 1MB (160 pages) ... ok chunk 1: 125MB (31984 pages) 109 93 77 61 45 29 13 #0 doadump () at pcpu.h:165 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td)); (kgdb) bt full #0 doadump () at pcpu.h:165 No locals. #1 0xc0503b36 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399 first_buf_printf = 1 #2 0xc0503dcc in panic (fmt=0xc06d1966 "%s") at /usr/src/sys/kern/kern_shutdown.c:555 td = (struct thread *) 0xc0ecb000 bootopt = 260 newpanic = 0 ap = 0xc0ecb000 "H¬ìÀ \212ìÀ" buf = "page fault", '\0' <repeats 245 times> #3 0xc06a7de4 in trap_fatal (frame=0xc7895c10, eva=1) at /usr/src/sys/i386/i386/trap.c:831 code = 40 type = 12 ss = 40 esp = 0 softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_xx = 12, ssd_xx1 = 2, ssd_def32 = 1, ssd_gran = 1} #4 0xc06a7b4f in trap_pfault (frame=0xc7895c10, usermode=0, eva=1) at /usr/src/sys/i386/i386/trap.c:742 va = 0 vm = (struct vmspace *) 0x0 map = 0xc0760920 rv = 1 ftype = 1 '\001' td = (struct thread *) 0xc0ecb000 p = (struct proc *) 0xc0ecac48 #5 0xc06a778d in trap (frame= {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 1, tf_esi = -1056147448, tf_ebp = -947299172, tf_isp = -947299268, tf_ebx = -1054614016, tf_edx = 2, tf_ecx = 378, tf_eax = 1056147449, tf_trapno = 12, tf_err = 2, tf_eip = -1066771798, tf_cs = 32, tf_eflags = 66067, tf_esp = 1514, tf_ss = 1514}) at /usr/src/sys/i386/i386/trap.c:432 td = (struct thread *) 0xc0ecb000 p = (struct proc *) 0xc0ecac48 sticks = 477372156 i = 0 ucode = 0 type = 12 code = 2 eva = 1 #6 0xc06974ba in calltrap () at /usr/src/sys/i386/i386/exception.s:139 No locals. #7 0xc06a5aaa in generic_bcopy () at /usr/src/sys/i386/i386/support.s:489 No locals. Previous frame inner to this frame (corrupt stack?) (kgdb) up #1 0xc0503b36 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399 399 doadump(); (kgdb) up #2 0xc0503dcc in panic (fmt=0xc06d1966 "%s") at /usr/src/sys/kern/kern_shutdown.c:555 555 boot(bootopt); (kgdb) up #3 0xc06a7de4 in trap_fatal (frame=0xc7895c10, eva=1) at /usr/src/sys/i386/i386/trap.c:831 831 panic("%s", trap_msg[type]); (kgdb) up #4 0xc06a7b4f in trap_pfault (frame=0xc7895c10, usermode=0, eva=1) at /usr/src/sys/i386/i386/trap.c:742 742 trap_fatal(frame, eva); (kgdb) up #5 0xc06a778d in trap (frame= {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 1, tf_esi = -1056147448, tf_ebp = -947299172, tf_isp = -947299268, tf_ebx = -1054614016, tf_edx = 2, tf_ecx = 378, tf_eax = 1056147449, tf_trapno = 12, tf_err = 2, tf_eip = -1066771798, tf_cs = 32, tf_eflags = 66067, tf_esp = 1514, tf_ss = 1514}) at /usr/src/sys/i386/i386/trap.c:432 432 (void) trap_pfault(&frame, FALSE, eva); (kgdb) up #6 0xc06974ba in calltrap () at /usr/src/sys/i386/i386/exception.s:139 139 call trap Current language: auto; currently asm (kgdb) up #7 0xc06a5aaa in generic_bcopy () at /usr/src/sys/i386/i386/support.s:489 489 cld /* nope, copy forwards */ (kgdb) up Initial frame selected; you cannot go up. (kgdb) list 484 subl %esi,%eax 485 cmpl %ecx,%eax /* overlapping && src < dst? */ 486 jb 1f 487 488 shrl $2,%ecx /* copy by 32-bit words */ 489 cld /* nope, copy forwards */ 490 rep 491 movsl 492 movl 20(%esp),%ecx 493 andl $3,%ecx /* any bytes left? */ (kgdb) down #6 0xc06974ba in calltrap () at /usr/src/sys/i386/i386/exception.s:139 139 call trap (kgdb) list 134 movl %eax,%es 135 movl $KPSEL,%eax 136 movl %eax,%fs 137 FAKE_MCOUNT(TF_EIP(%esp)) 138 calltrap: 139 call trap 140 141 /* 142 * Return via doreti to handle ASTs. 143 */ (kgdb) down #5 0xc06a778d in trap (frame= {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 1, tf_esi = -1056147448, tf_ebp = -947299172, tf_isp = -947299268, tf_ebx = -1054614016, tf_edx = 2, tf_ecx = 378, tf_eax = 1056147449, tf_trapno = 12, tf_err = 2, tf_eip = -1066771798, tf_cs = 32, tf_eflags = 66067, tf_esp = 1514, tf_ss = 1514}) at /usr/src/sys/i386/i386/trap.c:432 432 (void) trap_pfault(&frame, FALSE, eva); Current language: auto; currently c (kgdb) list 427 428 KASSERT(cold || td->td_ucred != NULL, 429 ("kernel trap doesn't have ucred")); 430 switch (type) { 431 case T_PAGEFLT: /* page fault */ 432 (void) trap_pfault(&frame, FALSE, eva); 433 goto out; 434 435 case T_DNA: 436 #ifdef DEV_NPX (kgdb) down #4 0xc06a7b4f in trap_pfault (frame=0xc7895c10, usermode=0, eva=1) at /usr/src/sys/i386/i386/trap.c:742 742 trap_fatal(frame, eva); (kgdb) list 737 if (td->td_intr_nesting_level == 0 && 738 PCPU_GET(curpcb)->pcb_onfault != NULL) { 739 frame->tf_eip = (int)PCPU_GET(curpcb)->pcb_onfault; 740 return (0); 741 } 742 trap_fatal(frame, eva); 743 return (-1); 744 } 745 746 /* kludge to pass faulting virtual address to sendsig */ (kgdb) down #3 0xc06a7de4 in trap_fatal (frame=0xc7895c10, eva=1) at /usr/src/sys/i386/i386/trap.c:831 831 panic("%s", trap_msg[type]); (kgdb) list 826 intr_restore(eflags); 827 } 828 #endif 829 printf("trap number = %d\n", type); 830 if (type <= MAX_TRAP_MSG) 831 panic("%s", trap_msg[type]); 832 else 833 panic("unknown/reserved trap"); 834 } 835 (kgdb) down #2 0xc0503dcc in panic (fmt=0xc06d1966 "%s") at /usr/src/sys/kern/kern_shutdown.c:555 555 boot(bootopt); (kgdb) list 550 mtx_lock_spin(&sched_lock); 551 td->td_flags |= TDF_INPANIC; 552 mtx_unlock_spin(&sched_lock); 553 if (!sync_on_panic) 554 bootopt |= RB_NOSYNC; 555 boot(bootopt); 556 } 557 558 /* 559 * Support for poweroff delay. (kgdb) down #1 0xc0503b36 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399 399 doadump(); (kgdb) list 394 395 /* XXX This doesn't disable interrupts any more. Reconsider? */ 396 splhigh(); 397 398 if ((howto & (RB_HALT|RB_DUMP)) == RB_DUMP && !cold && !dumping) 399 doadump(); 400 401 /* Now that we're going to really halt the system... */ 402 EVENTHANDLER_INVOKE(shutdown_final, howto); 403 (kgdb) >How-To-Repeat: Run if_vr with steady load for a while with if_bridge, at least that's how I'm reproducing it. >Fix: >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200512021935.jB2JZBuK029386>