From owner-freebsd-current  Sat Mar  8 13:35:40 2003
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 1879B37B401; Sat,  8 Mar 2003 13:35:37 -0800 (PST)
Received: from obsecurity.dyndns.org (adsl-63-207-60-52.dsl.lsan03.pacbell.net [63.207.60.52])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 2EAA943FAF; Sat,  8 Mar 2003 13:35:36 -0800 (PST)
	(envelope-from kris@obsecurity.org)
Received: from rot13.obsecurity.org (rot13.obsecurity.org [10.0.0.5])
	by obsecurity.dyndns.org (Postfix) with ESMTP
	id D7F7E66CFB; Sat,  8 Mar 2003 13:35:35 -0800 (PST)
Received: by rot13.obsecurity.org (Postfix, from userid 1000)
	id B5121493; Sat,  8 Mar 2003 13:35:35 -0800 (PST)
Date: Sat, 8 Mar 2003 13:35:35 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: current@FreeBSD.ORG, alfred@FreeBSD.org
Subject: Re: NULL pointer problem in pid selection ?
Message-ID: <20030308213535.GE56020@rot13.obsecurity.org>
References: <54592.1047120394@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="dFWYt1i2NyOo1oI9"
Content-Disposition: inline
In-Reply-To: <54592.1047120394@critter.freebsd.dk>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-current.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-current>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-current>
X-Loop: FreeBSD.ORG


--dFWYt1i2NyOo1oI9
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Mar 08, 2003 at 11:46:34AM +0100, Poul-Henning Kamp wrote:
>=20
> Just got this crash on -current, and I belive I have seen similar
> before.  addr2line(1) reports the faulting address to be
> 	../../../kern/kern_fork.c:395
> which is in the inner loop of pid collision avoidance.

I've been running this patch from Alfred for the past month or so on
bento, which has fixed a similar panic I was seeing regularly.

Kris

Index: kern/kern_fork.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/src/sys/kern/kern_fork.c,v
retrieving revision 1.186
diff -u -r1.186 kern_fork.c
--- kern/kern_fork.c	27 Feb 2003 02:05:17 -0000	1.186
+++ kern/kern_fork.c	4 Mar 2003 00:28:09 -0000
@@ -325,6 +325,7 @@
 	 * exceed the limit. The variable nprocs is the current number of
 	 * processes, maxproc is the limit.
 	 */
+	sx_xlock(&proctree_lock);
 	sx_xlock(&allproc_lock);
 	uid =3D td->td_ucred->cr_ruid;
 	if ((nprocs >=3D maxproc - 10 && uid !=3D 0) || nprocs >=3D maxproc) {
@@ -432,6 +433,7 @@
 	LIST_INSERT_HEAD(&allproc, p2, p_list);
 	LIST_INSERT_HEAD(PIDHASH(p2->p_pid), p2, p_hash);
 	sx_xunlock(&allproc_lock);
+	sx_xunlock(&proctree_lock);
=20
 	/*
 	 * Malloc things while we don't hold any locks.
@@ -757,6 +759,7 @@
 	return (0);
 fail:
 	sx_xunlock(&allproc_lock);
+	sx_xunlock(&proctree_lock);
 	uma_zfree(proc_zone, newproc);
 	if (p1->p_flag & P_THREADED) {
 		PROC_LOCK(p1);


>=20
> Poul-Henning
>=20
> Fatal trap 12: page fault while in kernel mode
> cpuid =3D 0; lapic.id =3D 00000000
> fault virtual address   =3D 0x14
> fault code              =3D supervisor read, page not present
> instruction pointer     =3D 0x8:0xc01c3eec
> stack pointer           =3D 0x10:0xe74e3c74
> frame pointer           =3D 0x10:0xe74e3cbc
> code segment            =3D base 0x0, limit 0xfffff, type 0x1b
>                         =3D DPL 0, pres 1, def32 1, gran 1
> processor eflags        =3D interrupt enabled, resume, IOPL =3D 0
> current process         =3D 99777 (sh)
> trap number             =3D 12
> panic: page fault
> cpuid =3D 0; lapic.id =3D 00000000
> Stack backtrace:
> backtrace(c032ff8e,0,c03394ce,e74e3b68,1) at 0xc01d86a7 =3D backtrace+0x17
> panic(c03394ce,c0342131,cfe5496c,1,1) at 0xc01d87ba =3D panic+0x10a
> trap_fatal(e74e3c34,14,c03422ba,2e3,cfe4fa50) at 0xc02fa672 =3D trap_fata=
l+0x322
> trap_pfault(e74e3c34,0,14,c035a038,14) at 0xc02fa322 =3D trap_pfault+0x1c2
> trap(18,10,10,cf19c3f8,cf76b9ec) at 0xc02f9e9d =3D trap+0x3cd
> calltrap() at 0xc02e2cd8 =3D calltrap+0x5
> --- trap 0xc, eip =3D 0xc01c3eec, esp =3D 0xe74e3c74, ebp =3D 0xe74e3cbc =
---
> fork1(cfe4fa50,14,0,e74e3cd4,cfe54858) at 0xc01c3eec =3D fork1+0x3fc
> fork(cfe4fa50,e74e3d10,c03422ba,404,0) at 0xc01c3852 =3D fork+0x52
> syscall(2f,2f,2f,0,80ff000) at 0xc02fa98e =3D syscall+0x26e
> Xint0x80_syscall() at 0xc02e2d2d =3D Xint0x80_syscall+0x1d
> --- syscall (2), eip =3D 0x807ba9f, esp =3D 0xbfbff6bc, ebp =3D 0xbfbff6e=
8 ---
> boot() called on cpu#0
>=20
> --=20
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetenc=
e.
>=20
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-current" in the body of the message

--dFWYt1i2NyOo1oI9
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+amInWry0BWjoQKURAlRGAJwOAAQ/CA5t+U0OMdYGHVaWdOyhYgCgkffG
SrGZFoCS/TPBBaD4AuUP0+c=
=2l59
-----END PGP SIGNATURE-----

--dFWYt1i2NyOo1oI9--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message