Date: Sun, 27 Aug 2017 14:39:29 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 221849] Kernel panic, kqueue related NULL pointer dereference sys/kern/kern_event.c Message-ID: <bug-221849-8-UyD9tBm7Ip@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-221849-8@https.bugs.freebsd.org/bugzilla/> References: <bug-221849-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221849 --- Comment #1 from Aragon Gouveia <aragon@phat.za.net> --- After more tests, I think the kqueue related backtrace from earlier might just be a symptom of something much stranger. Is it possible the IPSec stack is overwriting kernel memory? The kernel panic consistently happens shortly after the Android VPN client and racoon finish establishing ISAKMP and IPSec SAs, but before MPD sees any L2TP requests. What is inconsistent is the contents of the backtrace. I have rebuilt a GENERIC kernel with -O0 to try to make debugging easier, and below are a few kgdb sessions of separate panics that were triggered under the same condition of an Android VPN client trying to connect. Fatal trap 12: page fault while in kernel mode cpuid = 1; apic id = 01 fault virtual address = 0x1100000094 fault code = supervisor write data, page not present instruction pointer = 0x20:0xffffffff814c43b6 stack pointer = 0x28:0xfffffe00003b3af0 frame pointer = 0x28:0xfffffe00003b3b00 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 814 (sshd) trap number = 12 panic: page fault cpuid = 1 KDB: stack backtrace: #0 0xffffffff810e9be7 at kdb_backtrace+0xa7 #1 0xffffffff8107a129 at vpanic+0x249 #2 0xffffffff81079ee0 at vpanic+0 #3 0xffffffff817cb38a at trap_fatal+0x60a #4 0xffffffff817cb538 at trap_pfault+0x188 #5 0xffffffff817ca6e1 at trap+0x751 #6 0xffffffff817cb9ba at trap_check+0x4a #7 0xffffffff817a07e1 at calltrap+0x8 #8 0xffffffff814bfc42 at refcount_release+0x22 #9 0xffffffff814bfbae at key_freesp+0x2e #10 0xffffffff814b7744 at ipsec_invalidate_cache+0xc4 #11 0xffffffff814b622a at ipsec_getpcbpolicy+0x16a #12 0xffffffff814b6005 at ipsec_hdrsiz_inpcb+0x25 #13 0xffffffff8141e57d at tcp_output+0x9dd #14 0xffffffff81439c80 at tcp_usr_send+0x350 #15 0xffffffff8116a051 at sosend_generic+0xeb1 #16
0xffffffff8116a31d at sosend+0x5d #17 0xffffffff8112e7c7 at soo_write+0x87 Uptime: 6m9s Dumping 123 out of 981 MB:..13%..26%..39%..52%..65%..78%..91% Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from /usr/lib/debug//boot/kernel/ng_socket.ko.debug...done. done.=20=20 Loaded symbols for /boot/kernel/ng_socket.ko Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from /usr/lib/debug//boot/kernel/netgraph.ko.debug...done. done.=20=20 Loaded symbols for /boot/kernel/netgraph.ko Reading symbols from /boot/kernel/ng_mppc.ko...Reading symbols from /usr/lib/debug//boot/kernel/ng_mppc.ko.debug...done. done.=20=20 Loaded symbols for /boot/kernel/ng_mppc.ko Reading symbols from /boot/kernel/rc4.ko...Reading symbols from /usr/lib/debug//boot/kernel/rc4.ko.debug...done. done.=20=20 Loaded symbols for /boot/kernel/rc4.ko #0 doadump (textdump=3D1) at /usr/src/sys/kern/kern_shutdown.c:298 298 dumptid =3D curthread->td_tid; (kgdb) list *0xffffffff814c43b6 0xffffffff814c43b6 is in atomic_fetchadd_int (atomic.h:245). 
240 */ 241 static __inline u_int 242 atomic_fetchadd_int(volatile u_int *p, u_int v) 243 { 244 245 __asm __volatile( 246 " " MPLOCKED " " 247 " xaddl %0,%1 ; " 248 "# atomic_fetchadd_int" 249 : "+r" (v), /* 0 */ Current language: auto; currently minimal (kgdb) backtrace #0 doadump (textdump=3D1) at /usr/src/sys/kern/kern_shutdown.c:298 #1 0xffffffff81079668 in kern_reboot (howto=3D260) at /usr/src/sys/kern/kern_shutdown.c:366 #2 0xffffffff8107a17f in vpanic (fmt=3D0xffffffff81b40308 "%s", ap=3D0xfffffe00003b34a0) at /usr/src/sys/kern/kern_shutdown.c:759 #3 0xffffffff81079ee0 in panic (fmt=3D0xffffffff81b40308 "%s") at /usr/src/sys/kern/kern_shutdown.c:690 #4 0xffffffff817cb38a in trap_fatal (frame=3D0xfffffe00003b3a30, eva=3D73014444180) at /usr/src/sys/amd64/amd64/trap.c:801 #5 0xffffffff817cb538 in trap_pfault (frame=3D0xfffffe00003b3a30, usermode= =3D0) at /usr/src/sys/amd64/amd64/trap.c:683 #6 0xffffffff817ca6e1 in trap (frame=3D0xfffffe00003b3a30) at /usr/src/sys/amd64/amd64/trap.c:421 #7 0xffffffff817cb9ba in trap_check (frame=3D0xfffffe00003b3a30) at /usr/src/sys/amd64/amd64/trap.c:602 #8 0xffffffff817a07e1 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:236 #9 0xffffffff814c43b6 in atomic_fetchadd_int (p=3D0x1100000094, v=3D429496= 7295) at atomic.h:250 #10 0xffffffff814bfc42 in refcount_release (count=3D0x1100000094) at refcount.h:62 #11 0xffffffff814bfbae in key_freesp (spp=3D0xfffffe00003b3b58) at /usr/src/sys/netipsec/key.c:1076 #12 0xffffffff814b7744 in ipsec_invalidate_cache (inp=3D0xfffff80003f2fae0, dir=3D2) at /usr/src/sys/netipsec/ipsec.c:317 #13 0xffffffff814b622a in ipsec_getpcbpolicy (inp=3D0xfffff80003f2fae0, dir= =3D2) at /usr/src/sys/netipsec/ipsec.c:463 #14 0xffffffff814b6005 in ipsec_hdrsiz_inpcb (inp=3D0xfffff80003f2fae0) at /usr/src/sys/netipsec/ipsec.c:1151 #15 0xffffffff8141e57d in tcp_output (tp=3D0xfffff80003e58820) at /usr/src/sys/netinet/tcp_output.c:560 #16 0xffffffff81439c80 in tcp_usr_send (so=3D0xfffff80013035000, 
flags=3D0, m=3D0xfffff80013538400, nam=3D0x0, control=3D0x0, td=3D0xfffff80003cbd000) at /usr/src/sys/netinet/tcp_usrreq.c:967 #17 0xffffffff8116a051 in sosend_generic (so=3D0xfffff80013035000, addr=3D0= x0, uio=3D0xfffffe00003b47a8, top=3D0xfffff80013538400, control=3D0x0, flags=3D0, td=3D0xfffff80003cbd000) at /usr/src/sys/kern/uipc_socket.c:1360 #18 0xffffffff8116a31d in sosend (so=3D0xfffff80013035000, addr=3D0x0, uio=3D0xfffffe00003b47a8, top=3D0x0, control=3D0x0, flags=3D0, td=3D0xfffff80003cbd000) at /usr/src/sys/kern/uipc_socket.c:1405 #19 0xffffffff8112e7c7 in soo_write (fp=3D0xfffff80003869b90, uio=3D0xfffffe00003b47a8, active_cred=3D0xfffff80003d5a600, flags=3D0, td=3D0xfffff80003cbd000) at /usr/src/sys/kern/sys_socket.c:146 #20 0xffffffff81121e1a in fo_write (fp=3D0xfffff80003869b90, uio=3D0xfffffe00003b47a8, active_cred=3D0xfffff80003d5a600, flags=3D0, td=3D0xfffff80003cbd000) at file.h:307 #21 0xffffffff8111dc36 in dofilewrite (td=3D0xfffff80003cbd000, fd=3D3, fp=3D0xfffff80003869b90, auio=3D0xfffffe00003b47a8, offset=3D-1, flags=3D0) at /usr/src/sys/kern/sys_generic.c:592 #22 0xffffffff8111d786 in kern_writev (td=3D0xfffff80003cbd000, fd=3D3, auio=3D0xfffffe00003b47a8) at /usr/src/sys/kern/sys_generic.c:506 #23 0xffffffff8111d65f in sys_write (td=3D0xfffff80003cbd000, uap=3D0xfffffe00003b4a58) at /usr/src/sys/kern/sys_generic.c:420 #24 0xffffffff817cc7b1 in syscallenter (td=3D0xfffff80003cbd000, sa=3D0xfffffe00003b4a48) at subr_syscall.c:135 #25 0xffffffff817cbd0a in amd64_syscall (td=3D0xfffff80003cbd000, traced=3D= 0) at /usr/src/sys/amd64/amd64/trap.c:902 #26 0xffffffff817a0acb in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:396 #27 0x00000008021c34aa in ?? () Previous frame inner to this frame (corrupt stack?) 
(kgdb) frame 11 #11 0xffffffff814bfbae in key_freesp (spp=0xfffffe00003b3b58) at /usr/src/sys/netipsec/key.c:1076 1076 if (SP_DELREF(sp) == 0) (kgdb) list 1071 key_freesp(struct secpolicy **spp) 1072 { 1073 struct secpolicy *sp = *spp; 1074 1075 IPSEC_ASSERT(sp != NULL, ("null sp")); 1076 if (SP_DELREF(sp) == 0) 1077 return; 1078 1079 KEYDBG(IPSEC_STAMP, 1080 printf("%s: last reference to SP(%p)\n", __func__, sp)); (kgdb) print sp $1 = (struct secpolicy *) 0x1100000000 (kgdb) print *sp Cannot access memory at address 0x1100000000 The panic below seemed to occur just as I tried to perform a "racoonctl show-sa ipsec", while the VPN client was busy trying to connect. Fatal trap 12: page fault while in kernel mode cpuid = 0; apic id = 00 fault virtual address = 0x4c fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff814c43fe stack pointer = 0x28:0xfffffe0000336b70 frame pointer = 0x28:0xfffffe0000336bd0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 688 (racoon) trap number = 12 panic: page fault cpuid = 0 KDB: stack backtrace: #0 0xffffffff810e9be7 at kdb_backtrace+0xa7 #1 0xffffffff8107a129 at vpanic+0x249 #2 0xffffffff81079ee0 at vpanic+0 #3 0xffffffff817cb38a at trap_fatal+0x60a #4 0xffffffff817cb538 at trap_pfault+0x188 #5 0xffffffff817ca6e1 at trap+0x751 #6 0xffffffff817cb9ba at trap_check+0x4a #7 0xffffffff817a07e1 at calltrap+0x8 #8 0xffffffff814d297a at key_setdumpsa+0x40a #9 0xffffffff814cb182 at key_dump+0x412 #10 0xffffffff814c31e4 at key_parse+0xce4 #11 0xffffffff814d86ac at key_output+0x1ac #12 0xffffffff8125af8c at raw_usend+0x8c #13 0xffffffff814d9bb1 at key_send+0x51 #14 0xffffffff8116a051 at sosend_generic+0xeb1 #15 0xffffffff8116a31d at sosend+0x5d #16 0xffffffff811769bc at kern_sendit+0x42c #17 0xffffffff81176e86 at sendit+0x146 Uptime:
5m22s Dumping 124 out of 981 MB:..13%..26%..39%..52%..65%..78%..91% Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from /usr/lib/debug//boot/kernel/ng_socket.ko.debug...done. done. Loaded symbols for /boot/kernel/ng_socket.ko Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from /usr/lib/debug//boot/kernel/netgraph.ko.debug...done. done. Loaded symbols for /boot/kernel/netgraph.ko Reading symbols from /boot/kernel/ng_mppc.ko...Reading symbols from /usr/lib/debug//boot/kernel/ng_mppc.ko.debug...done. done. Loaded symbols for /boot/kernel/ng_mppc.ko Reading symbols from /boot/kernel/rc4.ko...Reading symbols from /usr/lib/debug//boot/kernel/rc4.ko.debug...done. done. Loaded symbols for /boot/kernel/rc4.ko #0 doadump (textdump=3D1) at /usr/src/sys/kern/kern_shutdown.c:298 298 dumptid =3D curthread->td_tid; (kgdb) list *0xffffffff814c43fe 0xffffffff814c43fe is in key_setsadbaddr (/usr/src/sys/netipsec/key.c:3693). 3688 struct mbuf *m; 3689 struct sadb_address *p; 3690 size_t len; 3691 3692 len =3D PFKEY_ALIGN8(sizeof(struct sadb_address)) + 3693 PFKEY_ALIGN8(saddr->sa_len); 3694 m =3D m_get2(len, M_NOWAIT, MT_DATA, 0); 3695 if (m =3D=3D NULL) 3696 return (NULL); 3697 m_align(m, len); Current language: auto; currently minimal (kgdb) backtrace #0 doadump (textdump=3D1) at /usr/src/sys/kern/kern_shutdown.c:298 #1 0xffffffff81079668 in kern_reboot (howto=3D260) at /usr/src/sys/kern/kern_shutdown.c:366 #2 0xffffffff8107a17f in vpanic (fmt=3D0xffffffff81b40308 "%s", ap=3D0xfffffe0000336520) at /usr/src/sys/kern/kern_shutdown.c:759 #3 0xffffffff81079ee0 in panic (fmt=3D0xffffffff81b40308 "%s") at /usr/src/sys/kern/kern_shutdown.c:690 #4 0xffffffff817cb38a in trap_fatal (frame=3D0xfffffe0000336ab0, eva=3D76)= at /usr/src/sys/amd64/amd64/trap.c:801 #5 0xffffffff817cb538 in trap_pfault (frame=3D0xfffffe0000336ab0, usermode= =3D0) at /usr/src/sys/amd64/amd64/trap.c:683 #6 0xffffffff817ca6e1 in trap (frame=3D0xfffffe0000336ab0) at 
/usr/src/sys/amd64/amd64/trap.c:421 #7 0xffffffff817cb9ba in trap_check (frame=3D0xfffffe0000336ab0) at /usr/src/sys/amd64/amd64/trap.c:602 #8 0xffffffff817a07e1 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:236 #9 0xffffffff814c43fe in key_setsadbaddr (exttype=3D6, saddr=3D0x4c, prefi= xlen=3D255 '?', ul_proto=3D255) at /usr/src/sys/netipsec/key.c:3693 #10 0xffffffff814d297a in key_setdumpsa (sav=3D0xfffff8000381b700, type=3D1= 0 '\n', satype=3D3 '\003', seq=3D0, pid=3D688) at /usr/src/sys/netipsec/key.c:3469 #11 0xffffffff814cb182 in key_dump (so=3D0xfffff800039a8360, m=3D0xfffff8003d4fab00, mhp=3D0xfffffe0000336fd8) at /usr/src/sys/netipsec/key.c:7509 #12 0xffffffff814c31e4 in key_parse (m=3D0xfffff8003d4fab00, so=3D0xfffff800039a8360) at /usr/src/sys/netipsec/key.c:7861 #13 0xffffffff814d86ac in key_output (m=3D0xfffff8003d4fab00, so=3D0xfffff800039a8360) at /usr/src/sys/netipsec/keysock.c:128 #14 0xffffffff8125af8c in raw_usend (so=3D0xfffff800039a8360, flags=3D0, m=3D0xfffff8003d4fab00, nam=3D0x0, control=3D0x0, td=3D0xfffff800039f5560) at /usr/src/sys/net/raw_usrreq.c:238 #15 0xffffffff814d9bb1 in key_send (so=3D0xfffff800039a8360, flags=3D0, m=3D0xfffff8003d4fab00, nam=3D0x0, control=3D0x0, td=3D0xfffff800039f5560) at /usr/src/sys/netipsec/keysock.c:492 #16 0xffffffff8116a051 in sosend_generic (so=3D0xfffff800039a8360, addr=3D0= x0, uio=3D0xfffffe00003376a0, top=3D0xfffff8003d4fab00, control=3D0x0, flags=3D0, td=3D0xfffff800039f5560) at /usr/src/sys/kern/uipc_socket.c:1360 #17 0xffffffff8116a31d in sosend (so=3D0xfffff800039a8360, addr=3D0x0, uio=3D0xfffffe00003376a0, top=3D0x0, control=3D0x0, flags=3D0, td=3D0xfffff800039f5560) at /usr/src/sys/kern/uipc_socket.c:1405 #18 0xffffffff811769bc in kern_sendit (td=3D0xfffff800039f5560, s=3D12, mp=3D0xfffffe00003377b0, flags=3D0, control=3D0x0, segflg=3DUIO_USERSPACE) at /usr/src/sys/kern/uipc_syscalls.c:873 #19 0xffffffff81176e86 in sendit (td=3D0xfffff800039f5560, s=3D12, mp=3D0xfffffe00003377b0, 
flags=0) at /usr/src/sys/kern/uipc_syscalls.c:793 #20 0xffffffff81176d37 in sys_sendto (td=0xfffff800039f5560, uap=0xfffffe0000337a58) at /usr/src/sys/kern/uipc_syscalls.c:924 #21 0xffffffff817cc7b1 in syscallenter (td=0xfffff800039f5560, sa=0xfffffe0000337a48) at subr_syscall.c:135 #22 0xffffffff817cbd0a in amd64_syscall (td=0xfffff800039f5560, traced=0) at /usr/src/sys/amd64/amd64/trap.c:902 #23 0xffffffff817a0acb in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:396 #24 0x00000008013c9dfa in ?? () Previous frame inner to this frame (corrupt stack?) (kgdb) frame 10 #10 0xffffffff814d297a in key_setdumpsa (sav=0xfffff8000381b700, type=10 '\n', satype=3 '\003', seq=0, pid=688) at /usr/src/sys/netipsec/key.c:3469 3469 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, (kgdb) list 3464 if (!m) 3465 goto fail; 3466 break; 3467 3468 case SADB_EXT_ADDRESS_DST: 3469 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST, 3470 &sav->sah->saidx.dst.sa, 3471 FULLMASK, IPSEC_ULPROTO_ANY); 3472 if (!m) 3473 goto fail; (kgdb) print sav $1 = (struct secasvar *) 0xfffff8000381b700 (kgdb) print *sav $2 = {spi = 778989686, flags = 779777128, seq = 1819047270, pid = 1768120678, ivlen = 1663985518, sah = 0x0, key_auth = 0x0, key_enc = 0x0, replay = 0x0, natt = 0x0, lock = 0x0, tdb_xform = 0x0, tdb_encalgxform = 0x0, tdb_authalgxform = 0x0, tdb_compalgxform = 0x0, tdb_cryptoid = 0, alg_auth = 0 '\0', alg_enc = 0 '\0', alg_comp = 0 '\0', state = 0 '\0', lft_c = 0x0, lft_h = 0x0, lft_s = 0x0, created = 0, firstused = 0, chain = {tqe_next = 0x0, tqe_prev = 0x0}, spihash = {le_next = 0x0, le_prev = 0x0}, drainq = {le_next = 0x0, le_prev = 0x0}, cntr = 0, refcnt = 0} (kgdb) print sav->sah $3 = (struct secashead *) 0x0 (Note: refcnt is 0, the first five integer fields decode as printable ASCII when read as little-endian bytes, and every other field is zero, which is consistent with this secasvar having been freed and its memory reused before key_setdumpsa dereferenced it.) Fatal trap 12: page fault while in kernel mode cpuid = 1; apic id = 01 fault virtual address = 0x50 fault code = supervisor write data, page not present
instruction pointer =3D 0x20:0xffffffff8106e168 stack pointer =3D 0x28:0xfffffe00002bf620 frame pointer =3D 0x28:0xfffffe00002bf630 code segment =3D base 0x0, limit 0xfffff, type 0x1b =3D DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags =3D interrupt enabled, resume, IOPL =3D 0 current process =3D 948 (sshd) trap number =3D 12 panic: page fault cpuid =3D 1 KDB: stack backtrace: #0 0xffffffff810e9be7 at kdb_backtrace+0xa7 #1 0xffffffff8107a129 at vpanic+0x249 #2 0xffffffff81079ee0 at vpanic+0 #3 0xffffffff817cb38a at trap_fatal+0x60a #4 0xffffffff817cb538 at trap_pfault+0x188 #5 0xffffffff817ca6e1 at trap+0x751 #6 0xffffffff817cb9ba at trap_check+0x4a #7 0xffffffff817a07e1 at calltrap+0x8 #8 0xffffffff8106defd at chglimit+0x3d #9 0xffffffff8106e09b at chgkqcnt+0x3b #10 0xffffffff80fefe55 at kern_kqueue+0x75 #11 0xffffffff80fefdd7 at sys_kqueue+0x37 #12 0xffffffff817cc7b1 at syscallenter+0x961 #13 0xffffffff817cbd0a at amd64_syscall+0x2a #14 0xffffffff817a0acb at Xfast_syscall+0xfb Uptime: 45m34s Dumping 123 out of 981 MB:..13%..26%..39%..52%..65%..78%..91% Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from /usr/lib/debug//boot/kernel/ng_socket.ko.debug...done. done. Loaded symbols for /boot/kernel/ng_socket.ko Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from /usr/lib/debug//boot/kernel/netgraph.ko.debug...done. done. Loaded symbols for /boot/kernel/netgraph.ko Reading symbols from /boot/kernel/ng_mppc.ko...Reading symbols from /usr/lib/debug//boot/kernel/ng_mppc.ko.debug...done. done. Loaded symbols for /boot/kernel/ng_mppc.ko Reading symbols from /boot/kernel/rc4.ko...Reading symbols from /usr/lib/debug//boot/kernel/rc4.ko.debug...done. done. Loaded symbols for /boot/kernel/rc4.ko #0 doadump (textdump=3D1) at /usr/src/sys/kern/kern_shutdown.c:298 298 dumptid =3D curthread->td_tid; (kgdb) list *0xffffffff8106e168 0xffffffff8106e168 is in atomic_fetchadd_long (atomic.h:263). 
258 */ 259 static __inline u_long 260 atomic_fetchadd_long(volatile u_long *p, u_long v) 261 { 262 263 __asm __volatile( 264 " " MPLOCKED " " 265 " xaddq %0,%1 ; " 266 "# atomic_fetchadd_long" 267 : "+r" (v), /* 0 */ Current language: auto; currently minimal (kgdb) backtrace #0 doadump (textdump=3D1) at /usr/src/sys/kern/kern_shutdown.c:298 #1 0xffffffff81079668 in kern_reboot (howto=3D260) at /usr/src/sys/kern/kern_shutdown.c:366 #2 0xffffffff8107a17f in vpanic (fmt=3D0xffffffff81b40308 "%s", ap=3D0xfffffe00002befd0) at /usr/src/sys/kern/kern_shutdown.c:759 #3 0xffffffff81079ee0 in panic (fmt=3D0xffffffff81b40308 "%s") at /usr/src/sys/kern/kern_shutdown.c:690 #4 0xffffffff817cb38a in trap_fatal (frame=3D0xfffffe00002bf560, eva=3D80)= at /usr/src/sys/amd64/amd64/trap.c:801 #5 0xffffffff817cb538 in trap_pfault (frame=3D0xfffffe00002bf560, usermode= =3D0) at /usr/src/sys/amd64/amd64/trap.c:683 #6 0xffffffff817ca6e1 in trap (frame=3D0xfffffe00002bf560) at /usr/src/sys/amd64/amd64/trap.c:421 #7 0xffffffff817cb9ba in trap_check (frame=3D0xfffffe00002bf560) at /usr/src/sys/amd64/amd64/trap.c:602 #8 0xffffffff817a07e1 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:236 #9 0xffffffff8106e168 in atomic_fetchadd_long (p=3D0x50, v=3D1) at atomic.= h:268 #10 0xffffffff8106defd in chglimit (uip=3D0x0, limit=3D0x50, diff=3D1, max=3D9223372036854775807, name=3D0xffffffff81e06486 "kqcnt") at /usr/src/sys/kern/kern_resource.c:1376 #11 0xffffffff8106e09b in chgkqcnt (uip=3D0x0, diff=3D1, max=3D922337203685= 4775807) at /usr/src/sys/kern/kern_resource.c:1433 #12 0xffffffff80fefe55 in kern_kqueue (td=3D0xfffff8000364e000, flags=3D0, fcaps=3D0x0) at /usr/src/sys/kern/kern_event.c:837 #13 0xffffffff80fefdd7 in sys_kqueue (td=3D0xfffff8000364e000, uap=3D0xfffffe00002bfa58) at /usr/src/sys/kern/kern_event.c:813 #14 0xffffffff817cc7b1 in syscallenter (td=3D0xfffff8000364e000, sa=3D0xfffffe00002bfa48) at subr_syscall.c:135 #15 0xffffffff817cbd0a in amd64_syscall 
(td=0xfffff8000364e000, traced=0) at /usr/src/sys/amd64/amd64/trap.c:902 #16 0xffffffff817a0acb in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:396 #17 0x00000008021aae9a in ?? () Previous frame inner to this frame (corrupt stack?) (kgdb) frame 12 #12 0xffffffff80fefe55 in kern_kqueue (td=0xfffff8000364e000, flags=0, fcaps=0x0) at /usr/src/sys/kern/kern_event.c:837 837 if (!chgkqcnt(cred->cr_ruidinfo, 1, lim_cur(td, RLIMIT_KQUEUES))) (kgdb) list 832 struct ucred *cred; 833 int fd, error; 834 835 fdp = td->td_proc->p_fd; 836 cred = td->td_ucred; 837 if (!chgkqcnt(cred->cr_ruidinfo, 1, lim_cur(td, RLIMIT_KQUEUES))) 838 return (ENOMEM); 839 840 error = falloc_caps(td, &fp, &fd, flags, fcaps); 841 if (error != 0) { (kgdb) print *td $1 = {td_lock = 0xffffffff825e8d00, td_proc = 0xfffff8000333f000, td_plist = {tqe_next = 0x0, tqe_prev = 0xfffff8000333f010}, td_runq = {tqe_next = 0xfffff80003e80560, tqe_prev = 0xffffffff825e8f88}, td_slpq = {tqe_next = 0x0, tqe_prev = 0xfffff80003323480}, td_lockq = {tqe_next = 0x0, tqe_prev = 0x0}, td_hash = {le_next = 0x0, le_prev = 0xfffffe0000d4c7b8}, td_cpuset = 0xfffff800032ce000, td_sel = 0xfffff800032d8680, td_sleepqueue = 0xfffff80003323480, td_turnstile = 0xfffff8000320f540, td_rlqe = 0xfffff80003874820, td_umtxq = 0xfffff80003642c80, td_vm_dom_policy = {seq = 0, p = { policy = VM_POLICY_NONE, domain = -1}}, td_tid = 100087, padding1 = 0xfffff8000364e0a0, padding2 = 0xfffff8000364e0c0, td_lend_user_pri = 255 '?', td_flags = 67174406, td_inhibitors = 0, td_pflags = 0, td_dupfd = 0, td_sqqueue = 0, td_wchan = 0x0, td_wmesg = 0x0, td_owepreempt = 0 '\0', td_tsqueue = 0 '\0', td_locks = 0, td_rw_rlocks = 0, td_lk_slocks = 0, td_stopsched = 1, td_blocked = 0x0, td_lockname = 0x0, td_contested = {lh_first = 0x0}, td_sleeplocks = 0x0, td_intr_nesting_level = 0, td_pinned = 0,
td_ucred =3D 0xfffff8000390f700, td_limit =3D 0xfffff800= 0381b400, td_slptick =3D 0, td_blktick =3D 0, td_swvoltick =3D -2145350148, td_swinvoltick =3D -2145350138, td_cow =3D = 127, td_ru =3D {ru_utime =3D {tv_sec =3D 0, tv_usec =3D 0}, ru_stime =3D { tv_sec =3D 0, tv_usec =3D 0}, ru_maxrss =3D 7268, ru_ixrss =3D 592, r= u_idrss =3D 80, ru_isrss =3D 256, ru_minflt =3D 274, ru_majflt =3D 0, ru_nswap =3D 0, ru_inblock =3D 0, ru_oublock =3D 0, ru_msgsnd =3D 0, ru= _msgrcv =3D 2, ru_nsignals =3D 0, ru_nvcsw =3D 1, ru_nivcsw =3D 1}, td_rux =3D {rux_runtime =3D 0, rux_uticks =3D 0, rux_sticks =3D 0, rux_it= icks =3D 0, rux_uu =3D 0, rux_su =3D 0, rux_tu =3D 0}, td_incruntime =3D 44205853, td_runtime =3D 44205853, td_pticks =3D 1, td_= sticks =3D 1, td_iticks =3D 0, td_uticks =3D 1, td_intrval =3D 0, td_oldsigmask =3D {__bits =3D 0xfffff8000364e254}, td_generation =3D 2, t= d_sigstk =3D {ss_sp =3D 0x0, ss_size =3D 0, ss_flags =3D 4}, td_xsig =3D 0, td_profil_addr =3D 0, td_profil_ticks =3D 0, td_name =3D 0xfffff8000364e294 "sshd", td_fpop =3D 0x0, td_dbgflags =3D 0, td_dbgksi =3D {ksi_link =3D {tqe_next =3D 0x0, tqe_prev =3D 0x0}, ksi_inf= o =3D {si_signo =3D 0, si_errno =3D 0, si_code =3D 0, si_pid =3D 0, si_uid =3D 0, si_status =3D 0, si_addr =3D 0x0, si_value =3D {sival_i= nt =3D 0, sival_ptr =3D 0x0, sigval_int =3D 0, sigval_ptr =3D 0x0}, _reason =3D {_fault =3D {_trapno =3D 0}, _timer =3D {_timerid =3D 0, = _overrun =3D 0}, _mesgq =3D {_mqd =3D 0}, _poll =3D {_band =3D 0}, __spare__ =3D {__spare1__ =3D 0, __spare2__ =3D 0xfffff8000364e2f8}= }}, ksi_flags =3D 0, ksi_sigq =3D 0x0}, td_ng_outbound =3D 0, td_osd =3D {osd_nslots =3D 0, osd_slots =3D 0x0, osd_next =3D {le_next = =3D 0x0, le_prev =3D 0x0}}, td_map_def_user =3D 0x0, td_dbg_forked =3D 0, td_vp_reserv =3D 0, td_no_sleeping =3D 0, td_dom_rr_idx =3D 0, td_su =3D = 0x0, td_rtcgen =3D 0, td_sigmask =3D {__bits =3D 0xfffff8000364e374}, td_rqindex =3D 30 '\036', td_base_pri =3D 120 'x', td_priority =3D 120 'x= ', 
td_pri_class =3D 3 '\003', td_user_pri =3D 121 'y', td_base_user_pri =3D 121 'y', td_dbg_sc_code =3D 0, td_dbg_sc_narg =3D 0, td_rb_list =3D 0, td_rbp_list =3D 0, td_rb_inact =3D 0, td_pcb =3D 0xfffffe00002bfb80, td_state =3D TDS_RUNNING, td_uretoff =3D {= tdu_retval =3D 0xfffff8000364e3c0, tdu_off =3D 0}, td_cowgen =3D 1, td_slpcallout =3D {c_links =3D {le =3D {le_next =3D 0x0, le_prev =3D 0xfffff8001317d3d8}, sle =3D {sle_next =3D 0x0}, tqe =3D {tqe_next =3D 0x0, tqe_prev =3D 0xfffff8001317d3d8}}, c_time =3D 8284352236906, c_prec= ision =3D 16106127360, c_arg =3D 0xfffff8000364e000, c_func =3D 0xffffffff811018e0 <sleepq_timeout>, c_lock =3D 0x0, c_flags= =3D 0, c_iflags =3D 272, c_cpu =3D 0}, td_frame =3D 0xfffffe00002bfac0, td_kstack_obj =3D 0xfffff800037b8a50, td= _kstack =3D 18446741874689163264, td_kstack_pages =3D 4, td_critnest =3D 1, td_md =3D {md_spinlock_count =3D 1, md_saved_flags =3D= 646, md_spurflt_addr =3D 34427155648, md_invl_gen =3D {gen =3D 0, link =3D {le_next =3D 0x0, le_prev =3D 0xffffffff826df868}}}, td_ar = =3D 0x0, td_lprof =3D 0xfffff8000364e470, td_dtrace =3D 0xfffff80003e35600, td_errno =3D 0, td_vnet =3D 0x0, td_vne= t_lpush =3D 0x0, td_intr_frame =3D 0x0, td_rfppwait_p =3D 0xfffff8000396d588, td_ma =3D 0x0, td_ma_cnt =3D 0, td_= emuldata =3D 0x0, td_lastcpu =3D 1, td_oncpu =3D 1, td_sleeptimo =3D 0, ---Type <return> to continue, or q <return> to quit--- td_sigqueue =3D {sq_signals =3D {__bits =3D 0xfffff8000364e4d8}, sq_kill = =3D {__bits =3D 0xfffff8000364e4e8}, sq_ptrace =3D { __bits =3D 0xfffff8000364e4f8}, sq_list =3D {tqh_first =3D 0x0, tqh_l= ast =3D 0xfffff8000364e508}, sq_proc =3D 0xfffff8000333f000, sq_flags =3D 1}} (kgdb) print *cred $2 =3D {cr_ref =3D 2178945375, cr_uid =3D 4294967295, cr_ruid =3D 21168128,= cr_svuid =3D 0, cr_ngroups =3D 0, cr_rgid =3D 0, cr_svgid =3D 4, cr_uidinfo =3D 0x0, cr_ruidinfo =3D 0x0, cr_prison =3D 0xfffff800130f3060, cr_loginclass =3D 0xfffff80013032d80, cr_flags =3D 318975384, cr_pspare2 =3D 
0xfffff8000390f748, cr_label = 0x0, cr_audit = {ai_auid = 0, ai_mask = {am_success = 0, am_failure = 2164206432}, ai_termid = {at_port = 4294967295, at_type = 2164206608, at_addr = 0xfffff8000390f774}, ai_asid = -1, ai_flags = 18446735277676361472}, cr_groups = 0x0, cr_agroups = 0, cr_smallgroups = 0xfffff8000390f79c} Thank you for looking at this!! -- You are receiving this mail because: You are the assignee for the bug.