Date: Sat, 21 Jan 2006 17:56:51 +0200 (EET)
From: "Dmitry A. Yanko" <fm@cross-road.org.ua>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/92183: kernel panic near readlink syscall
Message-ID: <200601211556.k0LFupcm015455@xeon.hvosting.kiev.ua>
Resent-Message-ID: <200601230520.k0N5K59R063962@freefall.freebsd.org>

>Number: 92183
>Category: kern
>Synopsis: kernel panic near readlink syscall
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 23 05:20:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Dmitry A. Yanko
>Release: FreeBSD 6.0-STABLE i386
>Organization:
>Environment:
System: FreeBSD xeon 6.0-STABLE FreeBSD 6.0-STABLE #0: Thu Jan 19 23:19:48 MSK 2006 root@xeon:/usr/obj/usr/src/sys/SMP.xeon i386

Dual XEON, SMP+HT
>Description:
Kernel config:

#
# SMP -- Generic kernel configuration file for FreeBSD/i386 SMP
# Use this for multi-processor machines
#
# $FreeBSD: src/sys/i386/conf/SMP,v 1.5.6.1 2005/09/18 03:37:58 scottl Exp $

include GENERIC
ident SMP-GENERIC

# To make an SMP kernel, the next line is needed
options SMP # Symmetric MultiProcessor Kernel
#options COMPAT_IA32 # Compatible with i386 binaries
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
#options COMPAT_LINUX32 # Compatible with i386 linux binaries
options SYSVSHM
options SYSVSEM
options SYSVMSG
options SHMMAXPGS=65536
options SEMMNI=40
options SEMMNS=240
options SEMUME=40
options SEMMNU=120

=== dmesg.boot

Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 6.0-STABLE #0: Thu Jan 19 23:19:48 MSK 2006
root@xeon:/usr/obj/usr/src/sys/SMP.xeon
WARNING: MPSAFE network stack disabled, expect reduced performance.
ACPI APIC Table: <A M I OEMAPIC >
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(TM) CPU 2.80GHz (2793.01-MHz 686-class CPU)
  Origin = "GenuineIntel" Id = 0xf41 Stepping = 1
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x641d<SSE3,RSVD2,MON,DS_CPL,CNTX-ID,CX16,<b14>>
  AMD Features=0x20100000<NX,LM>
  Hyperthreading: 2 logical CPUs
real memory = 2147352576 (2047 MB)
avail memory = 2096332800 (1999 MB)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
 cpu0 (BSP): APIC ID: 0
 cpu1 (AP): APIC ID: 1
 cpu2 (AP): APIC ID: 6
 cpu3 (AP): APIC ID: 7
ioapic0 <Version 2.0> irqs 0-23 on motherboard
ioapic1 <Version 2.0> irqs 24-47 on motherboard
ioapic2 <Version 2.0> irqs 48-71 on motherboard
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
acpi0: <A M I OEMRSDT> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_throttle0: <ACPI CPU Throttling> on cpu0
cpu1: <ACPI CPU> on acpi0
acpi_throttle1: <ACPI CPU Throttling> on cpu1
cpu2: <ACPI CPU> on acpi0
cpu3: <ACPI CPU> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pci0: <unknown> at device 0.1 (no driver attached)
pci0: <base peripheral> at device 1.0 (no driver attached)
pcib1: <ACPI PCI-PCI bridge> irq 16 at device 2.0 on pci0
pci1: <ACPI PCI bus> on pcib1
pcib2: <ACPI PCI-PCI bridge> at device 0.0 on pci1
pci2: <ACPI PCI bus> on pcib2
mpt0: <LSILogic 1030 Ultra4 Adapter> port 0xc800-0xc8ff mem 0xdedc0000-0xdedcffff,0xdedb0000-0xdedbffff irq 26 at device 5.0 on pci2
mpt0: [GIANT-LOCKED]
mpt0: MPI Version=1.2.14.0
mpt0: Unhandled Event Notify Frame. Event 0xa.
mpt0: Capabilities: ( RAID-1E RAID-1 SAFTE )
mpt0: 0 Active Volumes (1 Max)
mpt0: 0 Hidden Drive Members (6 Max)
mpt1: <LSILogic 1030 Ultra4 Adapter> port 0xcc00-0xccff mem 0xdedf0000-0xdedfffff,0xdede0000-0xdedeffff irq 25 at device 5.1 on pci2
mpt1: [GIANT-LOCKED]
mpt1: MPI Version=1.2.14.0
mpt1: Unhandled Event Notify Frame. Event 0xa.
mpt1: Capabilities: ( RAID-1E RAID-1 SAFTE )
mpt1: 0 Active Volumes (1 Max)
mpt1: 0 Hidden Drive Members (6 Max)
pci1: <base peripheral, interrupt controller> at device 0.1 (no driver attached)
pcib3: <ACPI PCI-PCI bridge> at device 0.2 on pci1
pci3: <ACPI PCI bus> on pcib3
em0: <Intel(R) PRO/1000 Network Connection Version - 3.2.18> port 0xdc00-0xdc3f mem 0xdeea0000-0xdeebffff irq 54 at device 4.0 on pci3
em0: [GIANT-LOCKED]
em0: Ethernet address: 00:04:23:b3:29:72
em1: <Intel(R) PRO/1000 Network Connection Version - 3.2.18> port 0xdc80-0xdcbf mem 0xdeee0000-0xdeefffff irq 55 at device 4.1 on pci3
em1: [GIANT-LOCKED]
em1: Ethernet address: 00:04:23:b3:29:73
pci1: <base peripheral, interrupt controller> at device 0.3 (no driver attached)
pcib4: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci4: <ACPI PCI bus> on pcib4
pci4: <display, VGA> at device 12.0 (no driver attached)
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel ICH5 UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xfc00-0xfc0f at device 31.1 on pci0
ata0: <ATA channel 0> on atapci0
ata1: <ATA channel 1> on atapci0
pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
acpi_button0: <Power Button> on acpi0
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
pmtimer0 on isa0
orm0: <ISA Option ROMs> at iomem 0xc0000-0xca7ff,0xca800-0xce7ff,0xce800-0xcf7ff,0xcf800-0xd07ff,0xdc000-0xdffff on isa0
ppc0: parallel port not found.
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounters tick every 1.000 msec
Waiting 5 seconds for SCSI devices to settle
ses0 at mpt0 bus 0 target 6 lun 0
ses0: <ESG-SHV SCA HSBP M30 1.06> Fixed Processor SCSI-2 device
ses0: 3.300MB/s transfers
ses0: SAF-TE Compliant Device
da0 at mpt0 bus 0 target 0 lun 0
da0: <SEAGATE ST336607LC 0007> Fixed Direct Access SCSI-3 device
da0: 320.000MB/s transfers (160.000MHz, offset 63, 16bit), Tagged Queueing Enabled
da0: 35003MB (71687372 512 byte sectors: 255H 63S/T 4462C)
da1 at mpt0 bus 0 target 1 lun 0
da1: <SEAGATE ST336607LC 0007> Fixed Direct Access SCSI-3 device
da1: 320.000MB/s transfers (160.000MHz, offset 63, 16bit), Tagged Queueing Enabled
da1: 35003MB (71687372 512 byte sectors: 255H 63S/T 4462C)
SMP: AP CPU #2 Launched!
SMP: AP CPU #1 Launched!
SMP: AP CPU #3 Launched!
Trying to mount root from ufs:/dev/da0s1a
WARNING: / was not properly dismounted
WARNING: /usr was not properly dismounted
WARNING: /var was not properly dismounted
WARNING: /var/log was not properly dismounted
WARNING: /var/tmp was not properly dismounted
WARNING: /.1 was not properly dismounted
WARNING: /.2 was not properly dismounted
/.2: mount pending error: blocks 44 files 2
WARNING: /.3 was not properly dismounted
/.3: mount pending error: blocks 445088 files 0
em0: link state changed to UP

=== kgdb output:

Unread portion of the kernel message buffer:

Fatal trap 12: page fault while in kernel mode
cpuid = 2; apic id = 06
fault virtual address = 0x98
fault code = supervisor write, page not present
instruction pointer = 0x20:0xc0707a67
stack pointer = 0x28:0xe8e3f730
frame pointer = 0x28:0xe8e3f774
code segment = base 0x0, limit 0xfffff, type 0x1b
 = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 55393 (dcpumon)
trap number = 12
panic: page fault
cpuid = 1
Uptime: 1h21m55s
Dumping 2047 MB (2 chunks)
 chunk 0: 1MB (158 pages) ... ok
 chunk 1: 2047MB (524000 pages) 2031 2015 1999 1983 1967 1951 1935 1919 1903 1887 1871 1855 1839 1823 1807 1791 1775 1759 1743 1727 1711 1695 1679 1663 1647 1631 1615 1599 1583 1567 1551 1535 1519 1503 1487 1471 1455 1439 1423 1407 1391 1375 1359 1343 1327 1311 1295 1279 1263 1247 1231 1215 1199 1183 1167 1151 1135 1119 1103 1087 1071 1055 1039 1023 1007 991 975 959 943 927 911 895 879 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0 doadump () at pcpu.h:165
165	__asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb)
(kgdb) bt
#0 doadump () at pcpu.h:165
#1 0xc0690bab in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
#2 0xc0690f5c in panic (fmt=0xc08fffae "%s") at /usr/src/sys/kern/kern_shutdown.c:555
#3 0xc08b487d in trap_fatal (frame=0xe8e3f6f0, eva=0) at /usr/src/sys/i386/i386/trap.c:836
#4 0xc08b4571 in trap_pfault (frame=0xe8e3f6f0, usermode=0, eva=152) at /usr/src/sys/i386/i386/trap.c:744
#5 0xc08b4137 in trap (frame=
      {tf_fs = -1056636920, tf_es = -1056636888, tf_ds = -387776472, tf_edi = 4, tf_esi = 0, tf_ebp = -387713164, tf_isp = -387713252, tf_ebx = 4098, tf_edx = -964568448, tf_ecx = 0, tf_eax = 4, tf_trapno = 12, tf_err = 2, tf_eip = -1066370457, tf_cs = 32, tf_eflags = 66118, tf_esp = -387713016, tf_ss = 997})
    at /usr/src/sys/i386/i386/trap.c:434
#6 0xc089f1ba in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7 0xc0707a67 in vn_lock (vp=0x0, flags=4098, td=0xc681da80) at atomic.h:149
#8 0xc0642306 in procfs_doprocfile (td=0xc681da80, p=0xc7081000, pn=0xc6690d80, sb=0x4, uio=0x0) at /usr/src/sys/fs/procfs/procfs.c:73
#9 0xc06471e8 in pfs_readlink (va=0x4) at pcpu.h:162
#10 0xc08c9182 in VOP_READLINK_APV (vop=0x4, a=0xc681da80) at vnode_if.c:1481
#11 0xc0700b4f in kern_readlink (td=0xc681da80, path=0xc681da80 "\f\202÷Æ êIÆ", pathseg=3330398848, buf=0x4 <Address 0x4 out of bounds>, bufseg=4, count=1024)
----Type <return> to continue, or q <return> to quit---
    at vnode_if.h:772
#12 0xc0700a5c in readlink (td=0x4, uap=0xc681da80) at /usr/src/sys/kern/vfs_syscalls.c:2261
#13 0xc08b4c64 in syscall (frame=
      {tf_fs = 135725115, tf_es = 135725115, tf_ds = -1078001605, tf_edi = 135507064, tf_esi = 135655436, tf_ebp = -1077940936, tf_isp = -387711644, tf_ebx = 674072692, tf_edx = -1077941960, tf_ecx = 0, tf_eax = 58, tf_trapno = 0, tf_err = 2, tf_eip = 672570948, tf_cs = 51, tf_eflags = 647, tf_esp = -1077942020, tf_ss = 59})
    at /usr/src/sys/i386/i386/trap.c:981
#14 0xc089f20f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
#15 0x00000033 in ?? ()
(kgdb)
(kgdb) list *0xc0707a67
0xc0707a67 is in vn_lock (atomic.h:149).
144	static __inline int
145	atomic_cmpset_int(volatile u_int *dst, u_int exp, u_int src)
146	{
147		int res = exp;
148
149		__asm __volatile (
150		" " __XSTRING(MPLOCKED) " "
151		" cmpxchgl %2,%1 ; "
152		" setz %%al ; "
153		" movzbl %%al,%0 ; "
(kgdb) up 10
#10 0xc08c9182 in VOP_READLINK_APV (vop=0x4, a=0xc681da80) at vnode_if.c:1481
1481		rc = vop->vop_readlink(a);
(kgdb) p vop
$1 = (struct vop_vector *) 0x4
(kgdb) p *vop
Cannot access memory at address 0x4
(kgdb) up
#11 0xc0700b4f in kern_readlink (td=0xc681da80, path=0xc681da80 "\f\202÷Æ êIÆ", pathseg=3330398848, buf=0x4 <Address 0x4 out of bounds>, bufseg=4, count=1024) at vnode_if.h:772
772		a.a_cred = cred;
(kgdb) p path
$2 = 0xc681da80 "\f\202÷Æ êIÆ"
(kgdb) p td
$3 = (struct thread *) 0xc681da80
(kgdb) p *td
$4 = {td_proc = 0xc6f7820c, td_ksegrp = 0xc649ea20, td_plist = {
    tqe_next = 0x0, tqe_prev = 0xc6f7821c}, td_kglist = {tqe_next = 0x0,
    tqe_prev = 0xc649ea2c}, td_slpq = {tqe_next = 0x0,
    tqe_prev = 0xc71f94e0}, td_lockq = {tqe_next = 0x0,
    tqe_prev = 0xe948bb6c}, td_runq = {
    tqe_next = 0x0, tqe_prev = 0x0}, td_selq = {tqh_first = 0x0,
    tqh_last = 0xc681dab0}, td_sleepqueue = 0xc71f94e0,
  td_turnstile = 0xc6b544c0, td_umtxq = 0xc6784840, td_tid = 100204,
  td_flags = 83951619, td_inhibitors = 0, td_pflags = 0, td_dupfd = 0,
  td_wchan = 0x0, td_wmesg = 0x0, td_lastcpu = 1 '\001', td_oncpu = 0 '\0',
  td_owepreempt = 0 '\0', td_locks = 1, td_blocked = 0x0, td_ithd = 0x0,
  td_lockname = 0x0, td_contested = {lh_first = 0xc6b59380},
  td_sleeplocks = 0x0, td_intr_nesting_level = 0, td_pinned = 0,
  td_mailbox = 0x0, td_ucred = 0xc8af2300, td_standin = 0x0,
  td_upcall = 0x0, td_sticks = 3173, td_uuticks = 0, td_usticks = 0,
  td_intrval = 0, td_oldsigmask = {__bits = {0, 0, 0, 0}},
  td_sigmask = {__bits = {0, 0, 0, 0}}, td_siglist = {__bits = {0, 0, 0, 0}},
  td_generation = 63, td_sigstk = {ss_sp = 0x0, ss_size = 0, ss_flags = 4},
  td_kflags = 0, td_xsig = 0, td_profil_addr = 0, td_profil_ticks = 0,
  td_base_pri = 180 '´', td_priority = 20 '\024', td_pcb = 0xe8e3fd90,
  td_state = TDS_RUNNING, td_retval = {0, -1077941960},
  td_slpcallout = {c_links = {sle = {
        sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xda424950}},
    c_time = 4873248, c_arg = 0xc681da80,
    c_func = 0xc06b530d <sleepq_timeout>, c_mtx = 0x0, c_flags = 16},
---Type <return> to continue, or q <return> to quit---
  td_frame = 0xe8e3fd38, td_kstack_obj = 0xc681e4a4, td_kstack = 3907248128,
  td_kstack_pages = 2, td_altkstack_obj = 0x0, td_altkstack = 0,
  td_altkstack_pages = 0, td_critnest = 1, td_md = {md_spinlock_count = 1,
    md_saved_flags = 582}, td_sched = 0xc681dbd4}
(kgdb) list
767		struct vop_readlink_args a;
768
769		a.a_gen.a_desc = &vop_readlink_desc;
770		a.a_vp = vp;
771		a.a_uio = uio;
772		a.a_cred = cred;
773		return (VOP_READLINK_APV(vp->v_op, &a));
774	}
775
776	struct vop_inactive_args {
(kgdb) up
#12 0xc0700a5c in readlink (td=0x4, uap=0xc681da80) at /usr/src/sys/kern/vfs_syscalls.c:2261
2261		return (kern_readlink(td, uap->path, UIO_USERSPACE, uap->buf,
(kgdb) list
2256			char *buf;
2257			int count;
2258		} */ *uap;
2259	{
2260
2261		return (kern_readlink(td, uap->path, UIO_USERSPACE, uap->buf,
2262		    UIO_USERSPACE, uap->count));
2263	}
2264
2265	int
(kgdb) p *td
Cannot access memory at address 0x4
(kgdb) p td
$5 = (struct thread *) 0x4
(kgdb) up
#13 0xc08b4c64 in syscall (frame=
      {tf_fs = 135725115, tf_es = 135725115, tf_ds = -1078001605, tf_edi = 135507064, tf_esi = 135655436, tf_ebp = -1077940936, tf_isp = -387711644, tf_ebx = 674072692, tf_edx = -1077941960, tf_ecx = 0, tf_eax = 58, tf_trapno = 0, tf_err = 2, tf_eip = 672570948, tf_cs = 51, tf_eflags = 647, tf_esp = -1077942020, tf_ss = 59})
    at /usr/src/sys/i386/i386/trap.c:981
981		error = (*callp->sy_call)(td, args);
(kgdb) list
976
977		STOPEVENT(p, S_SCE, narg);
978
979		PTRACESTOP_SC(p, td, S_PT_SCE);
980
981		error = (*callp->sy_call)(td, args);
982	}
983
984	switch (error) {
985	case 0:
(kgdb)
(kgdb) up
#14 0xc089f20f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
200		call syscall
Current language: auto; currently asm
(kgdb) list
195		movl %eax,%ds
196		movl %eax,%es
197		movl $KPSEL,%eax
198		movl %eax,%fs
199		FAKE_MCOUNT(TF_EIP(%esp))
200		call syscall
201		MEXITCOUNT
202		jmp doreti
203
204	ENTRY(fork_trampoline)
(kgdb)
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: