FreeBSD Mail Archives

Date:      Fri, 25 Nov 2005 17:21:30 GMT
From:      Gleb Kozyrev <gkozyrev@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/89538: [tty] [panic] triggered by "sysctl -a"
Message-ID:  <200511251721.jAPHLUFE071582@www.freebsd.org>
Resent-Message-ID: <200511251730.jAPHU3oJ007082@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help


>Number:         89538
>Category:       kern
>Synopsis:       [tty] [panic] triggered by "sysctl -a"
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 25 17:30:03 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Gleb Kozyrev
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
>Environment:
FreeBSD localhost 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Wed Nov 2 14:36:19 EET 2005 root@localhost:/usr/obj/usr/src/sys/DDB i386
>Description:
After 14 days of uptime I ran "sysctl -a" and it triggered a panic.
 
In ddb:
=========Beginning of the citation==============
db> bt
Tracing pid 15840 tid 100071 td 0xc1553600
dev2udev(c20bf300,88,0,0,0) at dev2udev+0x11
sysctl_kern_ttys(c08d4500,0,0,cc865c04,c08d4500) at sysctl_kern_ttys+0xdf
sysctl_root(0,cc865c74,2,cc865c04,c1553600) at sysctl_root+0x107
userland_sysctl(c1553600,cc865c74,2,0,bfbfd5bc) at userland_sysctl+0xec
__sysctl(c1553600,cc865d04,6,a,296) at __sysctl+0x93
syscall(3b,3b,bfbf003b,2,bfbfd5bc) at syscall+0x2b7
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (202, FreeBSD ELF32, __sysctl), eip = 0x280b7a33, esp = 0xbfbfd52c,
ebp = 0xbfbfd568 ---
=========The end of the citation================
 
After call doadump() and reboot:
=========Beginning of the citation==============
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
 
Unread portion of the kernel message buffer:
 
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0xbf
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc05f46ed
stack pointer           = 0x28:0xcc865b18
frame pointer           = 0x28:0xcc865b18
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 15840 (sysctl)
Dumping 127 MB (3 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 64MB (16381 pages) 49 33 17 ... ok
  chunk 2: 63MB (16128 pages) 48 32 16
 
#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt full
#0  doadump () at pcpu.h:165
No locals.
#1  0xc0468487 in db_fncall (dummy1=-1063902272, dummy2=0, dummy3=0, dummy4=0xcc865944 "pY\206û\224C\177&#9632;\\Y\206û`Y\206û\222\a")
    at /usr/src/sys/ddb/db_command.c:492
        fn_addr = -1067198068
        args = {1, 0, 545675548, -1065401452, -863610616, -863610612, 1938, 1938, 2, -1064703968}
        nargs = 0
        retval = 0
        t = 0
#2  0xc046828c in db_command (last_cmdp=0xc09181c4, cmd_table=0x0, aux_cmd_tablep=0xc089589c, aux_cmd_tablep_end=0xc08958b8)
    at /usr/src/sys/ddb/db_command.c:350
        cmd = (struct command *) 0xc089e9c0
        t = 0
        modif =
"pY\206û\224C\177&#9632;\\Y\206û`Y\206û\222\a\000\000&#9604;\003\000\000\220Y\206û\f\000\000\000|Y\206û&#9604;\003\000\000\200Y\206ûQª~&#9632;&#9604;\003\000\000&#9604;
\003\000\000\r\000\000\000ìY\206ûBº~&#9632;\220Y\206û&#9604;\003\000\000\f\000\017\003x\000\000\000&#9632;\212\221&#9632;\f\000\000\000+Y\206û\004?F&#9632;\235;\2
07&#9632;?\237F&#9632;\f\000\000\000&#9632;\212\221&#9632;&#9474;\227F&#9632;"
        addr = -1063902272
        count = 0
        have_addr = 0
        result = 0
#3  0xc0468354 in db_command_loop () at /usr/src/sys/ddb/db_command.c:458
No locals.
#4  0xc0469f61 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
        jb = {{_jb = {-863610372, -863610392, -863610320, -863610152, 12, -1069113606,
12, -863610296, -1067089549, -1064761795, -1067089416, -863610316}}}
        prev_jb = (void *) 0x0
        bkpt = 0
#5  0xc065666b in kdb_trap (type=12, code=0, tf=0xcc865ad8) at /usr/src/sys/kern/subr_kdb.c:473
        handled = -863610152
#6  0xc08104b0 in trap_fatal (frame=0xcc865ad8, eva=191) at /usr/src/sys/i386/i386/trap.c:822
        eflags = 514
        code = 514
        type = 12
        ss = 514
        esp = 0
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_xx = 2, ssd_xx1 = 2, ssd_def32 = 1,
ssd_gran = 1}
#7  0xc081021f in trap_pfault (frame=0xcc865ad8, usermode=0, eva=191) at /usr/src/sys/i386/i386/trap.c:742
        va = 0
        vm = (struct vmspace *) 0x0
        map = 0xc1598708
        rv = 1
        ftype = 1 '\001'
        td = (struct thread *) 0xc1553600
        p = (struct proc *) 0xc155620c
#8  0xc080fe19 in trap (frame=
      {tf_fs = -863633400, tf_es = 40, tf_ds = -863633368, tf_edi = -863609988, tf_esi = -1052413952, tf_ebp = -863610088, tf_isp
= -863610108, tf_ebx = -1052413952, tf_edx = -1039404288, tf_ecx = 0, tf_eax = -1, tf_trapno = 12, tf_err = 0, tf_eip = -1067497747,
tf_cs = 32, tf_eflags = 66182, tf_esp = -863609920, tf_ss = -1066996549}) at /usr/src/sys/i386/i386/trap.c:432
        td = (struct thread *) 0xc1553600
        p = (struct proc *) 0xc155620c
        sticks = 3431357272
        i = 0
        ucode = 0
        type = 12
        code = 0
        eva = 191
#9  0xc07ff31a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
No locals.
#10 0xc05f46ed in dev2udev (x=0xc20bf300) at /usr/src/sys/fs/devfs/devfs_vnops.c:1145
No locals.
#11 0xc066ecbb in sysctl_kern_ttys (oidp=0xc08d4500, arg1=0x0, arg2=0, req=0xcc865c04) at /usr/src/sys/kern/tty.c:3040
        tp = (struct tty *) 0xc1457000
        tp2 = (struct tty *) 0xc1457000
        xt = {xt_size = 136, xt_rawcc = 0, xt_cancc = 0, xt_outcc = 0, xt_line = 0, xt_dev = 0, xt_state = 0, xt_flags = 0,
xt_timeout = 0, xt_pgid = 0,
  xt_sid = 0, xt_termios = {c_iflag = 0, c_oflag = 0, c_cflag = 0, c_lflag = 0, c_cc = '\0' <repeats 19 times>, c_ispeed = 0,
c_ospeed = 0}, xt_winsize = {
    ws_row = 0, ws_col = 0, ws_xpixel = 0, ws_ypixel = 0}, xt_column = 0, xt_rocount = 0, xt_rocol = 0, xt_ififosize = 0, xt_ihiwat
= 0, xt_ilowat = 0,
  xt_ispeedwat = 0, xt_ohiwat = 0, xt_olowat = 0, xt_ospeedwat = 0}
        error = -1052413952
#12 0xc0645c63 in sysctl_root (oidp=0x0, arg1=0x0, arg2=0, req=0xcc865c04) at /usr/src/sys/kern/kern_sysctl.c:1248
        oid = (struct sysctl_oid *) 0xc08d4500
        error = -1
        indx = 2
        lvl = -1
#13 0xc0645e60 in userland_sysctl (td=0xffffffff, name=0xcc865c74, namelen=2, old=0xcc865c04, oldlenp=0xbfbfd5bc, inkernel=0,
new=0x0, newlen=4294967295,
    retval=0xcc865c70, flags=-1) at /usr/src/sys/kern/kern_sysctl.c:1347
        error = -1077946948
        req = {td = 0xc1553600, lock = 1, oldptr = 0x0, oldlen = 0, oldidx = 3536, oldfunc = 0xc06459a4 <sysctl_old_user>, newptr =
0x0, newlen = 0,
  newidx = 0, newfunc = 0xc0645a10 <sysctl_new_user>, validlen = 0, flags = 0}
#14 0xc0645d03 in __sysctl (td=0xc1553600, uap=0xcc865d04) at /usr/src/sys/kern/kern_sysctl.c:1282
        error = -1051368948
        name = {1, 533, 1, 533, -1, -1, 0, -1048488688, -1051368948, 0, -1051380224, -863609636, -1067059971, -1051380224,
1, -863609668, -1051368948,
  -1051380224, -863609544, -863609640, -1067068430, -1051380224, -1051368948, 0}
        j = 10
#15 0xc08107ff in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = -1078001605, tf_edi = 2, tf_esi = -1077946948, tf_ebp = -1077947032, tf_isp = -863609500,
tf_ebx = 672367844, tf_edx = 0, tf_ecx = -1077944736, tf_eax = 202, tf_trapno = 0, tf_err = 2, tf_eip = 671840819, tf_cs = 51,
tf_eflags = 662, tf_esp = -1077947092, tf_ss = 59})
    at /usr/src/sys/i386/i386/trap.c:976
        params = 0xbfbfd530 <Address 0xbfbfd530 out of bounds>
        callp = (struct sysent *) 0xc08cb8d8
        td = (struct thread *) 0xc1553600
        p = (struct proc *) 0xc155620c
        orig_tf_eflags = 662
        sticks = 10
        error = 0
        narg = 6
        args = {-1077944736, 2, 0, -1077946948, 0, 0, -863609548, 672367844}
        code = 202
#16 0xc07ff36f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
No locals.
#17 0x00000033 in ?? ()
No symbol table info available.
Previous frame inner to this frame (corrupt stack?)
=========The end of the citation================
>How-To-Repeat:

>Fix:
Antoine Pelisse wrote on Mon, 21 Nov 2005 12:41:40 +0000:
 
AP>  This is probably the same kind of panic that Don Lewis fixed lately in
AP> fill_kinfo_proc() and it should certainly be fixed the same way.
AP> We really can't release the lock in the loop and should look in the code
AP> for other occurrences of this mistake as it's really likely that it will
AP> trigger other panics in the future.
>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200511251721.jAPHLUFE071582>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation