From owner-freebsd-bugs@FreeBSD.ORG Fri Nov 25 17:30:41 2005 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8559B16A41F for ; Fri, 25 Nov 2005 17:30:41 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B564843D93 for ; Fri, 25 Nov 2005 17:30:04 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id jAPHU3Jn007083 for ; Fri, 25 Nov 2005 17:30:03 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id jAPHU3oJ007082; Fri, 25 Nov 2005 17:30:03 GMT (envelope-from gnats) Resent-Date: Fri, 25 Nov 2005 17:30:03 GMT Resent-Message-Id: <200511251730.jAPHU3oJ007082@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Gleb Kozyrev Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 271DF16A420 for ; Fri, 25 Nov 2005 17:21:40 +0000 (GMT) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [216.136.204.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id 58CB143D88 for ; Fri, 25 Nov 2005 17:21:30 +0000 (GMT) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.13.1/8.13.1) with ESMTP id jAPHLUZ2071583 for ; Fri, 25 Nov 2005 17:21:30 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.13.1/8.13.1/Submit) id jAPHLUFE071582; Fri, 25 Nov 2005 17:21:30 GMT (envelope-from nobody) Message-Id: <200511251721.jAPHLUFE071582@www.freebsd.org> Date: Fri, 25 Nov 2005 17:21:30 GMT From: Gleb Kozyrev To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-2.3 Cc: Subject: kern/89538: [tty] [panic] triggered by "sysctl -a" X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Nov 2005 17:30:41 -0000 >Number: 89538 >Category: kern >Synopsis: [tty] [panic] triggered by "sysctl -a" >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Nov 25 17:30:03 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Gleb Kozyrev >Release: FreeBSD 6.0-RELEASE i386 >Organization: >Environment: FreeBSD localhost 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Wed Nov 2 14:36:19 EET 2005 root@localhost:/usr/obj/usr/src/sys/DDB i386 >Description: After 14 days of uptime I ran "sysctl -a" and it triggered a panic. In ddb: =========Beginning of the citation============== db> bt Tracing pid 15840 tid 100071 td 0xc1553600 dev2udev(c20bf300,88,0,0,0) at dev2udev+0x11 sysctl_kern_ttys(c08d4500,0,0,cc865c04,c08d4500) at sysctl_kern_ttys+0xdf sysctl_root(0,cc865c74,2,cc865c04,c1553600) at sysctl_root+0x107 userland_sysctl(c1553600,cc865c74,2,0,bfbfd5bc) at userland_sysctl+0xec __sysctl(c1553600,cc865d04,6,a,296) at __sysctl+0x93 syscall(3b,3b,bfbf003b,2,bfbfd5bc) at syscall+0x2b7 Xint0x80_syscall() at Xint0x80_syscall+0x1f --- syscall (202, FreeBSD ELF32, __sysctl), eip = 0x280b7a33, esp = 0xbfbfd52c, ebp = 0xbfbfd568 --- =========The end of the citation================ After call doadump() and reboot: =========Beginning of the citation============== [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"] GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-marcel-freebsd". Unread portion of the kernel message buffer: Fatal trap 12: page fault while in kernel mode fault virtual address = 0xbf fault code = supervisor read, page not present instruction pointer = 0x20:0xc05f46ed stack pointer = 0x28:0xcc865b18 frame pointer = 0x28:0xcc865b18 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 15840 (sysctl) Dumping 127 MB (3 chunks) chunk 0: 1MB (159 pages) ... ok chunk 1: 64MB (16381 pages) 49 33 17 ... ok chunk 2: 63MB (16128 pages) 48 32 16 #0 doadump () at pcpu.h:165 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td)); (kgdb) bt full #0 doadump () at pcpu.h:165 No locals. #1 0xc0468487 in db_fncall (dummy1=-1063902272, dummy2=0, dummy3=0, dummy4=0xcc865944 "pY\206û\224C\177■\\Y\206û`Y\206û\222\a") at /usr/src/sys/ddb/db_command.c:492 fn_addr = -1067198068 args = {1, 0, 545675548, -1065401452, -863610616, -863610612, 1938, 1938, 2, -1064703968} nargs = 0 retval = 0 t = 0 #2 0xc046828c in db_command (last_cmdp=0xc09181c4, cmd_table=0x0, aux_cmd_tablep=0xc089589c, aux_cmd_tablep_end=0xc08958b8) at /usr/src/sys/ddb/db_command.c:350 cmd = (struct command *) 0xc089e9c0 t = 0 modif = "pY\206û\224C\177■\\Y\206û`Y\206û\222\a\000\000▄\003\000\000\220Y\206û\f\000\000\000|Y\206û▄\003\000\000\200Y\206ûQª~■▄\003\000\000▄ \003\000\000\r\000\000\000ìY\206ûBº~■\220Y\206û▄\003\000\000\f\000\017\003x\000\000\000■\212\221■\f\000\000\000+Y\206û\004?F■\235;\2 07■?\237F■\f\000\000\000■\212\221■│\227F■" addr = -1063902272 count = 0 have_addr = 0 result = 0 #3 0xc0468354 in db_command_loop () at /usr/src/sys/ddb/db_command.c:458 No locals. #4 0xc0469f61 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221 jb = {{_jb = {-863610372, -863610392, -863610320, -863610152, 12, -1069113606, 12, -863610296, -1067089549, -1064761795, -1067089416, -863610316}}} prev_jb = (void *) 0x0 bkpt = 0 #5 0xc065666b in kdb_trap (type=12, code=0, tf=0xcc865ad8) at /usr/src/sys/kern/subr_kdb.c:473 handled = -863610152 #6 0xc08104b0 in trap_fatal (frame=0xcc865ad8, eva=191) at /usr/src/sys/i386/i386/trap.c:822 eflags = 514 code = 514 type = 12 ss = 514 esp = 0 softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_xx = 2, ssd_xx1 = 2, ssd_def32 = 1, ssd_gran = 1} #7 0xc081021f in trap_pfault (frame=0xcc865ad8, usermode=0, eva=191) at /usr/src/sys/i386/i386/trap.c:742 va = 0 vm = (struct vmspace *) 0x0 map = 0xc1598708 rv = 1 ftype = 1 '\001' td = (struct thread *) 0xc1553600 p = (struct proc *) 0xc155620c #8 0xc080fe19 in trap (frame= {tf_fs = -863633400, tf_es = 40, tf_ds = -863633368, tf_edi = -863609988, tf_esi = -1052413952, tf_ebp = -863610088, tf_isp = -863610108, tf_ebx = -1052413952, tf_edx = -1039404288, tf_ecx = 0, tf_eax = -1, tf_trapno = 12, tf_err = 0, tf_eip = -1067497747, tf_cs = 32, tf_eflags = 66182, tf_esp = -863609920, tf_ss = -1066996549}) at /usr/src/sys/i386/i386/trap.c:432 td = (struct thread *) 0xc1553600 p = (struct proc *) 0xc155620c sticks = 3431357272 i = 0 ucode = 0 type = 12 code = 0 eva = 191 #9 0xc07ff31a in calltrap () at /usr/src/sys/i386/i386/exception.s:139 No locals. #10 0xc05f46ed in dev2udev (x=0xc20bf300) at /usr/src/sys/fs/devfs/devfs_vnops.c:1145 No locals. #11 0xc066ecbb in sysctl_kern_ttys (oidp=0xc08d4500, arg1=0x0, arg2=0, req=0xcc865c04) at /usr/src/sys/kern/tty.c:3040 tp = (struct tty *) 0xc1457000 tp2 = (struct tty *) 0xc1457000 xt = {xt_size = 136, xt_rawcc = 0, xt_cancc = 0, xt_outcc = 0, xt_line = 0, xt_dev = 0, xt_state = 0, xt_flags = 0, xt_timeout = 0, xt_pgid = 0, xt_sid = 0, xt_termios = {c_iflag = 0, c_oflag = 0, c_cflag = 0, c_lflag = 0, c_cc = '\0' , c_ispeed = 0, c_ospeed = 0}, xt_winsize = { ws_row = 0, ws_col = 0, ws_xpixel = 0, ws_ypixel = 0}, xt_column = 0, xt_rocount = 0, xt_rocol = 0, xt_ififosize = 0, xt_ihiwat = 0, xt_ilowat = 0, xt_ispeedwat = 0, xt_ohiwat = 0, xt_olowat = 0, xt_ospeedwat = 0} error = -1052413952 #12 0xc0645c63 in sysctl_root (oidp=0x0, arg1=0x0, arg2=0, req=0xcc865c04) at /usr/src/sys/kern/kern_sysctl.c:1248 oid = (struct sysctl_oid *) 0xc08d4500 error = -1 indx = 2 lvl = -1 #13 0xc0645e60 in userland_sysctl (td=0xffffffff, name=0xcc865c74, namelen=2, old=0xcc865c04, oldlenp=0xbfbfd5bc, inkernel=0, new=0x0, newlen=4294967295, retval=0xcc865c70, flags=-1) at /usr/src/sys/kern/kern_sysctl.c:1347 error = -1077946948 req = {td = 0xc1553600, lock = 1, oldptr = 0x0, oldlen = 0, oldidx = 3536, oldfunc = 0xc06459a4 , newptr = 0x0, newlen = 0, newidx = 0, newfunc = 0xc0645a10 , validlen = 0, flags = 0} #14 0xc0645d03 in __sysctl (td=0xc1553600, uap=0xcc865d04) at /usr/src/sys/kern/kern_sysctl.c:1282 error = -1051368948 name = {1, 533, 1, 533, -1, -1, 0, -1048488688, -1051368948, 0, -1051380224, -863609636, -1067059971, -1051380224, 1, -863609668, -1051368948, -1051380224, -863609544, -863609640, -1067068430, -1051380224, -1051368948, 0} j = 10 #15 0xc08107ff in syscall (frame= {tf_fs = 59, tf_es = 59, tf_ds = -1078001605, tf_edi = 2, tf_esi = -1077946948, tf_ebp = -1077947032, tf_isp = -863609500, tf_ebx = 672367844, tf_edx = 0, tf_ecx = -1077944736, tf_eax = 202, tf_trapno = 0, tf_err = 2, tf_eip = 671840819, tf_cs = 51, tf_eflags = 662, tf_esp = -1077947092, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:976 params = 0xbfbfd530
callp = (struct sysent *) 0xc08cb8d8 td = (struct thread *) 0xc1553600 p = (struct proc *) 0xc155620c orig_tf_eflags = 662 sticks = 10 error = 0 narg = 6 args = {-1077944736, 2, 0, -1077946948, 0, 0, -863609548, 672367844} code = 202 #16 0xc07ff36f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200 No locals. #17 0x00000033 in ?? () No symbol table info available. Previous frame inner to this frame (corrupt stack?) =========The end of the citation================ >How-To-Repeat: >Fix: Antoine Pelisse wrote on Mon, 21 Nov 2005 12:41:40 +0000: AP> This is probably the same kind of panic that Don Lewis fixed lately in AP> fill_kinfo_proc() and it should certainly be fixed the same way. AP> We really can't release the lock in the loop and should look in the code AP> for other occurrences of this mistake as it's really likely that it will AP> trigger other panics in the future. >Release-Note: >Audit-Trail: >Unformatted: