From owner-freebsd-current@FreeBSD.ORG  Sun Aug  9 18:21:34 2009
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D74A71065672
	for <freebsd-current@freebsd.org>; Sun,  9 Aug 2009 18:21:34 +0000 (UTC)
	(envelope-from rmacklem@uoguelph.ca)
Received: from esa-annu.mail.uoguelph.ca (esa-annu.mail.uoguelph.ca
	[131.104.91.36])
	by mx1.freebsd.org (Postfix) with ESMTP id 8DE608FC20
	for <freebsd-current@freebsd.org>; Sun,  9 Aug 2009 18:21:34 +0000 (UTC)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEAC6wfkqDaFvG/2dsb2JhbADMG4QYBYFM
X-IronPort-AV: E=Sophos;i="4.43,349,1246852800"; d="scan'208";a="42094869"
Received: from amazon.cs.uoguelph.ca ([131.104.91.198])
	by esa-annu-pri.mail.uoguelph.ca with ESMTP; 09 Aug 2009 14:21:33 -0400
Received: from localhost (localhost.localdomain [127.0.0.1])
	by amazon.cs.uoguelph.ca (Postfix) with ESMTP id A67C72100E1;
	Sun,  9 Aug 2009 14:21:33 -0400 (EDT)
X-Virus-Scanned: amavisd-new at amazon.cs.uoguelph.ca
Received: from amazon.cs.uoguelph.ca ([127.0.0.1])
	by localhost (amazon.cs.uoguelph.ca [127.0.0.1]) (amavisd-new,
	port 10024)
	with ESMTP id Rw+YTUB0P4Wv; Sun,  9 Aug 2009 14:21:32 -0400 (EDT)
Received: from muncher.cs.uoguelph.ca (muncher.cs.uoguelph.ca [131.104.91.102])
	by amazon.cs.uoguelph.ca (Postfix) with ESMTP id 9144E2100BD;
	Sun,  9 Aug 2009 14:21:32 -0400 (EDT)
Received: from localhost (rmacklem@localhost)
	by muncher.cs.uoguelph.ca (8.11.7p3+Sun/8.11.6) with ESMTP id
	n79IPS419167; Sun, 9 Aug 2009 14:25:28 -0400 (EDT)
X-Authentication-Warning: muncher.cs.uoguelph.ca: rmacklem owned process doing
	-bs
Date: Sun, 9 Aug 2009 14:25:28 -0400 (EDT)
From: Rick Macklem <rmacklem@uoguelph.ca>
X-X-Sender: rmacklem@muncher.cs.uoguelph.ca
To: Thomas Backman <serenity@exscape.org>
In-Reply-To: <598778D3-AE7B-47AF-A4F9-0D832BC1A990@exscape.org>
Message-ID: <Pine.GSO.4.63.0908091421360.18198@muncher.cs.uoguelph.ca>
References: <598778D3-AE7B-47AF-A4F9-0D832BC1A990@exscape.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: FreeBSD current <freebsd-current@freebsd.org>
Subject: Re: nmap UDP scan against 8.0-CURRENT -> fatal trap 12
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Aug 2009 18:21:35 -0000



On Sun, 9 Aug 2009, Thomas Backman wrote:

[stuff snipped]
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address   = 0x18
> fault code      = supervisor read data, page not present
> instruction pointer = 0x20:0xffffffff805d2722
> stack pointer           = 0x28:0xffffff803e76f980
> frame pointer           = 0x28:0xffffff803e76f990
> code segment        = base 0x0, limit 0xfffff, type 0x1b
> 				= DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags    = interrupt enabled, resume, IOPL = 0
> current process     = 846 (nfsd: service) [NOTE: nfsd was not in use, merely 
> running]
> panic: from debugger
> cpuid = 0
> KDB: stack backtrace:
> Uptime: 8m48s
> Physical memory: 2029 MB
> Dumping 1625 MB: ...
>
> #11 0xffffffff805dba87 in calltrap ()    at 
> /usr/src/sys/amd64/amd64/exception.S:224
> #12 0xffffffff805d2722 in xdrmbuf_inline (xdrs=0xffffff803e76fa30, len=4)
>   at /usr/src/sys/xdr/xdr_mbuf.c:302
> #13 0xffffffff805d2b90 in xdrmbuf_getlong (xdrs=0xffffff803e76fa30,
>   lp=0xffffff803e76f9e0) at /usr/src/sys/xdr/xdr_mbuf.c:147
> #14 0xffffffff805d1a4d in xdr_int (xdrs=Variable "xdrs" is not available.
> ) at /usr/src/sys/xdr/xdr.c:111
> #15 0xffffffff80554ef4 in xdr_callmsg (xdrs=0xffffff803e76fa30, 
> cmsg=0xffffff803e76fb70) at /usr/src/sys/rpc/rpc_callmsg.c:188
> #16 0xffffffff80559c60 in svc_dg_recv (xprt=Variable "xprt" is not available.
> ) at /usr/src/sys/rpc/svc_dg.c:216
> #17 0xffffffff80557910 in svc_run_internal (pool=0xffffff00027acc00,
>   ismaster=0) at /usr/src/sys/rpc/svc.c:797
> #18 0xffffffff8055811b in svc_thread_start (arg=Variable "arg" is not 
> available.
> )    at /usr/src/sys/rpc/svc.c:1198
> #19 0xffffffff80341008 in fork_exit (
>   callout=0xffffffff80558110 <svc_thread_start>, arg=0xffffff00027acc00,
>   frame=0xffffff803e76fc80) at /usr/src/sys/kern/kern_fork.c:838
> #20 0xffffffff805dbf5e in fork_trampoline ()    at 
> /usr/src/sys/amd64/amd64/exception.S:561
> #21 0x0000000000000010 in ?? ()
> #22 0x00007fffffffe710 in ?? ()
> ...
> #47 0x0000000000000000 in ?? ()
> #48 0xffffffff808acf00 in affinity ()
> #49 0xffffff0002d9d390 in ?? ()
> #50 0xffffff803e76f200 in ?? ()
> #51 0xffffff803e76f1b8 in ?? ()
> #52 0xffffff0002336720 in ?? ()
> #53 0xffffffff80391c2d in sched_switch (td=0xffffffff80558110,
>   newtd=0xffffff00027acc00, flags=Variable "flags" is not available.
> ) at /usr/src/sys/kern/sched_ule.c:1858
>
You could try this patch, which is currently in the re@ queue. I'm not
sure if it will help, since the above panic didn't seem to happen at
the beginning of xdrmbuf_inline() as I would have expected it to.

rick
--- xdr/xdr_mbuf.c.sav	2009-08-07 15:02:35.000000000 -0400
+++ xdr/xdr_mbuf.c	2009-08-07 15:03:04.000000000 -0400
@@ -282,6 +282,8 @@
  	size_t available;
  	char *p;

+	if (!m)
+		return (0);
  	if (xdrs->x_op == XDR_ENCODE) {
  		available = M_TRAILINGSPACE(m) + (m->m_len - xdrs->x_handy);
  	} else {