kern/75381: kqueue EVFILT_PROC panics kernel
Jonas Bulow
jonas at ark.servicefactory.se
Wed Dec 22 01:30:27 PST 2004
>Number: 75381
>Category: kern
>Synopsis: kqueue EVFILT_PROC panics kernel
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 22 09:30:26 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Jonas Bulow
>Release: FreeBSD 4.11-STABLE i386
>Organization:
>Environment:
System: FreeBSD localhost.servicefactory.se 4.11-STABLE FreeBSD 4.11-STABLE #5: Mon Dec 20 20:44:39 CET 2004 root at localhost.servicefactory.se:/usr/obj/usr/src/sys/TP i386
The machine used is an IBM Thinkpad T30.
>Description:
The kernel panics when the attached program is run according to the instructions below. The trace that follows shows the fault taken in knote() while walking p_klist of the traced child (`date`, pid 302, already in p_stat 5) during SIGINT delivery; that list's first knote has a kn_selnext of 0x12342378, which lies just below the faulting address 0x123423b0.
IdlePTD at physical address 0x003b1000
initial pcb at physical address 0x002e30a0
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x123423b0
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc0153a38
stack pointer = 0x10:0xc02ba6f8
frame pointer = 0x10:0xc02ba700
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = Idle
interrupt mask = net tty bio cam
trap number = 12
panic: page fault
syncing disks...
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x30
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc01eaa44
stack pointer = 0x10:0xc02ba4e4
frame pointer = 0x10:0xc02ba4ec
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = Idle
interrupt mask = net tty bio cam
trap number = 12
panic: page fault
Uptime: 2m20s
(kgdb) bt
#0 dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
#1 0xc015ce33 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:316
#2 0xc015d258 in poweroff_wait (junk=0xc02b17cc, howto=-1070918930)
at /usr/src/sys/kern/kern_shutdown.c:595
#3 0xc0253862 in trap_fatal (frame=0xc02ba4a4, eva=48)
at /usr/src/sys/i386/i386/trap.c:974
#4 0xc0253535 in trap_pfault (frame=0xc02ba4a4, usermode=0, eva=48)
at /usr/src/sys/i386/i386/trap.c:867
#5 0xc025311f in trap (frame={tf_fs = 16, tf_es = -866844656,
tf_ds = -866844656, tf_edi = 0, tf_esi = -1041213184,
tf_ebp = -1070881556, tf_isp = -1070881584, tf_ebx = -1070792516,
tf_edx = 6866944, tf_ecx = -622237760, tf_eax = 0, tf_trapno = 12,
tf_err = 0, tf_eip = -1071732156, tf_cs = 8, tf_eflags = 66182,
tf_esp = -1041213184, tf_ss = -1041213184})
at /usr/src/sys/i386/i386/trap.c:466
#6 0xc01eaa44 in acquire_lock (lk=0xc02d00bc)
at /usr/src/sys/ufs/ffs/ffs_softdep.c:266
#7 0xc01eeb44 in softdep_update_inodeblock (ip=0xc1f05900, bp=0xcc582df8,
waitfor=0) at /usr/src/sys/ufs/ffs/ffs_softdep.c:3813
#8 0xc01e9b79 in ffs_update (vp=0xdae967c0, waitfor=0)
at /usr/src/sys/ufs/ffs/ffs_inode.c:106
#9 0xc01f35a5 in ffs_fsync (ap=0xc02ba598)
at /usr/src/sys/ufs/ffs/ffs_vnops.c:273
---Type <return> to continue, or q <return> to quit---
#10 0xc01f1e57 in ffs_sync (mp=0xc1e93600, waitfor=2, cred=0xc100b600,
p=0xc02f9520) at vnode_if.h:558
#11 0xc018f5c7 in sync (p=0xc02f9520, uap=0x0)
at /usr/src/sys/kern/vfs_syscalls.c:583
#12 0xc015cbce in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:235
#13 0xc015d258 in poweroff_wait (junk=0xc02b17cc, howto=-1070918930)
at /usr/src/sys/kern/kern_shutdown.c:595
#14 0xc0253862 in trap_fatal (frame=0xc02ba6b8, eva=305406896)
at /usr/src/sys/i386/i386/trap.c:974
#15 0xc0253535 in trap_pfault (frame=0xc02ba6b8, usermode=0, eva=305406896)
at /usr/src/sys/i386/i386/trap.c:867
#16 0xc025311f in trap (frame={tf_fs = -1039728624, tf_es = -621215728,
tf_ds = -1070923760, tf_edi = 2, tf_esi = 134217730,
tf_ebp = -1070881024, tf_isp = -1070881052, tf_ebx = 305406840,
tf_edx = 0, tf_ecx = 134217730, tf_eax = -1039726832, tf_trapno = 12,
tf_err = 0, tf_eip = -1072350664, tf_cs = 8, tf_eflags = 66054,
tf_esp = -621114272, tf_ss = -621114272})
at /usr/src/sys/i386/i386/trap.c:466
#17 0xc0153a38 in knote (list=0xdafa8d80, hint=134217730)
at /usr/src/sys/kern/kern_event.c:851
#18 0xc015e491 in psignal (p=0xdafa8c60, sig=2)
at /usr/src/sys/kern/kern_sig.c:1015
#19 0xc015e261 in pgsignal (pgrp=0xc1dc5920, sig=2, checkctty=1)
---Type <return> to continue, or q <return> to quit---
at /usr/src/sys/kern/kern_sig.c:942
#20 0xc0173461 in ttyinput (c=3, tp=0xc02f3880) at /usr/src/sys/kern/tty.c:409
#21 0xc023d0c6 in sckbdevent (thiskbd=0xc02f1e40, event=0, arg=0xc02f8ea0)
at /usr/src/sys/dev/syscons/syscons.c:598
#22 0xc0234b7e in atkbd_intr (kbd=0xc02f1e40, arg=0x0)
at /usr/src/sys/dev/kbd/atkbd.c:464
#23 0xc025c6a0 in atkbd_isa_intr (arg=0xc02f1e40)
at /usr/src/sys/isa/atkbd_isa.c:140
#24 0xc024a09e in cpu_idle () at /usr/src/sys/i386/i386/machdep.c:1000
(kgdb) bt full
#0 dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
error = 0
#1 0xc015ce33 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:316
howto = 260
#2 0xc015d258 in poweroff_wait (junk=0xc02b17cc, howto=-1070918930)
at /usr/src/sys/kern/kern_shutdown.c:595
fmt = 0xc02b17cc "%s"
bootopt = 260
buf = "page fault", '\000' <repeats 245 times>
#3 0xc0253862 in trap_fatal (frame=0xc02ba4a4, eva=48)
at /usr/src/sys/i386/i386/trap.c:974
frame = (struct trapframe *) 0x104
code = -1070917684
type = 12
ss = -1070917684
esp = 0
softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27,
ssd_dpl = 0, ssd_p = 1, ssd_xx = 15, ssd_xx1 = 3, ssd_def32 = 1,
ssd_gran = 1}
#4 0xc0253535 in trap_pfault (frame=0xc02ba4a4, usermode=0, eva=48)
at /usr/src/sys/i386/i386/trap.c:867
va = 0
vm = (struct vmspace *) 0x0
---Type <return> to continue, or q <return> to quit---
map = 0xc
rv = 0
ftype = 32 ' '
p = (struct proc *) 0x0
#5 0xc025311f in trap (frame={tf_fs = 16, tf_es = -866844656,
tf_ds = -866844656, tf_edi = 0, tf_esi = -1041213184,
tf_ebp = -1070881556, tf_isp = -1070881584, tf_ebx = -1070792516,
tf_edx = 6866944, tf_ecx = -622237760, tf_eax = 0, tf_trapno = 12,
tf_err = 0, tf_eip = -1071732156, tf_cs = 8, tf_eflags = 66182,
tf_esp = -1041213184, tf_ss = -1041213184})
at /usr/src/sys/i386/i386/trap.c:466
p = (struct proc *) 0x0
sticks = 17179869183
i = 0
ucode = 0
type = 12
code = 0
eva = 48
#6 0xc01eaa44 in acquire_lock (lk=0xc02d00bc)
at /usr/src/sys/ufs/ffs/ffs_softdep.c:266
lk = (struct lockit *) 0xffffffff
holder = -1041213184
#7 0xc01eeb44 in softdep_update_inodeblock (ip=0xc1f05900, bp=0xcc582df8,
---Type <return> to continue, or q <return> to quit---
waitfor=0) at /usr/src/sys/ufs/ffs/ffs_softdep.c:3813
ip = (struct inode *) 0xc1f05900
inodedep = (struct inodedep *) 0xc02f9520
wk = (struct worklist *) 0xc1f05900
gotit = -1041213184
#8 0xc01e9b79 in ffs_update (vp=0xdae967c0, waitfor=0)
at /usr/src/sys/ufs/ffs/ffs_inode.c:106
fs = (struct fs *) 0xc1ee8800
bp = (struct buf *) 0xcc582df8
ip = (struct inode *) 0xc1f05900
error = 0
#9 0xc01f35a5 in ffs_fsync (ap=0xc02ba598)
at /usr/src/sys/ufs/ffs/ffs_vnops.c:273
vp = (struct vnode *) 0xdae967c0
bp = (struct buf *) 0x0
nbp = (struct buf *) 0xc02ba5ac
s = -1
error = 0
wait = 0
passes = 4
skipmeta = 0
lbn = 36
#10 0xc01f1e57 in ffs_sync (mp=0xc1e93600, waitfor=2, cred=0xc100b600,
---Type <return> to continue, or q <return> to quit---
p=0xc02f9520) at vnode_if.h:558
a = {a_desc = 0xc02bade0, a_vp = 0xdae967c0, a_cred = 0xc100b600,
a_waitfor = 2, a_p = 0xc02f9520}
vp = (struct vnode *) 0xdae967c0
cred = (struct ucred *) 0xc100b600
waitfor = 2
p = (struct proc *) 0xc02f9520
p = (struct proc *) 0xc02f9520
nvp = (struct vnode *) 0xdae96280
vp = (struct vnode *) 0xdae967c0
ip = (struct inode *) 0x0
ump = (struct ufsmount *) 0xc1e93400
fs = (struct fs *) 0xc1ee8800
error = 0
allerror = 0
#11 0xc018f5c7 in sync (p=0xc02f9520, uap=0x0)
at /usr/src/sys/kern/vfs_syscalls.c:583
p = (struct proc *) 0xc02f9520
mp = (struct mount *) 0xc1e93600
nmp = (struct mount *) 0x0
asyncflag = 0
#12 0xc015cbce in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:235
bp = (struct buf *) 0x0
---Type <return> to continue, or q <return> to quit---
iter = 5
nbusy = -1070917684
pbusy = -1070881252
howto = 256
#13 0xc015d258 in poweroff_wait (junk=0xc02b17cc, howto=-1070918930)
at /usr/src/sys/kern/kern_shutdown.c:595
fmt = 0xc02b17cc "%s"
bootopt = 256
buf = "page fault", '\000' <repeats 245 times>
#14 0xc0253862 in trap_fatal (frame=0xc02ba6b8, eva=305406896)
at /usr/src/sys/i386/i386/trap.c:974
frame = (struct trapframe *) 0x100
code = -1070917684
type = 12
ss = -1070917684
esp = 0
softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27,
ssd_dpl = 0, ssd_p = 1, ssd_xx = 0, ssd_xx1 = 0, ssd_def32 = 1, ssd_gran = 1}
#15 0xc0253535 in trap_pfault (frame=0xc02ba6b8, usermode=0, eva=305406896)
at /usr/src/sys/i386/i386/trap.c:867
va = 305405952
vm = (struct vmspace *) 0x0
map = 0xc
---Type <return> to continue, or q <return> to quit---
rv = 0
ftype = 0 '\000'
p = (struct proc *) 0x0
#16 0xc025311f in trap (frame={tf_fs = -1039728624, tf_es = -621215728,
tf_ds = -1070923760, tf_edi = 2, tf_esi = 134217730,
tf_ebp = -1070881024, tf_isp = -1070881052, tf_ebx = 305406840,
tf_edx = 0, tf_ecx = 134217730, tf_eax = -1039726832, tf_trapno = 12,
tf_err = 0, tf_eip = -1072350664, tf_cs = 8, tf_eflags = 66054,
tf_esp = -621114272, tf_ss = -621114272})
at /usr/src/sys/i386/i386/trap.c:466
p = (struct proc *) 0x0
sticks = 3224320260
i = 0
ucode = 0
type = 12
code = 0
eva = 305406896
#17 0xc0153a38 in knote (list=0xdafa8d80, hint=134217730)
at /usr/src/sys/kern/kern_event.c:851
list = (struct klist *) 0x0
hint = 134217730
kn = (struct knote *) 0xffffffff
#18 0xc015e491 in psignal (p=0xdafa8c60, sig=2)
---Type <return> to continue, or q <return> to quit---
at /usr/src/sys/kern/kern_sig.c:1015
p = (struct proc *) 0xdafa8c60
s = 6494234
prop = 2
action = 0xdafa8c60
#19 0xc015e261 in pgsignal (pgrp=0xc1dc5920, sig=2, checkctty=1)
at /usr/src/sys/kern/kern_sig.c:942
pgrp = (struct pgrp *) 0x0
sig = 2
checkctty = 1
p = (struct proc *) 0xdafa8c60
#20 0xc0173461 in ttyinput (c=3, tp=0xc02f3880) at /usr/src/sys/kern/tty.c:409
c = 3
tp = (struct tty *) 0xc02f3880
iflag = 11010
lflag = 536872395
cc = (
cc_t *) 0xc02f391c "\004ÿÿ\b\027\025\022\b\003\034\032\031\021\023\026\017\001"
i = -1070647168
err = 0
#21 0xc023d0c6 in sckbdevent (thiskbd=0xc02f1e40, event=0, arg=0xc02f8ea0)
at /usr/src/sys/dev/syscons/syscons.c:598
---Type <return> to continue, or q <return> to quit---
event = 0
sc = (sc_softc_t *) 0xc02f8ea0
cur_tty = (struct tty *) 0xc02f3880
c = 3
len = 1000
cp = (u_char *) 0x3cannot read proc at 0
(kgdb) f 17
#17 0xc0153a38 in knote (list=0xdafa8d80, hint=134217730)
at /usr/src/sys/kern/kern_event.c:851
851 SLIST_FOREACH(kn, list, kn_selnext)
(kgdb) list
846 void
847 knote(struct klist *list, long hint)
848 {
849 struct knote *kn;
850
851 SLIST_FOREACH(kn, list, kn_selnext)
852 if (kn->kn_fop->f_event(kn, hint))
853 KNOTE_ACTIVATE(kn);
854 }
855
(kgdb) p list
$1 = (struct klist *) 0x0
(kgdb) up
#18 0xc015e491 in psignal (p=0xdafa8c60, sig=2)
at /usr/src/sys/kern/kern_sig.c:1015
1015 KNOTE(&p->p_klist, NOTE_SIGNAL | sig);
(kgdb) list
1010 printf("psignal: signal %d\n", sig);
1011 panic("psignal signal number");
1012 }
1013
1014 s = splhigh();
1015 KNOTE(&p->p_klist, NOTE_SIGNAL | sig);
1016 splx(s);
1017
1018 prop = sigprop(sig);
1019
(kgdb) set print pretty
(kgdb) print *p
$2 = {
p_procq = {
tqe_next = 0x0,
tqe_prev = 0xc02f9e60
},
p_list = {
le_next = 0x0,
le_prev = 0xc02f9dc4
},
p_cred = 0xc1f7caa0,
p_fd = 0xc2070500,
p_stats = 0xdafb5cd0,
p_limit = 0xc206e500,
p_upages_obj = 0xdaf9b844,
p_procsig = 0xc1fb4400,
p_flag = 24582,
p_stat = 5 '\005',
p_pad1 = "\000\000",
p_pid = 302,
p_hash = {
le_next = 0x0,
le_prev = 0xc10034b8
},
---Type <return> to continue, or q <return> to quit---
p_pglist = {
le_next = 0x0,
le_prev = 0xdafa8e3c
},
p_pptr = 0xdafa8e00,
p_sibling = {
le_next = 0x0,
le_prev = 0xdafa8e50
},
p_children = {
lh_first = 0x0
},
p_ithandle = {
callout = 0x0
},
p_oppid = 0,
p_dupfd = 0,
p_vmspace = 0xd46f5800,
p_estcpu = 0,
p_cpticks = 0,
p_pctcpu = 0,
p_wchan = 0x0,
p_wmesg = 0x0,
---Type <return> to continue, or q <return> to quit---
p_swtime = 0,
p_slptime = 0,
p_realtimer = {
it_interval = {
tv_sec = 0,
tv_usec = 0
},
it_value = {
tv_sec = 0,
tv_usec = 0
}
},
p_runtime = 129,
p_uu = 0,
p_su = 390,
p_iu = 0,
p_uticks = 0,
p_sticks = 0,
p_iticks = 0,
p_traceflag = 0,
p_tracep = 0x0,
p_siglist = {
__bits = {0, 0, 0, 0}
---Type <return> to continue, or q <return> to quit---
},
p_textvp = 0x0,
p_lock = 0 '\000',
p_oncpu = 0 '\000',
p_lastcpu = 0 '\000',
p_rqindex = 12 '\f',
p_locks = 0,
p_simple_locks = 0,
p_stops = 0,
p_stype = 0,
p_step = 0 '\000',
p_pfsflags = 0 '\000',
p_pad3 = "\000",
p_retval = {0, 134649960},
p_sigiolst = {
slh_first = 0x0
},
p_sigparent = 20,
p_oldsigmask = {
__bits = {0, 0, 0, 0}
},
p_sig = 0,
p_code = 0,
---Type <return> to continue, or q <return> to quit---
p_klist = {
slh_first = 0xdaf9dfc0
},
p_sigmask = {
__bits = {0, 0, 0, 0}
},
p_sigstk = {
ss_sp = 0x0,
ss_size = 0,
ss_flags = 4
},
p_priority = 50 '2',
p_usrpri = 50 '2',
p_nice = 0 '\000',
p_comm = "date\000\000r\000\000\000\000\000\000\000\000\000",
p_pgrp = 0xc1dc5920,
p_sysent = 0xc02c0440,
p_rtprio = {
type = 1,
prio = 0
},
p_prison = 0x0,
p_args = 0xc1d97510,
---Type <return> to continue, or q <return> to quit---
p_addr = 0xdafb5000,
p_md = {
md_regs = 0xdafb7fa8
},
p_xstat = 0,
p_acflag = 0,
p_ru = 0xc1f78e80,
p_nthreads = 0,
p_aioinfo = 0x0,
p_wakeup = 0,
p_peers = 0x0,
p_leader = 0xdafa8c60,
p_asleep = {
as_priority = 0,
as_timo = 0
},
p_emuldata = 0x0,
p_fdtol = 0x0
}
(kgdb) print *p->p_klist.slh_first
$7 = {
kn_link = {
sle_next = 0xdaf9df80
},
kn_selnext = {
sle_next = 0x12342378
},
kn_tqe = {
tqe_next = 0x0,
tqe_prev = 0xc2070700
},
kn_kq = 0xc2070700,
kn_kevent = {
ident = 302,
filter = -5,
flags = 32821,
fflags = 2147483648,
data = 0,
udata = 0x0
},
kn_status = 11,
kn_sfflags = -536870909,
kn_sdata = 301,
---Type <return> to continue, or q <return> to quit---
kn_ptr = {
p_fp = 0xdafa8c60,
p_proc = 0xdafa8c60
},
kn_fop = 0xc02c2588,
kn_hook = 0x0
}
>How-To-Repeat:
Compile and run the program below:
cc -g -Wall -c kqpt2.c
cc -g -Wall -o kqpt2 kqpt2.o
./kqpt2 date
<some output>
Ctrl+C
PANIC!
----------------- code ---------------------
#include <sys/types.h>
#include <sys/event.h>
#include <sys/time.h>
#include <err.h>
#include <sysexits.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <libgen.h>
#include <string.h>
#define N_EVENTS 64
void
dump_proc_note(u_int fflags)
{
	/*
	 * Print the EVFILT_PROC fflags bits that are set in fflags, each as
	 * a space-prefixed name, in this fixed order.  Bits outside the
	 * table are not reported.
	 */
	static const struct {
		u_int bit;
		const char *name;
	} note_names[] = {
		{ NOTE_EXIT,     " EXIT" },
		{ NOTE_FORK,     " FORK" },
		{ NOTE_EXEC,     " EXEC" },
		{ NOTE_TRACK,    " TRACK" },
		{ NOTE_TRACKERR, " TRACKERR" },
		{ NOTE_CHILD,    " CHILD" },
	};
	size_t k;

	printf(" fflags:");
	for (k = 0; k < sizeof note_names / sizeof note_names[0]; k++) {
		if (fflags & note_names[k].bit)
			printf("%s", note_names[k].name);
	}
}
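void
dump_kevent(int i, struct kevent *ke)
{
	/*
	 * Print one returned kevent on a single line: its index in the
	 * result array, the watched pid, the flags, the data word and the
	 * decoded EVFILT_PROC fflags.
	 *
	 * ident and data are pointer-sized integers (uintptr_t / intptr_t),
	 * so they are widened explicitly rather than passed to %u / %d,
	 * which is undefined behaviour when the sizes differ.
	 */
	printf("i:%d pid=%lu flags=%hu data=%ld ",
	    i,
	    (unsigned long)ke->ident,
	    ke->flags,
	    (long)ke->data);
	dump_proc_note(ke->fflags);
	if (ke->flags & EV_EOF)
		printf(" EOF");
	if (ke->flags & EV_ERROR)
		/* For EV_ERROR the kernel returns the errno value in data. */
		printf(" Error: %s", strerror((int)ke->data));
	printf("\n");
}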
void
dump_kevent_list(int n, struct kevent *kes)
{
	/* Dump the first n entries of kes, numbered from 0. */
	struct kevent *ke = kes;
	int idx = 0;

	while (idx < n) {
		dump_kevent(idx, ke);
		idx++;
		ke++;
	}
}
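void
usage(const char *name)
{
	/*
	 * Print the usage line and exit with EX_USAGE.  errx(3) appends the
	 * newline itself, so the format must not carry one.
	 */
	errx(EX_USAGE, "Usage: %s [-v] command", basename(name));
	/* Not reached */
}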
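int
main(int argc, char * const argv[])
{
	/*
	 * Register an EVFILT_PROC watch on our own pid with NOTE_TRACK so
	 * the child we spawn is tracked too, run the given command, then
	 * block on the kqueue reporting process events until none are
	 * returned.  With -v each batch of events is dumped as it arrives.
	 */
	const char *prog = argv[0];
	int ch;
	int verbose = 0;
	int kq;
	pid_t pid;
	struct kevent kev;
	struct kevent el[N_EVENTS];
	struct timespec ts;
	int ks;

	while ((ch = getopt(argc, argv, "v")) != -1) {
		switch (ch) {
		case 'v':
			verbose++;
			break;
		default:
			usage(prog);
			/* not reached */
		}
	}
	argv += optind;
	argc -= optind;

	/* Check for command to trace */
	if (argc == 0)
		usage(prog);

	if ((kq = kqueue()) == -1)
		err(EX_OSERR, "kqueue");

	/* Zero timeout: the two registration calls below must not block. */
	ts.tv_sec = 0;
	ts.tv_nsec = 0;

	pid = getpid();
	printf("my pid=%ld\n", (long)pid);
	/* data is intptr_t, so pass 0 rather than a null pointer. */
	EV_SET(&kev,
	    pid,
	    EVFILT_PROC,
	    EV_ADD | EV_CLEAR,
	    NOTE_EXIT | NOTE_FORK | NOTE_EXEC | NOTE_TRACK | NOTE_TRACKERR,
	    0,
	    NULL);
	if ((ks = kevent(kq, &kev, 1, el, N_EVENTS, &ts)) == -1)
		err(EX_OSERR, "kevent");
	dump_kevent_list(ks, el);

	pid = vfork();
	if (pid == -1)
		err(EX_OSERR, "vfork");
	if (pid == 0) {
		execvp(argv[0], &argv[0]);
		/*
		 * Still here: exec failed.  After vfork() the child runs in
		 * the parent's address space, so only _exit() is safe --
		 * err() would call exit() and flush the parent's stdio
		 * buffers from the child.
		 */
		warn("execvp: %s", argv[0]);
		_exit(EX_OSERR);
	}
	printf("cmd pid=%ld\n", (long)pid);

	/* Re-register; EV_ADD on an existing knote just updates it. */
	if ((ks = kevent(kq, &kev, 1, el, N_EVENTS, &ts)) == -1)
		err(EX_OSERR, "kevent"); /* no return */
	dump_kevent_list(ks, el);

	/*
	 * A failing kevent() returns -1, which the original loop treated as
	 * "one event" and spun on forever; report it instead.
	 */
	for (;;) {
		ks = kevent(kq, NULL, 0, el, N_EVENTS, NULL);
		if (ks == -1)
			err(EX_OSERR, "kevent");
		if (ks == 0)
			break;
		if (verbose)
			dump_kevent_list(ks, el);
		printf("*\n");
	}
	return 0;
}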
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: