[panic]Fatal trap 12: page fault while in kernel mode

Robert Watson rwatson at FreeBSD.org
Thu Aug 2 22:39:50 UTC 2007


On Tue, 31 Jul 2007, ytriffy wrote:

> Trap 12 occurred when I rebooted PC. Sending you backtrace. My system: amd64 
> 3200+ Venice, MB ECS nForce4 A939, Samsung 250GB and WD 250 GB, 2 memory 
> banks 512MB each, videocard: Geforce 6600gt 128MB, NIC on realtek chip, 
> sound card cirrus logic cs4281. It's very unstable, crashes happen every 
> day, so I'm hoping you would say why (any hints what hardware may cause it). 
> How to repeat it? I don't know. It happened once during reboot process.

In general, you want to report this sort of bug using the send-pr interface, 
or the gnats web submission form.  In the past, I've seen quite a few bug reports 
sent to hackers@ get lost because many FreeBSD developers don't subscribe to 
the list.  You could also consider sending it to stable@, since that's the 
mailing list for discussing 6-STABLE development.  FYI, this looks like a 
NULL-pointer dereference in the VFS shutdown code.

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> [root at freelanc /var]# uname -a
> FreeBSD freelanc.dubki.ru 6.2-STABLE-200706 FreeBSD 6.2-STABLE-200706 #1: Mon Jul 23 13:34:27 MSD 2007 root at freelanc.dubki.ru:/usr/obj/usr/src/sys/DEBUGGERKERN i386
>
> [root at freelanc /usr/obj/usr/src/sys/DEBUGGERKERN]# kgdb kernel.debug
> /var/crash/vmcore.3
> kgdb: kvm_nlist(_stopped_cpus):
> kgdb: kvm_nlist(_stoppcbs):
> [GDB will not be able to debug user-mode threads:
> /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
> are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-marcel-freebsd".
>
> Unread portion of the kernel message buffer:
> <118>Jul 25 14:06:32 freelanc syslogd: exiting on signal 15
> Waiting (max 60 seconds) for system process `vnlru' to stop...done
> Waiting (max 60 seconds) for system process `syncer' to stop...
> Syncing disks, vnodes remaining...6 5 3 1 0 0 done
> Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
> All buffers synced.
>
>
> Fatal trap 12: page fault while in kernel mode
> fault virtual address = 0x4
> fault code = supervisor read, page not present
> instruction pointer = 0x20:0xc058a4e0
> stack pointer = 0x28:0xe9455c48
> frame pointer = 0x28:0xe9455c58
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 44922 (reboot)
> panic: from debugger
> Uptime: 2h45m36s
> Dumping 1022 MB (2 chunks)
> chunk 0: 1MB (159 pages) ... ok
> chunk 1: 1022MB (261600 pages) 1006 990 974 958 942 926 910 894 878 862
> 846 830 814 798 782 766 750 734 718 702 686 670 654 638 622 606 590 574
> 558 542 526 510 494 478 462 446 430 414 398 382 366 350 334 318 302 286
> 270 254 238 222 206 190 174 158 142 126 110 94 78 62 46 30 14
>
> #0 doadump () at pcpu.h:165
> 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
> (kgdb) bt
> #0 doadump () at pcpu.h:165
> #1 0xc053d916 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
> #2 0xc053dbdc in panic (fmt=0xc06f5278 "from debugger")
> at /usr/src/sys/kern/kern_shutdown.c:565
> #3 0xc045361d in db_panic (addr=-1067932448, have_addr=0, count=-1,
> modif=0xe9455a74 "") at /usr/src/sys/ddb/db_command.c:438
> #4 0xc04535b4 in db_command (last_cmdp=0xc0766784, cmd_table=0x0,
> aux_cmd_tablep=0xc0728e90, aux_cmd_tablep_end=0xc0728e94)
> at /usr/src/sys/ddb/db_command.c:350
> #5 0xc045367c in db_command_loop () at /usr/src/sys/ddb/db_command.c:458
> #6 0xc0455291 in db_trap (type=12, code=0) at
> /usr/src/sys/ddb/db_main.c:222
> #7 0xc0556a2b in kdb_trap (type=12, code=0, tf=0xe9455c08)
> at /usr/src/sys/kern/subr_kdb.c:473
> #8 0xc06cba6c in trap_fatal (frame=0xe9455c08, eva=4)
> at /usr/src/sys/i386/i386/trap.c:828
> #9 0xc06cb7d7 in trap_pfault (frame=0xe9455c08, usermode=0, eva=4)
> at /usr/src/sys/i386/i386/trap.c:745
> #10 0xc06cb3f1 in trap (frame=
> {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -381330360, tf_esi =
> -993547624, tf_ebp = -381330344, tf_isp = -381330380, tf_ebx = 0, tf_edx
> = -992513384, tf_ecx = 4, tf_eax = -950651024, tf_trapno = 12, tf_err =
> 0, tf_eip = -1067932448, tf_cs = 32, tf_eflags = 590338, tf_esp = 0,
> tf_ss = -992305712})
> at /usr/src/sys/i386/i386/trap.c:435
> #11 0xc06b8b1a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> #12 0xc058a4e0 in cache_purgevfs (mp=0xc4d77298)
> at /usr/src/sys/kern/vfs_cache.c:622
> #13 0xc0591f29 in dounmount (mp=0xc4d77298, flags=524288, td=0xc62ce300)
> at /usr/src/sys/kern/vfs_mount.c:1214
> #14 0xc0597d0a in vfs_unmountall () at /usr/src/sys/kern/vfs_subr.c:2837
> #15 0xc053d807 in boot (howto=0) at /usr/src/sys/kern/kern_shutdown.c:391
> #16 0xc053d2a2 in reboot (td=0xc62ce300, uap=0xc7563770)
> at /usr/src/sys/kern/kern_shutdown.c:169
> #17 0xc06cbdbb in syscall (frame=
> {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 2, tf_esi = 18, tf_ebp =
> -1077941304, tf_isp = -381330076, tf_ebx = 0, tf_edx = -1, tf_ecx =
> 672491264, tf_eax = 55, tf_trapno = 12, tf_err = 2, tf_eip = 671802263,
> tf_cs = 51, tf_eflags = 662, tf_esp = -1077941380, tf_ss = 59}) at
> /usr/src/sys/i386/i386/trap.c:983
> #18 0xc06b8b6f in Xint0x80_syscall () at
> /usr/src/sys/i386/i386/exception.s:200
> #19 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> (kgdb) up 19
> #19 0x00000033 in ?? ()
> (kgdb) down 1
> #18 0xc06b8b6f in Xint0x80_syscall () at
> /usr/src/sys/i386/i386/exception.s:200
> 200 call syscall
> Current language: auto; currently asm
> (kgdb) down 1
> #17 0xc06cbdbb in syscall (frame=
> {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 2, tf_esi = 18, tf_ebp =
> -1077941304, tf_isp = -381330076, tf_ebx = 0, tf_edx = -1, tf_ecx =
> 672491264, tf_eax = 55, tf_trapno = 12, tf_err = 2, tf_eip = 671802263,
> tf_cs = 51, tf_eflags = 662, tf_esp = -1077941380, tf_ss = 59}) at
> /usr/src/sys/i386/i386/trap.c:983
> 983 error = (*callp->sy_call)(td, args);
> Current language: auto; currently c
> (kgdb) p *callp
> $1 = {sy_narg = 65537, sy_call = 0xc053d258 <reboot>, sy_auevent = 20}
> (kgdb) p *callp->sy_call
> $2 = {int (struct thread *, void *)} 0xc053d258 <reboot>
> (kgdb) p td
> $3 = (struct thread *) 0xc62ce300
> (kgdb) p args
> $4 = {0, 9, -994250272, -1077941388, 0, 0, 3, 0}
> (kgdb) down 1
> #16 0xc053d2a2 in reboot (td=0xc62ce300, uap=0xc7563770)
> at /usr/src/sys/kern/kern_shutdown.c:169
> 169 boot(uap->opt);
> (kgdb) p uap
> $5 = (struct reboot_args *) 0xc7563770
> (kgdb) p uap->opt
> $6 = 2
> (kgdb) down 1
> #15 0xc053d807 in boot (howto=0) at /usr/src/sys/kern/kern_shutdown.c:391
> 391 vfs_unmountall();
> (kgdb) down 1
> #14 0xc0597d0a in vfs_unmountall () at /usr/src/sys/kern/vfs_subr.c:2837
> 2837 error = dounmount(mp, MNT_FORCE, td);
> (kgdb) p mp
> $7 = (struct mount *) 0xc4d77298
> (kgdb) p td
> $8 = (struct thread *) 0xc62ce300
> (kgdb) down 1
> #13 0xc0591f29 in dounmount (mp=0xc4d77298, flags=524288, td=0xc62ce300)
> at /usr/src/sys/kern/vfs_mount.c:1214
> 1214 cache_purgevfs(mp); /* remove cache entries for this file sys */
> (kgdb) down 1
> #12 0xc058a4e0 in cache_purgevfs (mp=0xc4d77298)
> at /usr/src/sys/kern/vfs_cache.c:622
> 622 for (ncp = LIST_FIRST(ncpp); ncp != 0; ncp = nnp) {
> (kgdb) p ncp
> $9 = (struct namecache *) 0x4
> (kgdb) p ncpp
> $10 = (struct nchashhead *) 0xc4c7aa98
> (kgdb) down 1
> #11 0xc06b8b1a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> 139 call trap
> Current language: auto; currently asm
> (kgdb) down 1
> #10 0xc06cb3f1 in trap (frame=
> {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -381330360, tf_esi =
> -993547624, tf_ebp = -381330344, tf_isp = -381330380, tf_ebx = 0, tf_edx
> = -992513384, tf_ecx = 4, tf_eax = -950651024, tf_trapno = 12, tf_err =
> 0, tf_eip = -1067932448, tf_cs = 32, tf_eflags = 590338, tf_esp = 0,
> tf_ss = -992305712})
> at /usr/src/sys/i386/i386/trap.c:435
> 435 (void) trap_pfault(&frame, FALSE, eva);
> Current language: auto; currently c
> (kgdb) p frame
> $11 = {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -381330360,
> tf_esi = -993547624, tf_ebp = -381330344, tf_isp = -381330380, tf_ebx = 0,
> tf_edx = -992513384, tf_ecx = 4, tf_eax = -950651024, tf_trapno = 12,
> tf_err = 0, tf_eip = -1067932448, tf_cs = 32, tf_eflags = 590338,
> tf_esp = 0, tf_ss = -992305712}
> (kgdb) p eva
> $12 = 4
> (kgdb) down 1
> #9 0xc06cb7d7 in trap_pfault (frame=0xe9455c08, usermode=0, eva=4)
> at /usr/src/sys/i386/i386/trap.c:745
> 745 trap_fatal(frame, eva);
> (kgdb) down 1
> #8 0xc06cba6c in trap_fatal (frame=0xe9455c08, eva=4)
> at /usr/src/sys/i386/i386/trap.c:828
> 828 if (kdb_trap(type, 0, frame)) {
> (kgdb) p type
> $13 = 12
> (kgdb) down 1
> #7 0xc0556a2b in kdb_trap (type=12, code=0, tf=0xe9455c08)
> at /usr/src/sys/kern/subr_kdb.c:473
> 473 handled = kdb_dbbe->dbbe_trap(type, code);
> (kgdb) p kdb_dbbe
> $14 = (struct kdb_dbbe *) 0xc072f0e0
> (kgdb) p kdb_dbbe->dbbe_trap
> $15 = (dbbe_trap_f *) 0xc04551ac <db_trap>
> (kgdb) p type
> $16 = 12
> (kgdb) p code
> $17 = 0
> (kgdb) down 1
> #6 0xc0455291 in db_trap (type=12, code=0) at
> /usr/src/sys/ddb/db_main.c:222
> 222 db_command_loop();
> (kgdb) down 1
> #5 0xc045367c in db_command_loop () at /usr/src/sys/ddb/db_command.c:458
> 458 db_command(&db_last_command, db_command_table,
> (kgdb) p &db_last_command
> $18 = (struct command **) 0xc0766784
> (kgdb) p db_command_table
> $19 = {{name = 0xc0726d8d "print", fcn = 0xc0453e44 <db_print_cmd>, flag
> = 0,
> more = 0x0}, {name = 0xc0707446 "p", fcn = 0xc0453e44 <db_print_cmd>,
> flag = 0, more = 0x0}, {name = 0xc06f521d "examine",
> fcn = 0xc0453b74 <db_examine_cmd>, flag = 256, more = 0x0}, {
> name = 0xc06f3248 "x", fcn = 0xc0453b74 <db_examine_cmd>, flag = 256,
> more = 0x0}, {name = 0xc06f5225 "search",
> fcn = 0xc0453f44 <db_search_cmd>, flag = 257, more = 0x0}, {
> name = 0xc06fc7c7 "set", fcn = 0xc0456d98 <db_set_cmd>, flag = 1,
> more = 0x0}, {name = 0xc071c1dc "write", fcn = 0xc045714c <db_write_cmd>,
> flag = 258, more = 0x0}, {name = 0xc070470c "w",
> fcn = 0xc045714c <db_write_cmd>, flag = 258, more = 0x0}, {
> name = 0xc0711df9 "delete", fcn = 0xc045312c <db_delete_cmd>, flag = 0,
> more = 0x0}, {name = 0xc06f3296 "d", fcn = 0xc045312c <db_delete_cmd>,
> flag = 0, more = 0x0}, {name = 0xc06f522c "break",
> fcn = 0xc0453144 <db_breakpoint_cmd>, flag = 0, more = 0x0}, {
> name = 0xc06f5232 "dwatch", fcn = 0xc0457014 <db_deletewatch_cmd>,
> flag = 0, more = 0x0}, {name = 0xc06f5233 "watch",
> fcn = 0xc045702c <db_watchpoint_cmd>, flag = 2, more = 0x0}, {
> name = 0xc06f5239 "dhwatch", fcn = 0xc04570e4 <db_deletehwatch_cmd>,
> flag = 0, more = 0x0}, {name = 0xc06f523a "hwatch",
> fcn = 0xc0457118 <db_hwatchpoint_cmd>, flag = 0, more = 0x0}, {
> name = 0xc0721ca0 "step", fcn = 0xc0456438 <db_single_step_cmd>, flag = 0,
> more = 0x0}, {name = 0xc06f55e4 "s",
> fcn = 0xc0456438 <db_single_step_cmd>, flag = 0, more = 0x0}, {
> name = 0xc06f5241 "continue", fcn = 0xc045653c <db_continue_cmd>,
> flag = 0, more = 0x0}, {name = 0xc0713305 "c",
> fcn = 0xc045653c <db_continue_cmd>, flag = 0, more = 0x0}, {
> name = 0xc06f524a "until", fcn = 0xc04564a0 <db_trace_until_call_cmd>,
> flag = 0, more = 0x0}, {name = 0xc06f5250 "next",
> fcn = 0xc04564e8 <db_trace_until_matching_cmd>, flag = 0, more = 0x0}, {
> name = 0xc070d7da "match", fcn = 0xc04564e8 <db_trace_until_matching_cmd>,
> flag = 0, more = 0x0}, {name = 0xc070882b "trace",
> fcn = 0xc0453a4c <db_stack_trace>, flag = 1, more = 0x0}, {
> name = 0xc06f5255 "alltrace", fcn = 0xc0453b20 <db_stack_trace_all>,
> flag = 0, more = 0x0}, {name = 0xc07249cf "where",
> fcn = 0xc0453a4c <db_stack_trace>, flag = 1, more = 0x0}, {
> name = 0xc06f525e "bt", fcn = 0xc0453a4c <db_stack_trace>, flag = 1,
> more = 0x0}, {name = 0xc071aa99 "call", fcn = 0xc04536b0 <db_fncall>,
> flag = 1, more = 0x0}, {name = 0xc06f5261 "show", fcn = 0, flag = 0,
> more = 0xc072edc0}, {name = 0xc07126a2 "ps", fcn = 0xc0455784 <db_ps>,
> flag = 0, more = 0x0}, {name = 0xc06f5266 "gdb",
> fcn = 0xc0453a18 <db_gdb>, flag = 0, more = 0x0}, {
> name = 0xc06fc600 "reset", fcn = 0xc0453920 <db_reset>, flag = 0,
> more = 0x0}, {name = 0xc06f526a "kill", fcn = 0xc04537d8 <db_kill>,
> flag = 1, more = 0x0}, {name = 0xc06f526f "watchdog",
> fcn = 0xc045392c <db_watchdog>, flag = 0, more = 0x0}, {
> name = 0xc070887d "thread", fcn = 0xc0456a10 <db_set_thread>, flag = 1,
> more = 0x0}, {name = 0x0, fcn = 0, flag = 0, more = 0x0}}
> (kgdb) down 1
> #4 0xc04535b4 in db_command (last_cmdp=0xc0766784, cmd_table=0x0,
> aux_cmd_tablep=0xc0728e90, aux_cmd_tablep_end=0xc0728e94)
> at /usr/src/sys/ddb/db_command.c:350
> 350 (*cmd->fcn)(addr, have_addr, count, modif);
> (kgdb) p addr
> $20 = -1067932448
> (kgdb) p have_addr
> $21 = 0
> (kgdb) p count
> $22 = -1
> (kgdb) p modif
> $23 =
> "\000ZEDj\214ZE\220ZE\211\a\000\000ZE\"LJ\000\000\000\000\000¤\2005y\r\000\000\000\2005y\r\000\000\000\001\000\000\000»ZE\213j»ZEj\000@@\036wx\000\000\000\200pv\f\000\000\000ZE<VE§p,SE\f\000\000\000\200pvJE" 
>
> (kgdb) down 1
> #3 0xc045361d in db_panic (addr=-1067932448, have_addr=0, count=-1,
> modif=0xe9455a74 "") at /usr/src/sys/ddb/db_command.c:438
> 438 panic("from debugger");
> (kgdb) down 1
> #2 0xc053dbdc in panic (fmt=0xc06f5278 "from debugger")
> at /usr/src/sys/kern/kern_shutdown.c:565
> 565 boot(bootopt);
> (kgdb) p bootopt
> $24 = 260
> (kgdb) down 1
> #1 0xc053d916 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
> 409 doadump();
> (kgdb) down 1
> #0 doadump () at pcpu.h:165
> 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
> (kgdb)
>
> Some other info required - feel free to email me :)
> Best regards, Slava.
>
>
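
The "NULL-pointer dereference" reading of the trap banner can be reproduced mechanically: a supervisor-mode fault on a not-present page whose address lies inside the first page is the usual signature of a NULL base pointer plus a small field offset. The following is an added example, not part of the original thread or of FreeBSD; `parse_trap`, `looks_like_null_deref` and the treatment of all of page 0 as unmapped are assumptions introduced here, and the sample text is the banner from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE_I386 4096UL /* i386 page size; assumes page 0 is unmapped */

/* Trap banner lines as they appear in the report above. */
static const char SAMPLE_TRAP[] =
    "Fatal trap 12: page fault while in kernel mode\n"
    "fault virtual address = 0x4\n"
    "fault code = supervisor read, page not present\n"
    "instruction pointer = 0x20:0xc058a4e0\n";

struct trap_info {
    unsigned long fault_va, eip; /* faulting address; offset part of the IP */
    int supervisor, not_present; /* flags taken from the "fault code" line */
};

/* Text after "key ... =" in msg, or NULL if the field is absent. */
static const char *field(const char *msg, const char *key) {
    const char *p = strstr(msg, key);
    return (p && (p = strchr(p, '='))) ? p + 1 : NULL;
}

/* Fill *ti from a trap banner; 0 on success, -1 if a field is missing. */
int parse_trap(const char *msg, struct trap_info *ti) {
    const char *va = field(msg, "fault virtual address");
    const char *fc = field(msg, "fault code");
    const char *ip = field(msg, "instruction pointer");
    const char *colon = ip ? strchr(ip, ':') : NULL; /* skip "0x20:" selector */
    char line[128] = {0};
    if (!va || !fc || !colon) return -1;
    size_t n = strcspn(fc, "\n");                    /* fault code line only */
    memcpy(line, fc, n < sizeof line - 1 ? n : sizeof line - 1);
    ti->fault_va = strtoul(va, NULL, 16);
    ti->eip = strtoul(colon + 1, NULL, 16);
    ti->supervisor = strstr(line, "supervisor") != NULL;
    ti->not_present = strstr(line, "page not present") != NULL;
    return 0;
}

/* Kernel-mode access to an unmapped address in page 0: NULL base + offset. */
int looks_like_null_deref(const struct trap_info *ti) {
    return ti->supervisor && ti->not_present && ti->fault_va < PAGE_SIZE_I386;
}

int main(void) {
    struct trap_info ti;
    if (parse_trap(SAMPLE_TRAP, &ti) != 0) return 1;
    printf("va=%#lx eip=%#lx null=%d\n", ti.fault_va, ti.eip, looks_like_null_deref(&ti));
    return 0;
}
```

The parsed instruction pointer is the address to match against the backtrace frames to find the faulting function.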

