another panic in 8.3-PRERELEASE

Konstantin Belousov kostikbel at gmail.com
Tue Feb 28 13:09:37 UTC 2012


On Sat, Feb 25, 2012 at 02:58:28AM +0900, Hiroki Sato wrote:
> Konstantin Belousov <kostikbel at gmail.com> wrote
>   in <20120224150259.GV55074 at deviant.kiev.zoral.com.ua>:
> 
> ko> > > #19 0x0000000800abecfc in ?? ()
> ko> > > Previous frame inner to this frame (corrupt stack?)
> ko> > > (kgdb)
> ko> > Can you, please, print out the content of *td, e.g. from the frame 16 ?
> ko> 
> ko> And *req from the frame 11, please.
> 
>  Here:
> 
> (kgdb) f 16
> #16 0xffffffff80675e3a in __sysctl (td=0xffffff0396ec5460, 
>     uap=0xffffff86c6389bc0) at /usr/src/sys/kern/kern_sysctl.c:1491
> 1491		error = userland_sysctl(td, name, uap->namelen,
> (kgdb) print *td
> $2 = {td_lock = 0xffffffff80d7f540, td_proc = 0xffffff03969bf470, td_plist = {
>     tqe_next = 0x0, tqe_prev = 0xffffff03969bf480}, td_runq = {tqe_next = 0x0, 
>     tqe_prev = 0xffffffff80d7f788}, td_slpq = {tqe_next = 0x0, 
>     tqe_prev = 0xffffff0396ebe800}, td_lockq = {tqe_next = 0x0, 
>     tqe_prev = 0xffffff86c57b48a0}, td_cpuset = 0xffffff0005789dc8, 
>   td_sel = 0xffffff01b5dd0500, td_sleepqueue = 0xffffff0396ebe800, 
>   td_turnstile = 0xffffff01334cf600, td_umtxq = 0xffffff0396ec3a80, 
>   td_tid = 100763, td_sigqueue = {sq_signals = {__bits = {0, 0, 0, 0}}, 
>     sq_kill = {__bits = {0, 0, 0, 0}}, sq_list = {tqh_first = 0x0, 
>       tqh_last = 0xffffff0396ec5500}, sq_proc = 0xffffff03969bf470, 
>     sq_flags = 1}, td_flags = 65540, td_inhibitors = 0, td_pflags = 0, 
>   td_dupfd = 0, td_sqqueue = 0, td_wchan = 0x0, td_wmesg = 0x0, 
>   td_lastcpu = 4 '\004', td_oncpu = 4 '\004', td_owepreempt = 0 '\0', 
>   td_tsqueue = 255 '?', td_locks = 4, td_rw_rlocks = 0, td_lk_slocks = 0, 
>   td_blocked = 0x0, td_lockname = 0x0, td_contested = {lh_first = 0x0}, 
>   td_sleeplocks = 0xffffffff80ecebf0, td_intr_nesting_level = 0, 
>   td_pinned = 0, td_ucred = 0xffffff007d537b00, td_estcpu = 0, td_slptick = 0, 
>   td_blktick = 0, td_ru = {ru_utime = {tv_sec = 0, tv_usec = 0}, ru_stime = {
>       tv_sec = 0, tv_usec = 0}, ru_maxrss = 1864, ru_ixrss = 66288, 
>     ru_idrss = 1347856, ru_isrss = 176768, ru_minflt = 263901, ru_majflt = 10, 
>     ru_nswap = 0, ru_inblock = 0, ru_oublock = 0, ru_msgsnd = 0, 
>     ru_msgrcv = 0, ru_nsignals = 0, ru_nvcsw = 14937, ru_nivcsw = 3286}, 
>   td_incruntime = 0, td_runtime = 15204044088, td_pticks = 15, td_sticks = 15, 
>   td_iticks = 0, td_uticks = 0, td_intrval = 0, td_oldsigmask = {__bits = {0, 
>       0, 0, 0}}, td_sigmask = {__bits = {0, 0, 0, 0}}, td_generation = 18223, 
>   td_sigstk = {ss_sp = 0x0, ss_size = 0, ss_flags = 4}, td_xsig = 0, 
>   td_profil_addr = 0, td_profil_ticks = 0, 
>   td_name = "top", '\0' <repeats 16 times>, td_fpop = 0x0, td_dbgflags = 0, 
>   td_dbgksi = {ksi_link = {tqe_next = 0x0, tqe_prev = 0x0}, ksi_info = {
>       si_signo = 0, si_errno = 0, si_code = 0, si_pid = 0, si_uid = 0, 
>       si_status = 0, si_addr = 0x0, si_value = {sival_int = 0, 
>         sival_ptr = 0x0, sigval_int = 0, sigval_ptr = 0x0}, _reason = {
>         _fault = {_trapno = 0}, _timer = {_timerid = 0, _overrun = 0}, 
>         _mesgq = {_mqd = 0}, _poll = {_band = 0}, __spare__ = {__spare1__ = 0, 
>           __spare2__ = {0, 0, 0, 0, 0, 0, 0}}}}, ksi_flags = 0, 
>     ksi_sigq = 0x0}, td_ng_outbound = 0, td_osd = {osd_nslots = 0, 
>     osd_slots = 0x0, osd_next = {le_next = 0x0, le_prev = 0x0}}, 
>   td_rqindex = 32 ' ', td_base_pri = 128 '\200', td_priority = 128 '\200', 
>   td_pri_class = 3 '\003', td_user_pri = 129 '\201', 
>   td_base_user_pri = 129 '\201', td_pcb = 0xffffff86c6389d10, 
>   td_state = TDS_RUNNING, td_retval = {0, 34375032832}, td_slpcallout = {
>     c_links = {sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0, 
>         tqe_prev = 0xffffff800042ccd0}}, c_time = 51568077, 
>     c_arg = 0xffffff0396ec5460, c_func = 0xffffffff806a84c0 <sleepq_timeout>, 
>     c_lock = 0x0, c_flags = 18, c_cpu = 4}, td_frame = 0xffffff86c6389c50, 
>   td_kstack_obj = 0xffffff03410b20d8, td_kstack = 18446743553049124864, 
>   td_kstack_pages = 4, td_unused1 = 0x0, td_unused2 = 0, td_unused3 = 0, 
>   td_critnest = 0, td_md = {md_spinlock_count = 0, md_saved_flags = 70}, 
>   td_sched = 0xffffff0396ec5890, td_ar = 0x0, td_syscalls = 469926, 
>   td_lprof = {{lh_first = 0x0}, {lh_first = 0x0}}, td_dtrace = 0x0, 
>   td_errno = 0, td_vnet = 0x0, td_vnet_lpush = 0x0, td_rux = {
>     rux_runtime = 15204044088, rux_uticks = 226, rux_sticks = 1140, 
>     rux_iticks = 0, rux_uu = 0, rux_su = 0, rux_tu = 0}, 
>   td_map_def_user = 0x0, td_dbg_forked = 0}
> (kgdb) f 11
> #11 0xffffffff8065f6a6 in sysctl_out_proc_copyout (ki=0xffffff86c6389470, 
>     req=0xffffff86c63899c0) at /usr/src/sys/kern/kern_proc.c:1085
> 1085			error = SYSCTL_OUT(req, ki, sizeof(struct kinfo_proc));
> (kgdb) print *req
> $3 = {td = 0xffffff0396ec5460, lock = 2, oldptr = 0x800e96000, oldlen = 68217, 
>   oldidx = 1088, oldfunc = 0xffffffff80675e80 <sysctl_old_user>, newptr = 0x0, 
>   newlen = 0, newidx = 0, newfunc = 0xffffffff80675d10 <sysctl_new_user>, 
>   validlen = 68217, flags = 0}
> (kgdb) quit
> 
> -- Hiroki

I can see a race in how the wiring of the sysctl buffers is done, but the
race can only occur in a multithreaded process.

Can you, please, further show me two things:
- the p/x *(td->td_pcb)
- (this is somewhat laborious) Please find the vm map entry in the process
  vm_map which covers the range [0x800e96000, 0x800ea6a79) — that is,
  req->oldptr to req->oldptr + req->oldlen from the *req dump above — and print it out.
  You need to walk the td->td_proc->p_vmspace.vm_map.header list using
  the next link, looking for the entry start/end values.

