kern/129219: Kernel panic when using kernel mode ppp

Greg Robinson greg.robinson at dsto.defence.gov.au
Wed Nov 26 21:10:01 PST 2008 

>Number:         129219
>Category:       kern
>Synopsis:       Kernel panic when using kernel mode ppp
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 27 05:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Greg Robinson
>Release:        7.1-PRERELEASE
>Organization:
>Environment:
FreeBSD hostname.com.au 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #4: Sat Nov 15 18:02:01 CST 2008     root at hostname.com.au:/usr/obj/usr/src/sys/HOSTNAME i386
>Description:
I have installed 7.0-RELEASE, cvsup'ed to 7.1-PRERELEASE.  The system runs rock solid as a simple file server (smb - no NFS).  But when I dialup using kernel mode PPP, the system will crash after an unspecified amount of time.

kgdb kernel.debug /var/crash/vmcore.2
[...]
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fa
ta
lF attraalp  tr1a2p:  p1a2g:e  pfaaguel tf awuhlitl ew hiinl ek eirnn ekle rmnoe
dle m
odcepu
idc p=u id1 ;=  ap0i;c  aipdi c=  id0 1= 00
f
afualutl tv ivritrutaula la daddrdersess        s=       =0 0xx1144

fafualutl tc ocdoed     e               =        =s uspueprevrivsiosro r rreeaad
, padg,e  npoatg ep rnesoetn tpr
esiennsttruction pointe
ri      n=s t0rxuc2t0i:o0nx pco0ian6tae2r8      6= 
0sxta2c0k: 0pxoicn0tae6ra       2 8 6 
     = s0txac2k8 :p0oxinet7ecr5 1 9 7 4 
 f r a m=e  0pxo2i8n:t0exre     7 c 4 e 9 7 4  
=f r0axme2 8p:o0ixntee7rc       5 1 9 a 4 
  c o=d e0 xse2g8m:e0nxt        e       7=c 4bea9sae4 0x0, l
cturrarpe nntu mpbreorc e       s=s             1=2
68p9an i(cn:a mepda)ge
 tfraaupl tn
umcbpeuri       d        ==  012

Uptime: 11d2h7m15s
Physical memory: 2027 MB
Dumping 252 MB: 237 221 205 189 173 157 141 125 109 93 77 61 45 29 13

Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/ac
pi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/acpi.ko
#0  doadump () at pcpu.h:196
196             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) backtrace
#0  doadump () at pcpu.h:196
#1  0xc07711d7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2  0xc07714a9 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:574
#3  0xc0a6c65c in trap_fatal (frame=0xe7c51934, eva=20)
    at /usr/src/sys/i386/i386/trap.c:939
#4  0xc0a6c8e0 in trap_pfault (frame=0xe7c51934, usermode=0, eva=20)
    at /usr/src/sys/i386/i386/trap.c:852
#5  0xc0a6d29c in trap (frame=0xe7c51934) at /usr/src/sys/i386/i386/trap.c:530
#6  0xc0a531eb in calltrap () at /usr/src/sys/i386/i386/exception.s:159
#7  0xc0a6a286 in generic_bcopy () at /usr/src/sys/i386/i386/support.s:498
Previous frame inner to this frame (corrupt stack?)
(kgdb)

This is an *exact* cut and paste of the error.  To me, the first line translates to:

Fatal trap 12: page fault while in kernel mode

I think it is a bug in kernel mode ppp and/or the sio module.  An earlier crash on 7.0-RELEASE looks like this:

# kgdb kernel.debug /var/crash/vmcore.0
[...]
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:
spin lock 0xc0c04448 (sio) held by 0xc566f420 (tid 100079) too long
panic: spin lock held too long
cpuid = 0
Uptime: 2h14m42s
Physical memory: 2027 MB
Dumping 73 MB: 58 42 26 10
#0  doadump () at pcpu.h:195
195             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) backtrace
#0  doadump () at pcpu.h:195
#1  0xc0754647 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc0754909 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:563
#3  0xc0747fff in _mtx_lock_spin_failed (m=0x0)
    at /usr/src/sys/kern/kern_mutex.c:445
#4  0xc0748085 in _mtx_lock_spin (m=0xc0c04448, tid=3306395184, opts=0,
    file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:478
#5  0xc0a2b19a in comstart (tp=0xc5278800) at /usr/src/sys/dev/sio/sio.c:1996
#6  0xc07f4404 in pppstart (tp=0xc5278800) at tty.h:393
#7  0xc07f4eff in pppasyncstart (sc=0xc5487e00)
    at /usr/src/sys/net/ppp_tty.c:693
#8  0xc07ef9a2 in pppoutput (ifp=0xc5286000, m0=0xc5600600, dst=0xc543c0b0,
    rtp=0xc5595ca8) at /usr/src/sys/net/if_ppp.c:992
#9  0xc0836f09 in ip_output (m=0xc5600600, opt=0x0, ro=0xe578db1c, flags=Variable "flags" is not available.
)
    at /usr/src/sys/netinet/ip_output.c:549
#10 0xc0833e05 in ip_forward (m=0xc5600600, srcrt=0)
    at /usr/src/sys/netinet/ip_input.c:1361
#11 0xc08352f3 in ip_input (m=0xc5600600)
    at /usr/src/sys/netinet/ip_input.c:610
#12 0xc07f4045 in netisr_dispatch (num=2, m=0xc5600600)
    at /usr/src/sys/net/netisr.c:185
#13 0xc07ea081 in ether_demux (ifp=0xc5255800, m=0xc5600600)
    at /usr/src/sys/net/if_ethersubr.c:834
---Type <return> to continue, or q <return> to quit---
#14 0xc07ea473 in ether_input (ifp=0xc5255800, m=0xc5600600)
    at /usr/src/sys/net/if_ethersubr.c:692
#15 0xc09208e8 in xl_rxeof (sc=0xc526b000) at /usr/src/sys/pci/if_xl.c:2062
#16 0xc0922c64 in xl_intr (arg=0xc526b000) at /usr/src/sys/pci/if_xl.c:2298
#17 0xc073786b in ithread_loop (arg=0xc5231a80)
    at /usr/src/sys/kern/kern_intr.c:1036
#18 0xc0734669 in fork_exit (callout=0xc07376c0 <ithread_loop>,
    arg=0xc5231a80, frame=0xe578dd38) at /usr/src/sys/kern/kern_fork.c:781
#19 0xc0a37f60 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:205
(kgdb)

This problem is critcal for me, as I want to replace my router with an updated release of FreeBSD.  But it may not be critical in regards to other IFF_NEEDSGIANT flag work being worked on at the moment.
>How-To-Repeat:
run kernel mode PPP on 7.0 or 7.1-PRERELEASE

>Fix:
Dont run kernel mode ppp


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list