[Bug 221849] Kernel panic, kqueue related NULL pointer dereference sys/kern/kern_event.c
bugzilla-noreply at freebsd.org
Sun Aug 27 14:39:29 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221849
--- Comment #1 from Aragon Gouveia <aragon at phat.za.net> ---
After more tests, I think the kqueue-related backtrace from earlier might just
be a symptom of something much stranger. Is it possible that the IPSec stack is
overwriting kernel memory?
The kernel panic consistently happens shortly after the Android VPN client and
racoon finish establishing ISAKMP and IPSec SAs, but before MPD sees any L2TP
requests.
What is inconsistent is the content of the backtrace. I have rebuilt a
GENERIC kernel with -O0 to try to make debugging easier, and below are a few kgdb
sessions from separate panics, all triggered under the same condition: an
Android VPN client trying to connect.
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x1100000094
fault code = supervisor write data, page not present
instruction pointer = 0x20:0xffffffff814c43b6
stack pointer = 0x28:0xfffffe00003b3af0
frame pointer = 0x28:0xfffffe00003b3b00
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 814 (sshd)
trap number = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff810e9be7 at kdb_backtrace+0xa7
#1 0xffffffff8107a129 at vpanic+0x249
#2 0xffffffff81079ee0 at vpanic+0
#3 0xffffffff817cb38a at trap_fatal+0x60a
#4 0xffffffff817cb538 at trap_pfault+0x188
#5 0xffffffff817ca6e1 at trap+0x751
#6 0xffffffff817cb9ba at trap_check+0x4a
#7 0xffffffff817a07e1 at calltrap+0x8
#8 0xffffffff814bfc42 at refcount_release+0x22
#9 0xffffffff814bfbae at key_freesp+0x2e
#10 0xffffffff814b7744 at ipsec_invalidate_cache+0xc4
#11 0xffffffff814b622a at ipsec_getpcbpolicy+0x16a
#12 0xffffffff814b6005 at ipsec_hdrsiz_inpcb+0x25
#13 0xffffffff8141e57d at tcp_output+0x9dd
#14 0xffffffff81439c80 at tcp_usr_send+0x350
#15 0xffffffff8116a051 at sosend_generic+0xeb1
#16 0xffffffff8116a31d at sosend+0x5d
#17 0xffffffff8112e7c7 at soo_write+0x87
Uptime: 6m9s
Dumping 123 out of 981 MB:..13%..26%..39%..52%..65%..78%..91%
Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from
/usr/lib/debug//boot/kernel/ng_socket.ko.debug...done.
done.
Loaded symbols for /boot/kernel/ng_socket.ko
Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from
/usr/lib/debug//boot/kernel/netgraph.ko.debug...done.
done.
Loaded symbols for /boot/kernel/netgraph.ko
Reading symbols from /boot/kernel/ng_mppc.ko...Reading symbols from
/usr/lib/debug//boot/kernel/ng_mppc.ko.debug...done.
done.
Loaded symbols for /boot/kernel/ng_mppc.ko
Reading symbols from /boot/kernel/rc4.ko...Reading symbols from
/usr/lib/debug//boot/kernel/rc4.ko.debug...done.
done.
Loaded symbols for /boot/kernel/rc4.ko
#0 doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:298
298 dumptid = curthread->td_tid;
(kgdb) list *0xffffffff814c43b6
0xffffffff814c43b6 is in atomic_fetchadd_int (atomic.h:245).
240 */
241 static __inline u_int
242 atomic_fetchadd_int(volatile u_int *p, u_int v)
243 {
244
245 __asm __volatile(
246 " " MPLOCKED " "
247 " xaddl %0,%1 ; "
248 "# atomic_fetchadd_int"
249 : "+r" (v), /* 0 */
Current language: auto; currently minimal
(kgdb) backtrace
#0 doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:298
#1 0xffffffff81079668 in kern_reboot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:366
#2 0xffffffff8107a17f in vpanic (fmt=0xffffffff81b40308 "%s",
ap=0xfffffe00003b34a0) at /usr/src/sys/kern/kern_shutdown.c:759
#3 0xffffffff81079ee0 in panic (fmt=0xffffffff81b40308 "%s") at
/usr/src/sys/kern/kern_shutdown.c:690
#4 0xffffffff817cb38a in trap_fatal (frame=0xfffffe00003b3a30,
eva=73014444180) at /usr/src/sys/amd64/amd64/trap.c:801
#5 0xffffffff817cb538 in trap_pfault (frame=0xfffffe00003b3a30, usermode=0) at
/usr/src/sys/amd64/amd64/trap.c:683
#6 0xffffffff817ca6e1 in trap (frame=0xfffffe00003b3a30) at
/usr/src/sys/amd64/amd64/trap.c:421
#7 0xffffffff817cb9ba in trap_check (frame=0xfffffe00003b3a30) at
/usr/src/sys/amd64/amd64/trap.c:602
#8 0xffffffff817a07e1 in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:236
#9 0xffffffff814c43b6 in atomic_fetchadd_int (p=0x1100000094, v=4294967295) at
atomic.h:250
#10 0xffffffff814bfc42 in refcount_release (count=0x1100000094) at
refcount.h:62
#11 0xffffffff814bfbae in key_freesp (spp=0xfffffe00003b3b58) at
/usr/src/sys/netipsec/key.c:1076
#12 0xffffffff814b7744 in ipsec_invalidate_cache (inp=0xfffff80003f2fae0,
dir=2) at /usr/src/sys/netipsec/ipsec.c:317
#13 0xffffffff814b622a in ipsec_getpcbpolicy (inp=0xfffff80003f2fae0, dir=2) at
/usr/src/sys/netipsec/ipsec.c:463
#14 0xffffffff814b6005 in ipsec_hdrsiz_inpcb (inp=0xfffff80003f2fae0) at
/usr/src/sys/netipsec/ipsec.c:1151
#15 0xffffffff8141e57d in tcp_output (tp=0xfffff80003e58820) at
/usr/src/sys/netinet/tcp_output.c:560
#16 0xffffffff81439c80 in tcp_usr_send (so=0xfffff80013035000, flags=0,
m=0xfffff80013538400, nam=0x0, control=0x0,
td=0xfffff80003cbd000) at /usr/src/sys/netinet/tcp_usrreq.c:967
#17 0xffffffff8116a051 in sosend_generic (so=0xfffff80013035000, addr=0x0,
uio=0xfffffe00003b47a8, top=0xfffff80013538400,
control=0x0, flags=0, td=0xfffff80003cbd000) at
/usr/src/sys/kern/uipc_socket.c:1360
#18 0xffffffff8116a31d in sosend (so=0xfffff80013035000, addr=0x0,
uio=0xfffffe00003b47a8, top=0x0, control=0x0, flags=0,
td=0xfffff80003cbd000) at /usr/src/sys/kern/uipc_socket.c:1405
#19 0xffffffff8112e7c7 in soo_write (fp=0xfffff80003869b90,
uio=0xfffffe00003b47a8, active_cred=0xfffff80003d5a600, flags=0,
td=0xfffff80003cbd000) at /usr/src/sys/kern/sys_socket.c:146
#20 0xffffffff81121e1a in fo_write (fp=0xfffff80003869b90,
uio=0xfffffe00003b47a8, active_cred=0xfffff80003d5a600, flags=0,
td=0xfffff80003cbd000) at file.h:307
#21 0xffffffff8111dc36 in dofilewrite (td=0xfffff80003cbd000, fd=3,
fp=0xfffff80003869b90, auio=0xfffffe00003b47a8, offset=-1,
flags=0) at /usr/src/sys/kern/sys_generic.c:592
#22 0xffffffff8111d786 in kern_writev (td=0xfffff80003cbd000, fd=3,
auio=0xfffffe00003b47a8) at /usr/src/sys/kern/sys_generic.c:506
#23 0xffffffff8111d65f in sys_write (td=0xfffff80003cbd000,
uap=0xfffffe00003b4a58) at /usr/src/sys/kern/sys_generic.c:420
#24 0xffffffff817cc7b1 in syscallenter (td=0xfffff80003cbd000,
sa=0xfffffe00003b4a48) at subr_syscall.c:135
#25 0xffffffff817cbd0a in amd64_syscall (td=0xfffff80003cbd000, traced=0) at
/usr/src/sys/amd64/amd64/trap.c:902
#26 0xffffffff817a0acb in Xfast_syscall () at
/usr/src/sys/amd64/amd64/exception.S:396
#27 0x00000008021c34aa in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 11
#11 0xffffffff814bfbae in key_freesp (spp=0xfffffe00003b3b58) at
/usr/src/sys/netipsec/key.c:1076
1076 if (SP_DELREF(sp) == 0)
(kgdb) list
1071 key_freesp(struct secpolicy **spp)
1072 {
1073 struct secpolicy *sp = *spp;
1074
1075 IPSEC_ASSERT(sp != NULL, ("null sp"));
1076 if (SP_DELREF(sp) == 0)
1077 return;
1078
1079 KEYDBG(IPSEC_STAMP,
1080 printf("%s: last reference to SP(%p)\n", __func__, sp));
(kgdb) print sp
$1 = (struct secpolicy *) 0x1100000000
(kgdb) print *sp
Cannot access memory at address 0x1100000000
The panic below seemed to occur just as I tried to run "racoonctl show-sa
ipsec" while the VPN client was busy trying to connect.
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x4c
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff814c43fe
stack pointer = 0x28:0xfffffe0000336b70
frame pointer = 0x28:0xfffffe0000336bd0
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 688 (racoon)
trap number = 12
panic: page fault
cpuid = 0
KDB: stack backtrace:
#0 0xffffffff810e9be7 at kdb_backtrace+0xa7
#1 0xffffffff8107a129 at vpanic+0x249
#2 0xffffffff81079ee0 at vpanic+0
#3 0xffffffff817cb38a at trap_fatal+0x60a
#4 0xffffffff817cb538 at trap_pfault+0x188
#5 0xffffffff817ca6e1 at trap+0x751
#6 0xffffffff817cb9ba at trap_check+0x4a
#7 0xffffffff817a07e1 at calltrap+0x8
#8 0xffffffff814d297a at key_setdumpsa+0x40a
#9 0xffffffff814cb182 at key_dump+0x412
#10 0xffffffff814c31e4 at key_parse+0xce4
#11 0xffffffff814d86ac at key_output+0x1ac
#12 0xffffffff8125af8c at raw_usend+0x8c
#13 0xffffffff814d9bb1 at key_send+0x51
#14 0xffffffff8116a051 at sosend_generic+0xeb1
#15 0xffffffff8116a31d at sosend+0x5d
#16 0xffffffff811769bc at kern_sendit+0x42c
#17 0xffffffff81176e86 at sendit+0x146
Uptime: 5m22s
Dumping 124 out of 981 MB:..13%..26%..39%..52%..65%..78%..91%
Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from
/usr/lib/debug//boot/kernel/ng_socket.ko.debug...done.
done.
Loaded symbols for /boot/kernel/ng_socket.ko
Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from
/usr/lib/debug//boot/kernel/netgraph.ko.debug...done.
done.
Loaded symbols for /boot/kernel/netgraph.ko
Reading symbols from /boot/kernel/ng_mppc.ko...Reading symbols from
/usr/lib/debug//boot/kernel/ng_mppc.ko.debug...done.
done.
Loaded symbols for /boot/kernel/ng_mppc.ko
Reading symbols from /boot/kernel/rc4.ko...Reading symbols from
/usr/lib/debug//boot/kernel/rc4.ko.debug...done.
done.
Loaded symbols for /boot/kernel/rc4.ko
#0 doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:298
298 dumptid = curthread->td_tid;
(kgdb) list *0xffffffff814c43fe
0xffffffff814c43fe is in key_setsadbaddr (/usr/src/sys/netipsec/key.c:3693).
3688 struct mbuf *m;
3689 struct sadb_address *p;
3690 size_t len;
3691
3692 len = PFKEY_ALIGN8(sizeof(struct sadb_address)) +
3693 PFKEY_ALIGN8(saddr->sa_len);
3694 m = m_get2(len, M_NOWAIT, MT_DATA, 0);
3695 if (m == NULL)
3696 return (NULL);
3697 m_align(m, len);
Current language: auto; currently minimal
(kgdb) backtrace
#0 doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:298
#1 0xffffffff81079668 in kern_reboot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:366
#2 0xffffffff8107a17f in vpanic (fmt=0xffffffff81b40308 "%s",
ap=0xfffffe0000336520) at /usr/src/sys/kern/kern_shutdown.c:759
#3 0xffffffff81079ee0 in panic (fmt=0xffffffff81b40308 "%s") at
/usr/src/sys/kern/kern_shutdown.c:690
#4 0xffffffff817cb38a in trap_fatal (frame=0xfffffe0000336ab0, eva=76) at
/usr/src/sys/amd64/amd64/trap.c:801
#5 0xffffffff817cb538 in trap_pfault (frame=0xfffffe0000336ab0, usermode=0) at
/usr/src/sys/amd64/amd64/trap.c:683
#6 0xffffffff817ca6e1 in trap (frame=0xfffffe0000336ab0) at
/usr/src/sys/amd64/amd64/trap.c:421
#7 0xffffffff817cb9ba in trap_check (frame=0xfffffe0000336ab0) at
/usr/src/sys/amd64/amd64/trap.c:602
#8 0xffffffff817a07e1 in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:236
#9 0xffffffff814c43fe in key_setsadbaddr (exttype=6, saddr=0x4c, prefixlen=255
'?', ul_proto=255) at /usr/src/sys/netipsec/key.c:3693
#10 0xffffffff814d297a in key_setdumpsa (sav=0xfffff8000381b700, type=10 '\n',
satype=3 '\003', seq=0, pid=688)
at /usr/src/sys/netipsec/key.c:3469
#11 0xffffffff814cb182 in key_dump (so=0xfffff800039a8360,
m=0xfffff8003d4fab00, mhp=0xfffffe0000336fd8)
at /usr/src/sys/netipsec/key.c:7509
#12 0xffffffff814c31e4 in key_parse (m=0xfffff8003d4fab00,
so=0xfffff800039a8360) at /usr/src/sys/netipsec/key.c:7861
#13 0xffffffff814d86ac in key_output (m=0xfffff8003d4fab00,
so=0xfffff800039a8360) at /usr/src/sys/netipsec/keysock.c:128
#14 0xffffffff8125af8c in raw_usend (so=0xfffff800039a8360, flags=0,
m=0xfffff8003d4fab00, nam=0x0, control=0x0,
td=0xfffff800039f5560) at /usr/src/sys/net/raw_usrreq.c:238
#15 0xffffffff814d9bb1 in key_send (so=0xfffff800039a8360, flags=0,
m=0xfffff8003d4fab00, nam=0x0, control=0x0, td=0xfffff800039f5560)
at /usr/src/sys/netipsec/keysock.c:492
#16 0xffffffff8116a051 in sosend_generic (so=0xfffff800039a8360, addr=0x0,
uio=0xfffffe00003376a0, top=0xfffff8003d4fab00,
control=0x0, flags=0, td=0xfffff800039f5560) at
/usr/src/sys/kern/uipc_socket.c:1360
#17 0xffffffff8116a31d in sosend (so=0xfffff800039a8360, addr=0x0,
uio=0xfffffe00003376a0, top=0x0, control=0x0, flags=0,
td=0xfffff800039f5560) at /usr/src/sys/kern/uipc_socket.c:1405
#18 0xffffffff811769bc in kern_sendit (td=0xfffff800039f5560, s=12,
mp=0xfffffe00003377b0, flags=0, control=0x0, segflg=UIO_USERSPACE)
at /usr/src/sys/kern/uipc_syscalls.c:873
#19 0xffffffff81176e86 in sendit (td=0xfffff800039f5560, s=12,
mp=0xfffffe00003377b0, flags=0)
at /usr/src/sys/kern/uipc_syscalls.c:793
#20 0xffffffff81176d37 in sys_sendto (td=0xfffff800039f5560,
uap=0xfffffe0000337a58) at /usr/src/sys/kern/uipc_syscalls.c:924
#21 0xffffffff817cc7b1 in syscallenter (td=0xfffff800039f5560,
sa=0xfffffe0000337a48) at subr_syscall.c:135
#22 0xffffffff817cbd0a in amd64_syscall (td=0xfffff800039f5560, traced=0) at
/usr/src/sys/amd64/amd64/trap.c:902
#23 0xffffffff817a0acb in Xfast_syscall () at
/usr/src/sys/amd64/amd64/exception.S:396
#24 0x00000008013c9dfa in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 10
#10 0xffffffff814d297a in key_setdumpsa (sav=0xfffff8000381b700, type=10 '\n',
satype=3 '\003', seq=0, pid=688)
at /usr/src/sys/netipsec/key.c:3469
3469 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
(kgdb) list
3464 if (!m)
3465 goto fail;
3466 break;
3467
3468 case SADB_EXT_ADDRESS_DST:
3469 m = key_setsadbaddr(SADB_EXT_ADDRESS_DST,
3470 &sav->sah->saidx.dst.sa,
3471 FULLMASK, IPSEC_ULPROTO_ANY);
3472 if (!m)
3473 goto fail;
(kgdb) print sav
$1 = (struct secasvar *) 0xfffff8000381b700
(kgdb) print *sav
$2 = {spi = 778989686, flags = 779777128, seq = 1819047270, pid = 1768120678,
ivlen = 1663985518, sah = 0x0, key_auth = 0x0,
key_enc = 0x0, replay = 0x0, natt = 0x0, lock = 0x0, tdb_xform = 0x0,
tdb_encalgxform = 0x0, tdb_authalgxform = 0x0,
tdb_compalgxform = 0x0, tdb_cryptoid = 0, alg_auth = 0 '\0', alg_enc = 0
'\0', alg_comp = 0 '\0', state = 0 '\0', lft_c = 0x0,
lft_h = 0x0, lft_s = 0x0, created = 0, firstused = 0, chain = {tqe_next =
0x0, tqe_prev = 0x0}, spihash = {le_next = 0x0,
le_prev = 0x0}, drainq = {le_next = 0x0, le_prev = 0x0}, cntr = 0, refcnt =
0}
(kgdb) print sav->sah
$3 = (struct secashead *) 0x0
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x50
fault code = supervisor write data, page not present
instruction pointer = 0x20:0xffffffff8106e168
stack pointer = 0x28:0xfffffe00002bf620
frame pointer = 0x28:0xfffffe00002bf630
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 948 (sshd)
trap number = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff810e9be7 at kdb_backtrace+0xa7
#1 0xffffffff8107a129 at vpanic+0x249
#2 0xffffffff81079ee0 at vpanic+0
#3 0xffffffff817cb38a at trap_fatal+0x60a
#4 0xffffffff817cb538 at trap_pfault+0x188
#5 0xffffffff817ca6e1 at trap+0x751
#6 0xffffffff817cb9ba at trap_check+0x4a
#7 0xffffffff817a07e1 at calltrap+0x8
#8 0xffffffff8106defd at chglimit+0x3d
#9 0xffffffff8106e09b at chgkqcnt+0x3b
#10 0xffffffff80fefe55 at kern_kqueue+0x75
#11 0xffffffff80fefdd7 at sys_kqueue+0x37
#12 0xffffffff817cc7b1 at syscallenter+0x961
#13 0xffffffff817cbd0a at amd64_syscall+0x2a
#14 0xffffffff817a0acb at Xfast_syscall+0xfb
Uptime: 45m34s
Dumping 123 out of 981 MB:..13%..26%..39%..52%..65%..78%..91%
Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from
/usr/lib/debug//boot/kernel/ng_socket.ko.debug...done.
done.
Loaded symbols for /boot/kernel/ng_socket.ko
Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from
/usr/lib/debug//boot/kernel/netgraph.ko.debug...done.
done.
Loaded symbols for /boot/kernel/netgraph.ko
Reading symbols from /boot/kernel/ng_mppc.ko...Reading symbols from
/usr/lib/debug//boot/kernel/ng_mppc.ko.debug...done.
done.
Loaded symbols for /boot/kernel/ng_mppc.ko
Reading symbols from /boot/kernel/rc4.ko...Reading symbols from
/usr/lib/debug//boot/kernel/rc4.ko.debug...done.
done.
Loaded symbols for /boot/kernel/rc4.ko
#0 doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:298
298 dumptid = curthread->td_tid;
(kgdb) list *0xffffffff8106e168
0xffffffff8106e168 is in atomic_fetchadd_long (atomic.h:263).
258 */
259 static __inline u_long
260 atomic_fetchadd_long(volatile u_long *p, u_long v)
261 {
262
263 __asm __volatile(
264 " " MPLOCKED " "
265 " xaddq %0,%1 ; "
266 "# atomic_fetchadd_long"
267 : "+r" (v), /* 0 */
Current language: auto; currently minimal
(kgdb) backtrace
#0 doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:298
#1 0xffffffff81079668 in kern_reboot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:366
#2 0xffffffff8107a17f in vpanic (fmt=0xffffffff81b40308 "%s",
ap=0xfffffe00002befd0) at /usr/src/sys/kern/kern_shutdown.c:759
#3 0xffffffff81079ee0 in panic (fmt=0xffffffff81b40308 "%s") at
/usr/src/sys/kern/kern_shutdown.c:690
#4 0xffffffff817cb38a in trap_fatal (frame=0xfffffe00002bf560, eva=80) at
/usr/src/sys/amd64/amd64/trap.c:801
#5 0xffffffff817cb538 in trap_pfault (frame=0xfffffe00002bf560, usermode=0) at
/usr/src/sys/amd64/amd64/trap.c:683
#6 0xffffffff817ca6e1 in trap (frame=0xfffffe00002bf560) at
/usr/src/sys/amd64/amd64/trap.c:421
#7 0xffffffff817cb9ba in trap_check (frame=0xfffffe00002bf560) at
/usr/src/sys/amd64/amd64/trap.c:602
#8 0xffffffff817a07e1 in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:236
#9 0xffffffff8106e168 in atomic_fetchadd_long (p=0x50, v=1) at atomic.h:268
#10 0xffffffff8106defd in chglimit (uip=0x0, limit=0x50, diff=1,
max=9223372036854775807, name=0xffffffff81e06486 "kqcnt")
at /usr/src/sys/kern/kern_resource.c:1376
#11 0xffffffff8106e09b in chgkqcnt (uip=0x0, diff=1, max=9223372036854775807)
at /usr/src/sys/kern/kern_resource.c:1433
#12 0xffffffff80fefe55 in kern_kqueue (td=0xfffff8000364e000, flags=0,
fcaps=0x0) at /usr/src/sys/kern/kern_event.c:837
#13 0xffffffff80fefdd7 in sys_kqueue (td=0xfffff8000364e000,
uap=0xfffffe00002bfa58) at /usr/src/sys/kern/kern_event.c:813
#14 0xffffffff817cc7b1 in syscallenter (td=0xfffff8000364e000,
sa=0xfffffe00002bfa48) at subr_syscall.c:135
#15 0xffffffff817cbd0a in amd64_syscall (td=0xfffff8000364e000, traced=0) at
/usr/src/sys/amd64/amd64/trap.c:902
#16 0xffffffff817a0acb in Xfast_syscall () at
/usr/src/sys/amd64/amd64/exception.S:396
#17 0x00000008021aae9a in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 12
#12 0xffffffff80fefe55 in kern_kqueue (td=0xfffff8000364e000, flags=0,
fcaps=0x0) at /usr/src/sys/kern/kern_event.c:837
837 if (!chgkqcnt(cred->cr_ruidinfo, 1, lim_cur(td,
RLIMIT_KQUEUES)))
(kgdb) list
832 struct ucred *cred;
833 int fd, error;
834
835 fdp = td->td_proc->p_fd;
836 cred = td->td_ucred;
837 if (!chgkqcnt(cred->cr_ruidinfo, 1, lim_cur(td,
RLIMIT_KQUEUES)))
838 return (ENOMEM);
839
840 error = falloc_caps(td, &fp, &fd, flags, fcaps);
841 if (error != 0) {
(kgdb) print *td
$1 = {td_lock = 0xffffffff825e8d00, td_proc = 0xfffff8000333f000, td_plist =
{tqe_next = 0x0, tqe_prev = 0xfffff8000333f010},
td_runq = {tqe_next = 0xfffff80003e80560, tqe_prev = 0xffffffff825e8f88},
td_slpq = {tqe_next = 0x0,
tqe_prev = 0xfffff80003323480}, td_lockq = {tqe_next = 0x0, tqe_prev =
0x0}, td_hash = {le_next = 0x0,
le_prev = 0xfffffe0000d4c7b8}, td_cpuset = 0xfffff800032ce000, td_sel =
0xfffff800032d8680, td_sleepqueue = 0xfffff80003323480,
td_turnstile = 0xfffff8000320f540, td_rlqe = 0xfffff80003874820, td_umtxq =
0xfffff80003642c80, td_vm_dom_policy = {seq = 0, p = {
policy = VM_POLICY_NONE, domain = -1}}, td_tid = 100087, padding1 =
0xfffff8000364e0a0, padding2 = 0xfffff8000364e0c0,
td_lend_user_pri = 255 '?', td_flags = 67174406, td_inhibitors = 0, td_pflags
= 0, td_dupfd = 0, td_sqqueue = 0, td_wchan = 0x0,
td_wmesg = 0x0, td_owepreempt = 0 '\0', td_tsqueue = 0 '\0', td_locks = 0,
td_rw_rlocks = 0, td_lk_slocks = 0, td_stopsched = 1,
td_blocked = 0x0, td_lockname = 0x0, td_contested = {lh_first = 0x0},
td_sleeplocks = 0x0, td_intr_nesting_level = 0,
td_pinned = 0, td_ucred = 0xfffff8000390f700, td_limit = 0xfffff8000381b400,
td_slptick = 0, td_blktick = 0,
td_swvoltick = -2145350148, td_swinvoltick = -2145350138, td_cow = 127, td_ru
= {ru_utime = {tv_sec = 0, tv_usec = 0}, ru_stime = {
tv_sec = 0, tv_usec = 0}, ru_maxrss = 7268, ru_ixrss = 592, ru_idrss =
80, ru_isrss = 256, ru_minflt = 274, ru_majflt = 0,
ru_nswap = 0, ru_inblock = 0, ru_oublock = 0, ru_msgsnd = 0, ru_msgrcv = 2,
ru_nsignals = 0, ru_nvcsw = 1, ru_nivcsw = 1},
td_rux = {rux_runtime = 0, rux_uticks = 0, rux_sticks = 0, rux_iticks = 0,
rux_uu = 0, rux_su = 0, rux_tu = 0},
td_incruntime = 44205853, td_runtime = 44205853, td_pticks = 1, td_sticks =
1, td_iticks = 0, td_uticks = 1, td_intrval = 0,
td_oldsigmask = {__bits = 0xfffff8000364e254}, td_generation = 2, td_sigstk =
{ss_sp = 0x0, ss_size = 0, ss_flags = 4},
td_xsig = 0, td_profil_addr = 0, td_profil_ticks = 0, td_name =
0xfffff8000364e294 "sshd", td_fpop = 0x0, td_dbgflags = 0,
td_dbgksi = {ksi_link = {tqe_next = 0x0, tqe_prev = 0x0}, ksi_info =
{si_signo = 0, si_errno = 0, si_code = 0, si_pid = 0,
si_uid = 0, si_status = 0, si_addr = 0x0, si_value = {sival_int = 0,
sival_ptr = 0x0, sigval_int = 0, sigval_ptr = 0x0},
_reason = {_fault = {_trapno = 0}, _timer = {_timerid = 0, _overrun = 0},
_mesgq = {_mqd = 0}, _poll = {_band = 0},
__spare__ = {__spare1__ = 0, __spare2__ = 0xfffff8000364e2f8}}},
ksi_flags = 0, ksi_sigq = 0x0}, td_ng_outbound = 0,
td_osd = {osd_nslots = 0, osd_slots = 0x0, osd_next = {le_next = 0x0, le_prev
= 0x0}}, td_map_def_user = 0x0, td_dbg_forked = 0,
td_vp_reserv = 0, td_no_sleeping = 0, td_dom_rr_idx = 0, td_su = 0x0,
td_rtcgen = 0, td_sigmask = {__bits = 0xfffff8000364e374},
td_rqindex = 30 '\036', td_base_pri = 120 'x', td_priority = 120 'x',
td_pri_class = 3 '\003', td_user_pri = 121 'y',
td_base_user_pri = 121 'y', td_dbg_sc_code = 0, td_dbg_sc_narg = 0,
td_rb_list = 0, td_rbp_list = 0, td_rb_inact = 0,
td_pcb = 0xfffffe00002bfb80, td_state = TDS_RUNNING, td_uretoff = {tdu_retval
= 0xfffff8000364e3c0, tdu_off = 0}, td_cowgen = 1,
td_slpcallout = {c_links = {le = {le_next = 0x0, le_prev =
0xfffff8001317d3d8}, sle = {sle_next = 0x0}, tqe = {tqe_next = 0x0,
tqe_prev = 0xfffff8001317d3d8}}, c_time = 8284352236906, c_precision =
16106127360, c_arg = 0xfffff8000364e000,
c_func = 0xffffffff811018e0 <sleepq_timeout>, c_lock = 0x0, c_flags = 0,
c_iflags = 272, c_cpu = 0},
td_frame = 0xfffffe00002bfac0, td_kstack_obj = 0xfffff800037b8a50, td_kstack
= 18446741874689163264, td_kstack_pages = 4,
td_critnest = 1, td_md = {md_spinlock_count = 1, md_saved_flags = 646,
md_spurflt_addr = 34427155648, md_invl_gen = {gen = 0,
link = {le_next = 0x0, le_prev = 0xffffffff826df868}}}, td_ar = 0x0,
td_lprof = 0xfffff8000364e470,
td_dtrace = 0xfffff80003e35600, td_errno = 0, td_vnet = 0x0, td_vnet_lpush =
0x0, td_intr_frame = 0x0,
td_rfppwait_p = 0xfffff8000396d588, td_ma = 0x0, td_ma_cnt = 0, td_emuldata =
0x0, td_lastcpu = 1, td_oncpu = 1, td_sleeptimo = 0,
---Type <return> to continue, or q <return> to quit---
td_sigqueue = {sq_signals = {__bits = 0xfffff8000364e4d8}, sq_kill = {__bits
= 0xfffff8000364e4e8}, sq_ptrace = {
__bits = 0xfffff8000364e4f8}, sq_list = {tqh_first = 0x0, tqh_last =
0xfffff8000364e508}, sq_proc = 0xfffff8000333f000,
sq_flags = 1}}
(kgdb) print *cred
$2 = {cr_ref = 2178945375, cr_uid = 4294967295, cr_ruid = 21168128, cr_svuid =
0, cr_ngroups = 0, cr_rgid = 0, cr_svgid = 4,
cr_uidinfo = 0x0, cr_ruidinfo = 0x0, cr_prison = 0xfffff800130f3060,
cr_loginclass = 0xfffff80013032d80, cr_flags = 318975384,
cr_pspare2 = 0xfffff8000390f748, cr_label = 0x0, cr_audit = {ai_auid = 0,
ai_mask = {am_success = 0, am_failure = 2164206432},
ai_termid = {at_port = 4294967295, at_type = 2164206608, at_addr =
0xfffff8000390f774}, ai_asid = -1,
ai_flags = 18446735277676361472}, cr_groups = 0x0, cr_agroups = 0,
cr_smallgroups = 0xfffff8000390f79c}
Thank you for looking at this!!