[PATCH] Fix in6p_leave_group() panic by misbehaving apps - VLC
SAP service discovery still panics kernel
Mattia Rossi
mrossi at swin.edu.au
Fri Jul 31 07:47:50 UTC 2009
Hi,
I finally had the time to test this patch (I'm now on FreeBSD 8.0-BETA2
#28 r195968M, which includes the patch), but VLC still panics the kernel when
using SAP service discovery.
But I also finally got a saved kernel dump, so here are the details:
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x8
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc071c9a0
stack pointer = 0x28:0xc737983c
frame pointer = 0x28:0xc73798cc
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (swi4: clock)
trap number = 12
panic: page fault
cpuid = 1
Uptime: 2m14s
Physical memory: 3551 MB
Dumping 222 MB: 207 191 175 159 143 127 111 95 79 63 47 31 15
Reading symbols from /boot/kernel/snd_hda.ko...Reading symbols from
/boot/kernel/snd_hda.ko.symbols...done.
done.
Loaded symbols for
/boot/kernel/snd_hda.ko
Reading symbols from /boot/kernel/sound.ko...Reading symbols from
/boot/kernel/sound.ko.symbols...done.
done.
Loaded symbols for
/boot/kernel/sound.ko
Reading symbols from /boot/kernel/linprocfs.ko...Reading symbols from
/boot/kernel/linprocfs.ko.symbols...done.
done.
Loaded symbols for
/boot/kernel/linprocfs.ko
Reading symbols from /boot/kernel/linux.ko...Reading symbols from
/boot/kernel/linux.ko.symbols...done.
done.
Loaded symbols for
/boot/kernel/linux.ko
Reading symbols from /boot/kernel/i915.ko...Reading symbols from
/boot/kernel/i915.ko.symbols...done.
done.
Loaded symbols for
/boot/kernel/i915.ko
Reading symbols from /boot/kernel/drm.ko...Reading symbols from
/boot/kernel/drm.ko.symbols...done.
done.
Loaded symbols for
/boot/kernel/drm.ko
#0 doadump () at
pcpu.h:246
246 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
Some more details:
(kgdb) list
*0xc071c9a0
0xc071c9a0 is in lpoutput (/usr/src/sys/dev/ppbus/if_plip.c:669).
664
665 static __inline int
666 lpoutbyte(u_char byte, int spin, device_t ppbus)
667 {
668
669 ppb_wdtr(ppbus, txmith[byte]);
670 while (!(ppb_rstr(ppbus) & LPIP_SHAKE))
671 if (--spin == 0)
672 return (1);
673 ppb_wdtr(ppbus, txmitl[byte]);
And the backtrace:
(kgdb)
bt
#0 doadump () at
pcpu.h:246
#1 0xc088c5c7 in boot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:419
#2 0xc088c8f2 in panic (fmt=Variable "fmt" is not
available.
) at
/usr/src/sys/kern/kern_shutdown.c:575
#3 0xc0bc75b3 in trap_fatal (frame=0xc73797fc, eva=8) at
/usr/src/sys/i386/i386/trap.c:933
#4 0xc0bc7810 in trap_pfault (frame=0xc73797fc, usermode=0, eva=8) at
/usr/src/sys/i386/i386/trap.c:846
#5 0xc0bc8223 in trap (frame=0xc73797fc) at
/usr/src/sys/i386/i386/trap.c:528
#6 0xc0baad0b in calltrap () at
/usr/src/sys/i386/i386/exception.s:165
#7 0xc071c9a0 in lpoutput (ifp=0xc782b400, m=0xc86f2400,
dst=0xc7379a58, ro=0x0) at /usr/src/sys/dev/ppbus/if_plip.c:669
#8 0xc0a39018 in nd6_output_lle (ifp=0xc782b400, origifp=0xc782b400,
m0=0xc86f2400, dst=0xc7379a58, rt0=0x0, lle=0x0, chain=0x0) at
/usr/src/sys/netinet6/nd6.c:1914
#9 0xc0a3912d in nd6_output (ifp=0xc782b400, origifp=0xc782b400,
m0=0xc86f2400, dst=0xc7379a58, rt0=0x0) at
/usr/src/sys/netinet6/nd6.c:1691
#10 0xc0a33ac8 in ip6_output (m0=0xc7dab500, opt=0xc0dda6a0,
ro=0xc7379a50, flags=1, im6o=0xc7379b30, ifpp=0xc7379b50,
inp=0x0)
at
/usr/src/sys/netinet6/ip6_output.c:905
#11 0xc0a34833 in mld_dispatch_packet (m=Variable "m" is not
available.
) at
/usr/src/sys/netinet6/mld6.c:3074
#12 0xc0a34b48 in mld_dispatch_queue (ifq=0xc7379bdc, limit=0) at
/usr/src/sys/netinet6/mld6.c:409
#13 0xc0a375e9 in mld_fasttimo () at
/usr/src/sys/netinet6/mld6.c:1421
#14 0xc0a19588 in icmp6_fasttimo () at
/usr/src/sys/netinet6/icmp6.c:2231
#15 0xc08e1d49 in pffasttimo (arg=0x0) at
/usr/src/sys/kern/uipc_domain.c:522
#16 0xc089f50c in softclock (arg=0xc0dc1b80) at
/usr/src/sys/kern/kern_timeout.c:411
#17 0xc08635eb in intr_event_execute_handlers (p=0xc755a7f8,
ie=0xc75a0d80) at
/usr/src/sys/kern/kern_intr.c:1165
#18 0xc0864b8b in ithread_loop (arg=0xc75591d0) at
/usr/src/sys/kern/kern_intr.c:1178
#19 0xc0860e81 in fork_exit (callout=0xc0864b20 <ithread_loop>,
arg=0xc75591d0, frame=0xc7379d38) at
/usr/src/sys/kern/kern_fork.c:838
#20 0xc0baad80 in fork_trampoline () at
/usr/src/sys/i386/i386/exception.s:270
(kgdb)
up
#1 0xc088c5c7 in boot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:419
419
doadump();
(kgdb)
up
#2 0xc088c8f2 in panic (fmt=Variable "fmt" is not
available.
) at
/usr/src/sys/kern/kern_shutdown.c:575
575
boot(bootopt);
(kgdb)
up
#3 0xc0bc75b3 in trap_fatal (frame=0xc73797fc, eva=8) at
/usr/src/sys/i386/i386/trap.c:933
933 panic("%s",
trap_msg[type]);
(kgdb)
up
#4 0xc0bc7810 in trap_pfault (frame=0xc73797fc, usermode=0, eva=8) at
/usr/src/sys/i386/i386/trap.c:846
846 trap_fatal(frame,
eva);
(kgdb)
up
#5 0xc0bc8223 in trap (frame=0xc73797fc) at
/usr/src/sys/i386/i386/trap.c:528
528 (void) trap_pfault(frame, FALSE,
eva);
(kgdb)
up
#6 0xc0baad0b in calltrap () at
/usr/src/sys/i386/i386/exception.s:165
165 call
trap
Current language: auto; currently
asm
(kgdb)
up
#7 0xc071c9a0 in lpoutput (ifp=0xc782b400, m=0xc86f2400,
dst=0xc7379a58, ro=0x0) at
/usr/src/sys/dev/ppbus/if_plip.c:669
669 ppb_wdtr(ppbus,
txmith[byte]);
Current language: auto; currently
c
(kgdb)
up
#8 0xc0a39018 in nd6_output_lle (ifp=0xc782b400, origifp=0xc782b400,
m0=0xc86f2400, dst=0xc7379a58, rt0=0x0, lle=0x0, chain=0x0) at
/usr/src/sys/netinet6/nd6.c:1914
1914 error = (*ifp->if_output)(ifp, m, (struct sockaddr
*)dst,
NULL);
(kgdb)
up
#9 0xc0a3912d in nd6_output (ifp=0xc782b400, origifp=0xc782b400,
m0=0xc86f2400, dst=0xc7379a58, rt0=0x0) at
/usr/src/sys/netinet6/nd6.c:1691
1691 return (nd6_output_lle(ifp, origifp, m0, dst, rt0, NULL,
NULL));
(kgdb)
up
#10 0xc0a33ac8 in ip6_output (m0=0xc7dab500, opt=0xc0dda6a0,
ro=0xc7379a50, flags=1, im6o=0xc7379b30, ifpp=0xc7379b50,
inp=0x0)
at /usr/src/sys/netinet6/ip6_output.c:905
905 error = nd6_output(ifp, origifp, m, dst, ro->ro_rt);
(kgdb) up
#11 0xc0a34833 in mld_dispatch_packet (m=Variable "m" is not available.
) at /usr/src/sys/netinet6/mld6.c:3074
3074 error = ip6_output(m0, &mld_po, NULL, IPV6_UNSPECSRC, &im6o,
(kgdb) up
#12 0xc0a34b48 in mld_dispatch_queue (ifq=0xc7379bdc, limit=0) at
/usr/src/sys/netinet6/mld6.c:409
409 mld_dispatch_packet(m);
(kgdb) up
#13 0xc0a375e9 in mld_fasttimo () at /usr/src/sys/netinet6/mld6.c:1421
1421 mld_dispatch_queue(&scq, 0);
(kgdb) up
#14 0xc0a19588 in icmp6_fasttimo () at /usr/src/sys/netinet6/icmp6.c:2231
2231 mld_fasttimo();
(kgdb) up
#15 0xc08e1d49 in pffasttimo (arg=0x0) at
/usr/src/sys/kern/uipc_domain.c:522
522 (*pr->pr_fasttimo)();
(kgdb) up
#16 0xc089f50c in softclock (arg=0xc0dc1b80) at
/usr/src/sys/kern/kern_timeout.c:411
411 c_func(c_arg);
(kgdb) up
#17 0xc08635eb in intr_event_execute_handlers (p=0xc755a7f8,
ie=0xc75a0d80) at /usr/src/sys/kern/kern_intr.c:1165
1165 ih->ih_handler(ih->ih_argument);
(kgdb) up
#18 0xc0864b8b in ithread_loop (arg=0xc75591d0) at
/usr/src/sys/kern/kern_intr.c:1178
1178 intr_event_execute_handlers(p, ie);
(kgdb) up
#19 0xc0860e81 in fork_exit (callout=0xc0864b20 <ithread_loop>,
arg=0xc75591d0, frame=0xc7379d38) at /usr/src/sys/kern/kern_fork.c:838
838 callout(arg, frame);
(kgdb) up
#20 0xc0baad80 in fork_trampoline () at
/usr/src/sys/i386/i386/exception.s:270
270 call fork_exit
Current language: auto; currently asm
(kgdb) up
Initial frame selected; you cannot go up.
It really seems to have something to do with IPv6, but not with the path the patch touches: the backtrace shows the fault in lpoutput() (if_plip.c:669) on a ppbus/plip interface, reached from the MLD fast timer in the swi4: clock thread via mld_dispatch_packet() -> ip6_output() -> nd6_output_lle() with lle=0x0 and ro=0x0, and the fault address is 0x8, which looks like a NULL pointer dereference at a small offset rather than the in6p_leave_group() KASSERT the patch addressed. Since an ordinary userland application (VLC) can still trigger this kernel panic, it remains a local denial of service until the remaining bug is fixed.
Mat
Bruce Simpson wrote:
> Hi,
>
> If anyone is experiencing panics with IPv6 in the kernel, and
> multicast applications active, please test this patch. I think some
> folk here saw this with VLC.
>
> re@: If this patch is good (I'll try to test locally) then it should
> go into HEAD ASAP.
>
> Some poorly behaved IPv6 multicast applications don't specify an
> interface for the join, and this triggers a KASSERT I put in to catch
> such corner cases -- so a userland application can bring the kernel down
> instead of simply getting an error back from the join.
>
> Multicast doesn't work unless apps are aware of the links active in
> the system they're running on, and this is a glaring hole in the
> Boost.ASIO API, sadly. This was caught by a Boost regression run on
> ref8.freebsd.org.
>
> Thanks to simon@ for logging the panic from the cluster console servers.
>
> cheers,
> BMS
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"