devd panic on i386 7.2 Release with CARP

Kostik Belousov kostikbel at gmail.com
Fri May 22 20:31:50 UTC 2009


On Fri, May 22, 2009 at 03:26:51PM -0400, Ken Menzel wrote:
> 
> I am having a problem with one of my FreeBSD 7.2R boxes panicking on 
> start of devd after upgrading to 7.2R.  It is an old DELL 2400 dual 
> processor.  This is a build from completely refreshed sources.
> 
> -  generic kernel does not panic (built by me)
> - custom kernel does not panic with devd_enable="NO" set in rc.conf, but 
> !!! __ I can start devd AFTER booting by hand at the command prompt!
> 
> -  custom kernel (carp and more memory ) does panic if devd is started 
> automatically by rc.d scripts (the default behaviour). 
> 
> Do I really need devd for anything if I am not using USB?  Anyone have 
> any idea of how to fix this?
> 
> My kernel config is pretty simple,  I am building a test i386 box with a 
> carp kernel to try and repro this on another box, but that box is really 
> slow.
> 
> After booting I just run
> kes# devd
> devd: Setting hw.bus.devctl_disable to 0
> kes#
...
> <118>lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> <118>   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> <118>   inet6 ::1 prefixlen 128
> <118>   inet 127.0.0.1 netmask 0xff000000
> <118>fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 
> mtu 1500
> <118>   options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
> <118>   ether 00:b0:d0:3e:c7:19
> <118>   inet 207.99.22.32 netmask 0xffffff80 broadcast 207.99.22.127
> <118>   media: Ethernet autoselect (100baseTX <full-duplex>)
> <118>   status: active
> <118>add net default: gateway 207.99.22.1
> <118>Additional routing options:
> <118>.
> <118>Starting devd.
> 
> 
> Fatal trap 12: page fault while in kernel mode
> cpuid = 1; apic id = 00
> fault virtual address   = 0x0
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc0874488
> stack pointer           = 0x28:0xf7bd0b68
> frame pointer           = 0x28:0xf7bd0b68
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                        = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 388 (devd)
> trap number             = 12
> panic: page fault
> cpuid = 1
> Uptime: 2m12s
> Physical memory: 2035 MB
> Dumping 68 MB: 53 37 21 5
> 
> Reading symbols from /boot/kernel/acpi.ko...Reading symbols from 
> /boot/kernel/acpi.ko.symbols...done.
> done.
> Loaded symbols for /boot/kernel/acpi.ko
> #0  doadump () at pcpu.h:196
> 196             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
> (kgdb) backtrace
> #0  doadump () at pcpu.h:196
> #1  0xc07e2a07 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
> #2  0xc07e2cd9 in panic (fmt=Variable "fmt" is not available.
> ) at /usr/src/sys/kern/kern_shutdown.c:574
> #3  0xc0ae895c in trap_fatal (frame=0xf7bd0b28, eva=0)
>    at /usr/src/sys/i386/i386/trap.c:939
> #4  0xc0ae8be0 in trap_pfault (frame=0xf7bd0b28, usermode=0, eva=0)
>    at /usr/src/sys/i386/i386/trap.c:852
> #5  0xc0ae958c in trap (frame=0xf7bd0b28) at 
> /usr/src/sys/i386/i386/trap.c:530
> #6  0xc0acdc9b in calltrap () at /usr/src/sys/i386/i386/exception.s:159
> #7  0xc0874488 in strlen (str=0x0) at /usr/src/sys/libkern/strlen.c:41
> #8  0xc080a46c in devread (dev=0xc548b900, uio=0xf7bd0c60, ioflag=0)
>    at /usr/src/sys/kern/subr_bus.c:458
> #9  0xc07a6039 in giant_read (dev=0xc548b900, uio=0xf7bd0c60, ioflag=0)
>    at /usr/src/sys/kern/kern_conf.c:414
> #10 0xc076cecd in devfs_read_f (fp=0xc58ba260, uio=0xf7bd0c60,
>    cred=0xc5470300, flags=0, td=0xc56288c0)
>    at /usr/src/sys/fs/devfs/devfs_vnops.c:1007
> #11 0xc081be86 in dofileread (td=0xc56288c0, fd=3, fp=0xc58ba260,
>    auio=0xf7bd0c60, offset=-1, flags=0) at file.h:245
> #12 0xc081c1f8 in kern_readv (td=0xc56288c0, fd=3, auio=0xf7bd0c60)
>    at /usr/src/sys/kern/sys_generic.c:193
> #13 0xc081c2df in read (td=0xc56288c0, uap=0xf7bd0cfc)
>    at /usr/src/sys/kern/sys_generic.c:109
> ---Type <return> to continue, or q <return> to quit---
> #14 0xc0ae8f35 in syscall (frame=0xf7bd0d38)
>    at /usr/src/sys/i386/i386/trap.c:1090
> #15 0xc0acdd00 in Xint0x80_syscall () at 
> /usr/src/sys/i386/i386/exception.s:255
> #16 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> (kgdb)

The strlen was supplied a NULL pointer. This means that n1->dei_data
is NULL. A brief look over the RELENG_7 code does not reveal any
caller of devctl_queue_data outside subr_bus.c, and all uses inside
subr_bus.c seem to be safe.

Added options in the config cannot affect this behaviour, I believe.
You may add a check at the start of devctl_queue_data() to verify
that data != NULL, and panic when it is. This way, we will see where
it happens.
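
The check suggested above, as an added example that is not part of the original message and is not FreeBSD source: a userland C model of the event queue in which the producer-side NULL check records the calling function, so the bad entry is attributed to whoever queued it rather than to the reader's strlen. The helper names, the two notifier functions and the sample event string are assumptions, and returning -1 stands in for the panic.

```c
/* Userland model of the event queue in this thread; constructed, not the FreeBSD
 * subr_bus.c source. Only dei_data, n1 and devctl_queue_data come from the page. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAMPLE_EVENT "!system=IFNET subsystem=fxp0 type=LINK_UP"  /* constructed */

struct dev_event_info {                 /* one queued event */
    const char *dei_data;
    struct dev_event_info *next;
};
static struct dev_event_info *head, *tail;
static const char *bad_caller;          /* who tried to queue NULL, if anyone */

/* Producer side: validate at enqueue time, while the caller is still known. */
static int queue_data_checked(const char *data, const char *caller)
{
    struct dev_event_info *n1;
    if (data == NULL) { bad_caller = caller; return -1; }  /* kernel: panic() */
    if ((n1 = malloc(sizeof(*n1))) == NULL) return -1;
    n1->dei_data = data;
    n1->next = NULL;
    if (tail != NULL) tail->next = n1; else head = n1;
    tail = n1;
    return 0;
}
#define devctl_queue_data_model(d) queue_data_checked((d), __func__)

/* Consumer side: the read path, which trusts every queued dei_data. */
static long read_event(char *buf, size_t len)
{
    struct dev_event_info *n1 = head;
    size_t n;
    if (n1 == NULL || len == 0) return -1;
    if ((head = n1->next) == NULL) tail = NULL;
    n = strlen(n1->dei_data);           /* the call that faulted in frame #7 */
    if (n >= len) n = len - 1;
    memcpy(buf, n1->dei_data, n);
    buf[n] = '\0';
    free(n1);
    return (long)n;
}
/* Two hypothetical producers: one well-behaved, one passing NULL. */
static int good_notifier(void) { return devctl_queue_data_model(SAMPLE_EVENT); }
static int buggy_notifier(void) { return devctl_queue_data_model(NULL); }

int main(void)
{
    char buf[64];
    good_notifier(); buggy_notifier();
    printf("NULL queued by %s; read %ld bytes\n", bad_caller, read_event(buf, sizeof buf));
    return 0;
}
```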