fork_findpid() - Fatal trap 12: page fault while in kernel mode
Konstantin Belousov
kostikbel at gmail.com
Wed Dec 16 13:33:24 UTC 2015
On Tue, Dec 15, 2015 at 05:42:38PM +0100, Fabian Keil wrote:
> I've seen the following panic a couple of times in the last three
> months, usually while poudriere was running and with sh being the
> current process.
>
> This one is from a system based on r290926 running with
> kern.randompid=9001 and forking frequently (>1000 forks/second)
> due to poudriere and afl-fuzz:
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 1; apic id = 04
> fault virtual address = 0x618b00a8
> fault code = supervisor read data, page not present
> instruction pointer = 0x20:0xffffffff80909158
> stack pointer = 0x28:0xfffffe011e03b940
> frame pointer = 0x28:0xfffffe011e03b960
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 71325 (sh)
> trap number = 12
> panic: page fault
> cpuid = 1
> KDB: stack backtrace:
> [...]
> Uptime: 13d20h43m20s
> [...]
> (kgdb) where
> #0 doadump (textdump=1) at pcpu.h:221
> #1 0xffffffff8094a923 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:364
> #2 0xffffffff8094ae8b in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:757
> #3 0xffffffff8094acc3 in panic (fmt=0x0) at /usr/src/sys/kern/kern_shutdown.c:688
> #4 0xffffffff80c2fbb1 in trap_fatal (frame=<value optimized out>, eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:834
> #5 0xffffffff80c2fda4 in trap_pfault (frame=0xfffffe011e03b890, usermode=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:684
> #6 0xffffffff80c2f55e in trap (frame=0xfffffe011e03b890) at /usr/src/sys/amd64/amd64/trap.c:435
> #7 0xffffffff80c120a7 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:234
> #8 0xffffffff80909158 in fork_findpid (flags=<value optimized out>) at /usr/src/sys/kern/kern_fork.c:281
It is the values of *p and *(p->p_pgrp) that are needed, from frame 8.
> #9 0xffffffff80907225 in do_fork (td=0xfffff8009db9a9a0, flags=20, p2=0xfffff8009dbe1a90, td2=0xfffff800aa6884d0, vm2=0xfffff800a9eee000, pdflags=0) at /usr/src/sys/kern/kern_fork.c:385
> #10 0xffffffff80906c08 in fork1 (td=0xfffff8009db9a9a0, flags=20, pages=<value optimized out>, procp=0xfffffe011e03bac0, procdescp=0x0, pdflags=99999, fcaps=<value optimized out>)
> at /usr/src/sys/kern/kern_fork.c:937
> #11 0xffffffff809066ca in sys_fork (td=0xfffff8009db9a9a0, uap=<value optimized out>) at /usr/src/sys/kern/kern_fork.c:108
> #12 0xffffffff80c3054b in amd64_syscall (td=0xfffff8009db9a9a0, traced=0) at subr_syscall.c:140
> #13 0xffffffff80c1238b in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:394
> #14 0x00000008009257aa in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> Current language: auto; currently minimal
> (kgdb) f 8
> #8 0xffffffff80909158 in fork_findpid (flags=<value optimized out>) at /usr/src/sys/kern/kern_fork.c:281
> warning: Source file is more recent than executable.
>
> 281 (p->p_pgrp != NULL &&
> (kgdb) l -
> 271 * id is kept reserved only while there is a
> 272 * non-reaped process in the subtree, so amount of
> 273 * reserved pids is limited by process limit times
> 274 * two.
> 275 */
> 276 p = LIST_FIRST(&allproc);
> 277 again:
> 278 for (; p != NULL; p = LIST_NEXT(p, p_list)) {
> 279 while (p->p_pid == trypid ||
> 280 p->p_reapsubtree == trypid ||
> (kgdb) l
> 281 (p->p_pgrp != NULL &&
> 282 (p->p_pgrp->pg_id == trypid ||
> 283 (p->p_session != NULL &&
> 284 p->p_session->s_sid == trypid)))) {
> 285 trypid++;
> 286 if (trypid >= pidchecked)
> 287 goto retry;
> 288 }
> 289 if (p->p_pid > trypid && pidchecked > p->p_pid)
> 290 pidchecked = p->p_pid;
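As an added illustration (not code from this thread or from the FreeBSD kernel), the following userland C model reproduces the collision loop that the kgdb listing above shows at kern_fork.c:276-290, including the pidchecked restart that the listing cuts off; the struct layouts, PID_MAX and the sample table are constructed assumptions, and no locking is modelled.

```c
#include <stddef.h>
#define PID_MAX 99999	/* stands in for the kernel's pid_max */
/* Userland model of the collision loop in fork_findpid() (kern_fork.c), built
 * for illustration; names mirror the kernel's structs, layout/locking do not. */
struct pgrp { int pg_id; };
struct session { int s_sid; };
struct proc {
	int p_pid, p_reapsubtree;
	struct pgrp *p_pgrp;		/* may be NULL, as in the kernel */
	struct session *p_session;	/* may be NULL */
};
/* First id >= trypid owned by no process, reaper subtree, process group or
 * session in tbl[].  pidchecked is the lowest id above trypid seen so far;
 * once trypid climbs to it the walk is stale and restarts (goto retry). */
int find_free_pid(const struct proc *tbl, size_t n, int trypid)
{
	const struct proc *p; size_t i; int pidchecked;
retry:
	pidchecked = PID_MAX;
	for (i = 0; i < n; i++) {
		p = &tbl[i];
		/* Same test as kern_fork.c:279-284; frame 8 faulted on line 281. */
		while (p->p_pid == trypid || p->p_reapsubtree == trypid ||
		    (p->p_pgrp != NULL && (p->p_pgrp->pg_id == trypid ||
		    (p->p_session != NULL && p->p_session->s_sid == trypid)))) {
			if (++trypid >= pidchecked)
				goto retry;
		}
		if (p->p_pid > trypid && pidchecked > p->p_pid)
			pidchecked = p->p_pid;
		if (p->p_pgrp != NULL && p->p_pgrp->pg_id > trypid &&
		    pidchecked > p->p_pgrp->pg_id)
			pidchecked = p->p_pgrp->pg_id;
		if (p->p_session != NULL && p->p_session->s_sid > trypid &&
		    pidchecked > p->p_session->s_sid)
			pidchecked = p->p_session->s_sid;
	}
	return (trypid);
}
/* Constructed sample: pids 100-102, group 103/session 104 on pid 100, and
 * pid 50 reaping subtree id 200.  sample_find(100) yields 105. */
int sample_find(int trypid)
{
	static struct pgrp pg = { 103 }; static struct session ss = { 104 };
	static const struct proc tbl[] = { { 100, 0, &pg, &ss },
	    { 102, 0, NULL, NULL }, { 101, 0, &pg, NULL }, { 50, 200, NULL, NULL } };
	return (find_free_pid(tbl, sizeof(tbl) / sizeof(tbl[0]), trypid));
}
```

Starting at 100, the search is restarted twice by pidchecked before 105 is found; starting at 200 it skips the reaper subtree id and returns 201.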