[panic] page fault in tcp_timer_2msl_tw
Mohan Srinivasan
mohan_srinivasan at yahoo.com
Mon Aug 21 22:01:44 UTC 2006
I checked in a fix for this into -current a few days ago. Haven't MFC'ed
it to releng 6.
mohan
--- Pawel Worach <pawel.worach at gmail.com> wrote:
> On 9/22/05, Pawel Worach <pawel.worach at gmail.com> wrote:
> > Pawel Worach wrote:
> >
> > > (kgdb) print *tw
> > > $1 = {tw_inpcb = 0x0, snd_nxt = 438603527, rcv_nxt = 3383864561,
> > > iss = 438603320, irs = 3383863898, cc_recv = 0, cc_send = 0,
> > > last_win = 65534, tw_so_options = 4, tw_cred = 0x0, t_recent = 0,
> > > t_starttime = 4294952294, tw_time = 0, tw_2msl = {le_next = 0xc24680a8,
> > > le_prev = 0xc06a827c}}
> >
> > I poked a bit more and it looks like the dereference happens here in
> > tcp_timer_2msl_tw().
> >
> > tcp_timer.c:294 INP_LOCK(tw->tw_inpcb);
> >
> > The INP_LOCK macro tries to reference tw->tw_inpcb->inp_mtx while
> > tw->tw_inpcb is null. However, I have no idea how it got to this point.
> >
>
> Bumped into this one again on 6.1, almost a year since the last time.
> So far my conclusion is that it is hard to reproduce :) Does anyone have an
> idea what might be going on?
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; apic id = 00
> fault virtual address = 0xac
> fault code = supervisor write, page not present
> instruction pointer = 0x20:0xc059291a
> stack pointer = 0x28:0xe3474bf4
> frame pointer = 0x28:0xe3474c20
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 15 (swi4: clock sio)
> trap number = 12
> panic: page fault
> cpuid = 2
> KDB: stack backtrace:
> kdb_backtrace(c068eecd,2,c06718cd,e3474af8,a) at kdb_backtrace+0x2e
> panic(c06718cd,c068fa6f,c46c8394,1,1) at panic+0x139
> trap_fatal(e3474bb4,ac,2,8,0) at trap_fatal+0x36e
> trap_pfault(e3474bb4,0,ac,c0c471e0,ac) at trap_pfault+0x242
> trap(8,28,c0c40028,0,4) at trap+0x350
> calltrap() at calltrap+0x5
> --- trap 0xc, eip = 0xc059291a, esp = 0xe3474bf4, ebp = 0xe3474c20 ---
> tcp_timer_2msl_tw(0,c04f462a,c06ad420,c06ad880,16) at tcp_timer_2msl_tw+0x5a
> tcp_slowtimo(e3474c5c,c46c9d80,4,e3474c5c,0) at tcp_slowtimo+0x6c
> pfslowtimo(0,c4826300,c06a5320,ca76356b,c46c82b4) at pfslowtimo+0x39
> softclock(0,e3474cd0,831264,61432328,c46c9d80) at softclock+0x366
> ithread_execute_handlers(c46c820c,c4725c00,0,0,0) at ithread_execute_handlers+0x178
> ithread_loop(c46af8c0,e3474d38,0,0,0) at ithread_loop+0x77
> fork_exit(c04c2180,c46af8c0,e3474d38) at fork_exit+0x80
> fork_trampoline() at fork_trampoline+0x8
> --- trap 0x1, eip = 0, esp = 0xe3474d6c, ebp = 0 ---
> Uptime: 99d10h5m26s
> Dumping 1023 MB (2 chunks)
> chunk 0: 1MB (157 pages) ... ok
> chunk 1: 1023MB (261851 pages) 1007 991 975 959 943 927 911 895 879
> 863 847 831 815 799 783 767 751 735 719 703 687 671 655 639 623 607
> 591 575 559 543 527 511 495 479 463 447 431 415 399 383 367 351 335
> 319 303 287 271 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31
> 15
>
> #0 doadump () at pcpu.h:165
> 165 pcpu.h: No such file or directory.
> in pcpu.h
> (kgdb) bt
> #0 doadump () at pcpu.h:165
> #1 0xc04dde2c in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
> #2 0xc04de253 in panic (fmt=0xc06718cd "%s")
> at /usr/src/sys/kern/kern_shutdown.c:558
> #3 0xc065481e in trap_fatal (frame=0xe3474bb4, eva=0)
> at /usr/src/sys/i386/i386/trap.c:836
> #4 0xc0654482 in trap_pfault (frame=0xe3474bb4, usermode=0, eva=172)
> at /usr/src/sys/i386/i386/trap.c:744
> #5 0xc0653ff0 in trap (frame=
> {tf_fs = 8, tf_es = 40, tf_ds = -1060896728, tf_edi = 0, tf_esi
> = 4, tf_ebp = -481866720, tf_isp = -481866784, tf_ebx = -966999536,
> tf_edx = -1060867608, tf_ecx = -999514752, tf_eax = 4, tf_trapno = 12,
> tf_err = 2, tf_eip = -1067898598, tf_cs = 32, tf_eflags = 66195,
> tf_esp = -966999536, tf_ss = 0})
> at /usr/src/sys/i386/i386/trap.c:434
> #6 0xc063e18a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> #7 0xc059291a in tcp_timer_2msl_tw (reuse=0) at atomic.h:149
> #8 0xc05922ac in tcp_slowtimo () at /usr/src/sys/netinet/tcp_timer.c:116
> #9 0xc0522879 in pfslowtimo (arg=0x0) at /usr/src/sys/kern/uipc_domain.c:477
> #10 0xc04edce6 in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:290
> #11 0xc04c2088 in ithread_execute_handlers (p=0xc46c820c, ie=0xc4725c00)
> at /usr/src/sys/kern/kern_intr.c:684
> #12 0xc04c21f7 in ithread_loop (arg=0xc46af8c0)
> ---Type <return> to continue, or q <return> to quit---
> at /usr/src/sys/kern/kern_intr.c:767
> #13 0xc04c0840 in fork_exit (callout=0xc04c2180 <ithread_loop>, arg=0x4,
> frame=0x4) at /usr/src/sys/kern/kern_fork.c:805
> #14 0xc063e1ec in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
> (kgdb) f 7
> #7 0xc059291a in tcp_timer_2msl_tw (reuse=0) at atomic.h:149
> 149 atomic.h: No such file or directory.
> in atomic.h
> (kgdb) p *tw
> $1 = {tw_inpcb = 0x0, snd_nxt = 842737231, rcv_nxt = 17758516,
> iss = 842735507, irs = 17758065, last_win = 65534, tw_so_options = 4,
> tw_cred = 0x0, t_recent = 0, t_starttime = 4294952294, tw_time = 0,
> tw_2msl = {le_next = 0xc65ccd50, le_prev = 0xc06cf294}}
> (kgdb)
>
> --
> Pawel
>
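An added example, not part of the original thread or of the FreeBSD source: a user-space C model of the failure described in the quoted message, showing why a NULL `tw_inpcb` produces a fault at a small address such as 0xac and how a sweep can count such entries instead of dereferencing them. The struct layouts, the 0xac padding and the names `inpcb_model`, `tcptw_model`, `lock_target`, `is_null_field_fault` and `sweep_checked` are assumptions made for illustration; the check is a diagnostic pattern, not the fix committed to -current.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, NOT the real FreeBSD layout: the padding is chosen so
 * that inp_mtx sits at 0xac, the fault virtual address in the panic. */
struct inpcb_model { char pad[0xac]; volatile int inp_mtx; };
struct tcptw_model {
    struct inpcb_model *tw_inpcb;   /* back-pointer; 0x0 in both kgdb dumps */
    int tw_time;                    /* expiry tick */
    struct tcptw_model *le_next;    /* next entry on the 2MSL list */
};

/* Address a lock on this entry would write to. With tw_inpcb == NULL it is
 * just the field offset: a small address in the unmapped first page. */
static uintptr_t lock_target(const struct tcptw_model *tw) {
    return (uintptr_t)tw->tw_inpcb + offsetof(struct inpcb_model, inp_mtx);
}

/* Triage: an address below the struct size means "field of a NULL struct". */
static int is_null_field_fault(uintptr_t fault_va) {
    return fault_va < sizeof(struct inpcb_model);
}

/* Sweep expired entries, checking the back-pointer before locking. Returns
 * how many expired entries had tw_inpcb == NULL; *locked counts the rest. */
static int sweep_checked(struct tcptw_model *head, int now, int *locked) {
    int orphans = 0;
    *locked = 0;
    for (struct tcptw_model *tw = head; tw != NULL; tw = tw->le_next) {
        if (tw->tw_time > now)
            continue;                       /* not expired yet */
        if (tw->tw_inpcb == NULL) {         /* the state seen in the dump */
            orphans++;
            continue;
        }
        tw->tw_inpcb->inp_mtx = 1;          /* model of INP_LOCK */
        (*locked)++;
        tw->tw_inpcb->inp_mtx = 0;          /* model of the unlock */
    }
    return orphans;
}

int main(void) {
    struct tcptw_model orphan = { NULL, 0, NULL };  /* constructed sample */
    int locked, n = sweep_checked(&orphan, 10, &locked);
    printf("target %#lx orphans %d locked %d\n",
           (unsigned long)lock_target(&orphan), n, locked);
    return 0;
}
```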