Bug #1950

socket panic

Added by pavalos almost 4 years ago. Updated almost 4 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%

Description

Got a page fault panic today on my laptop.

Files can be fetched from:
http://www.theshell.com/~pavalos/crash/crash6.tar.xz

--Peter

(kgdb) bt
#0 _get_mycpu (di=0xc049ed20) at ./machine/thread.h:83
#1 md_dumpsys (di=0xc049ed20) at /usr/src/sys/platform/pc32/i386/dump_machdep.c:263
#2 0xc01ac98e in dumpsys () at /usr/src/sys/kern/kern_shutdown.c:881
#3 0xc01acf4e in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:388
#4 0xc01ad1f5 in panic (fmt=0xc03dd634 "%s") at /usr/src/sys/kern/kern_shutdown.c:787
#5 0xc039f022 in trap_fatal (frame=0xd6f3ac94, eva=<value optimized out>)
at /usr/src/sys/platform/pc32/i386/trap.c:1116
#6 0xc039f130 in trap_pfault (frame=0xd6f3ac94, usermode=0, eva=51)
at /usr/src/sys/platform/pc32/i386/trap.c:1018
#7 0xc039f69c in trap (frame=0xd6f3ac94)
at /usr/src/sys/platform/pc32/i386/trap.c:705
#8 0xc0387b47 in calltrap () at /usr/src/sys/platform/pc32/i386/exception.s:785
#9 0xc01999d0 in knote (list=0xd993de64, hint=0)
at /usr/src/sys/kern/kern_event.c:1303
#10 0xc01ea6cd in sowakeup (so=0xd993de00, ssb=0xd993de4c)
at /usr/src/sys/kern/uipc_socket2.c:499
#11 0xc01ef5d8 in uipc_send (msg=0xde077b50) at /usr/src/sys/kern/uipc_usrreq.c:493
#12 0xc0228637 in netmsg_service_loop (arg=0x0) at /usr/src/sys/net/netisr.c:294
#13 0xc01b6117 in lwkt_deschedule_self (td=Cannot access memory at address 0x8
) at /usr/src/sys/kern/lwkt_thread.c:272
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

History

#1 Updated by sjg almost 4 years ago

Both of Peter's panics from inside knote() are the result of a corrupt SLIST
kn_next.sle_next pointer in the knote in question.

(kgdb) frame
#9 0xc01999d0 in knote (list=0xd993de64, hint=0) at
/usr/src/sys/kern/kern_event.c:1303
1303 SLIST_FOREACH(kn, list, kn_next) {
(kgdb) p *list->slh_first
$9 = {kn_link = {sle_next = 0xdd5c9008}, kn_kqlink = {tqe_next = 0xdd5ca490,
tqe_prev = 0x10000}, kn_next = {
sle_next = 0x3}, kn_tqe = {tqe_next = 0xd76f0008, tqe_prev = 0xc045312c},
kn_kq = 0x34, kn_kevent = {ident = 1241,
filter = 0, flags = 0, fflags = 1241, data = 0, udata = 0xd995c638},
kn_status = 39, kn_sfflags = 0,
kn_sdata = -644321272, kn_ptr = {p_fp = 0xd99c9160, p_proc = 0xd99c9160},
kn_fop = 0x0, kn_hook = 0x0}

(kgdb) frame
#9 0xc018afc0 in knote (list=0xf236e364, hint=0) at
/usr/src/sys/kern/kern_event.c:1301
1301 lwkt_gettoken(&kq_token);
(kgdb) p *list->slh_first
$4 = {kn_link = {sle_next = 0xdeaf4e70}, kn_kqlink = {tqe_next = 0xde96b690,
tqe_prev = 0x10000}, kn_next = {
sle_next = 0x1003}, kn_tqe = {tqe_next = 0xdffd2708, tqe_prev = 0xc03c0060},
kn_kq = 0x1, kn_kevent = {ident = 0,
filter = 0, flags = 0, fflags = 0, data = 0, udata = 0xd5e124f8}, kn_status
= 39, kn_sfflags = 0,
kn_sdata = -972652552, kn_ptr = {p_fp = 0xd9e43d28, p_proc = 0xd9e43d28},
kn_fop = 0x0, kn_hook = 0x0}

Interestingly, the filterops for both knotes are null and the pointer to their
parent kq is invalid. I'm not sure where these might be falling through the
cracks and being mangled in such a fashion and still being knote()'d.
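As an added triage aid (not part of this report or of the DragonFly tree): a script that flattens a kgdb struct dump like the two above and flags every pointer-typed field whose value cannot be a live pc32 kernel pointer, which turns up the same suspects sjg names plus the broken list links. The 0xc0000000 kernel base, the set of fields that may never be NULL, and the re-typed sample dump are assumptions.

```python
import re

# Constructed sample: the knote from the first panic in this report, re-typed
# as one string (whitespace differs from the kgdb transcript; values are the same).
KNOTE_DUMP = """{kn_link = {sle_next = 0xdd5c9008}, kn_kqlink = {tqe_next = 0xdd5ca490,
tqe_prev = 0x10000}, kn_next = {sle_next = 0x3}, kn_tqe = {tqe_next = 0xd76f0008,
tqe_prev = 0xc045312c}, kn_kq = 0x34, kn_kevent = {ident = 1241, filter = 0,
flags = 0, fflags = 1241, data = 0, udata = 0xd995c638}, kn_status = 39,
kn_sfflags = 0, kn_sdata = -644321272, kn_ptr = {p_fp = 0xd99c9160,
p_proc = 0xd99c9160}, kn_fop = 0x0, kn_hook = 0x0}"""

# Assumption: on pc32 the kernel lives above 0xc0000000, which matches the
# 0xc0... text and 0xd... data addresses in the backtrace.
KVA_MIN, KVA_MAX = 0xC0000000, 0xFFFFFFFF
OPAQUE = {"kn_kevent.udata"}            # caller-supplied cookie, not a kernel pointer
MUST_BE_SET = {"kn_kq", "kn_fop", "kn_ptr.p_fp", "kn_ptr.p_proc"}  # NULL is wrong here too


def flatten(dump):
    """Turn gdb's nested '{a = {b = 0x1}, c = 2}' text into {'a.b': '0x1', 'c': '2'}."""
    fields, path = {}, []
    for m in re.finditer(r"(\w+)\s*=\s*(\{|-?\w+)|([{}])", dump):
        name, value, brace = m.groups()
        if brace == "{":
            path.append(None)           # anonymous outermost struct
        elif brace == "}":
            path.pop()
        elif value == "{":
            path.append(name)           # named sub-struct
        else:
            fields[".".join(p for p in path + [name] if p)] = value
    return fields


def suspicious_pointers(dump):
    """Pointer fields (gdb prints them in hex) whose value cannot be a live kernel pointer."""
    bad = {}
    for key, value in flatten(dump).items():
        if not value.startswith("0x") or key in OPAQUE:
            continue                    # decimal fields are plain integers, skip them
        addr = int(value, 16)
        if addr == 0:
            if key in MUST_BE_SET:
                bad[key] = value
        elif not KVA_MIN <= addr <= KVA_MAX:
            bad[key] = value
    return bad


if __name__ == "__main__":
    for key, value in suspicious_pointers(KNOTE_DUMP).items():
        print(f"{key:22} = {value}")
```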
