Bug #1950
closedsocket panic
Description
Got a page fault panic today on my laptop.
Files can be fetched from:
http://www.theshell.com/~pavalos/crash/crash6.tar.xz
--Peter
(kgdb) bt
#0  _get_mycpu (di=0xc049ed20) at ./machine/thread.h:83
#1  md_dumpsys (di=0xc049ed20) at /usr/src/sys/platform/pc32/i386/dump_machdep.c:263
#2  0xc01ac98e in dumpsys () at /usr/src/sys/kern/kern_shutdown.c:881
#3  0xc01acf4e in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:388
#4  0xc01ad1f5 in panic (fmt=0xc03dd634 "%s") at /usr/src/sys/kern/kern_shutdown.c:787
#5  0xc039f022 in trap_fatal (frame=0xd6f3ac94, eva=<value optimized out>) at /usr/src/sys/platform/pc32/i386/trap.c:1116
#6  0xc039f130 in trap_pfault (frame=0xd6f3ac94, usermode=0, eva=51) at /usr/src/sys/platform/pc32/i386/trap.c:1018
#7  0xc039f69c in trap (frame=0xd6f3ac94) at /usr/src/sys/platform/pc32/i386/trap.c:705
#8  0xc0387b47 in calltrap () at /usr/src/sys/platform/pc32/i386/exception.s:785
#9  0xc01999d0 in knote (list=0xd993de64, hint=0) at /usr/src/sys/kern/kern_event.c:1303
#10 0xc01ea6cd in sowakeup (so=0xd993de00, ssb=0xd993de4c) at /usr/src/sys/kern/uipc_socket2.c:499
#11 0xc01ef5d8 in uipc_send (msg=0xde077b50) at /usr/src/sys/kern/uipc_usrreq.c:493
#12 0xc0228637 in netmsg_service_loop (arg=0x0) at /usr/src/sys/net/netisr.c:294
#13 0xc01b6117 in lwkt_deschedule_self (td=Cannot access memory at address 0x8
) at /usr/src/sys/kern/lwkt_thread.c:272
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
Updated by sjg almost 14 years ago
Both of Peter's panics from inside knote() are the result of a corrupt SLIST
kn_next.sle_next pointer in the knote in question.
(kgdb) frame
#9  0xc01999d0 in knote (list=0xd993de64, hint=0) at /usr/src/sys/kern/kern_event.c:1303
1303            SLIST_FOREACH(kn, list, kn_next) {
(kgdb) p *list->slh_first
$9 = {kn_link = {sle_next = 0xdd5c9008},
      kn_kqlink = {tqe_next = 0xdd5ca490, tqe_prev = 0x10000},
      kn_next = {sle_next = 0x3},
      kn_tqe = {tqe_next = 0xd76f0008, tqe_prev = 0xc045312c},
      kn_kq = 0x34,
      kn_kevent = {ident = 1241, filter = 0, flags = 0, fflags = 1241, data = 0, udata = 0xd995c638},
      kn_status = 39, kn_sfflags = 0, kn_sdata = -644321272,
      kn_ptr = {p_fp = 0xd99c9160, p_proc = 0xd99c9160},
      kn_fop = 0x0, kn_hook = 0x0}

(kgdb) frame
#9  0xc018afc0 in knote (list=0xf236e364, hint=0) at /usr/src/sys/kern/kern_event.c:1301
1301            lwkt_gettoken(&kq_token);
(kgdb) p *list->slh_first
$4 = {kn_link = {sle_next = 0xdeaf4e70},
      kn_kqlink = {tqe_next = 0xde96b690, tqe_prev = 0x10000},
      kn_next = {sle_next = 0x1003},
      kn_tqe = {tqe_next = 0xdffd2708, tqe_prev = 0xc03c0060},
      kn_kq = 0x1,
      kn_kevent = {ident = 0, filter = 0, flags = 0, fflags = 0, data = 0, udata = 0xd5e124f8},
      kn_status = 39, kn_sfflags = 0, kn_sdata = -972652552,
      kn_ptr = {p_fp = 0xd9e43d28, p_proc = 0xd9e43d28},
      kn_fop = 0x0, kn_hook = 0x0}
Interestingly the filterops for both knotes is null and the pointer to their
parent kq is invalid. I'm not sure where these might be falling through the
cracks and being mangled in such a fashion and still being knote()'d.
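The corruption sjg describes, modeled in user space as an added example (this is not DragonFly kernel code and not part of the bug report): the SLIST macros are a local copy of the <sys/queue.h> subset so the file builds without the BSD header, struct knote and struct filterops are cut down to the fields that matter here, and knote_walk, knote_walk_checked, build_klist, corrupt_next, corrupt_fop, demo_event and demo_fop are hypothetical names invented for the illustration. knote_walk has the shape of the loop at kern_event.c:1303 and would dereference 0x3 on the corrupted list exactly as the panics did; knote_walk_checked is a debug-time variant that refuses a misaligned or out-of-arena element pointer, or a NULL kn_fop, before touching it, and reports which position in the list went bad.

```c
/* Added example, not DragonFly code: user-space model of the SLIST walk in
 * knote() and of the two corruptions seen in the dumps above
 * (kn_next.sle_next = 0x3, kn_fop = NULL). Macros are a local <sys/queue.h>
 * subset; struct knote/filterops are reduced; all function names are made up. */
#include <stdint.h>
#include <stdio.h>

#define SLIST_HEAD(name, type)  struct name { struct type *slh_first; }
#define SLIST_ENTRY(type)       struct { struct type *sle_next; }
#define SLIST_INIT(head)        ((head)->slh_first = NULL)
#define SLIST_FIRST(head)       ((head)->slh_first)
#define SLIST_NEXT(elm, field)  ((elm)->field.sle_next)
#define SLIST_INSERT_HEAD(head, elm, field) do {                        \
        (elm)->field.sle_next = (head)->slh_first; (head)->slh_first = (elm); \
} while (0)
#define SLIST_FOREACH(var, head, field) \
        for ((var) = SLIST_FIRST(head); (var); (var) = SLIST_NEXT(var, field))

struct knote;
struct filterops {                      /* reduced to the one callback used here */
        int (*f_event)(struct knote *kn, long hint);
};
struct knote {                          /* reduced to the fields that matter here */
        SLIST_ENTRY(knote) kn_next;     /* link in the object's klist */
        const struct filterops *kn_fop; /* NULL in both dumps above */
        long kn_ident;
};
SLIST_HEAD(klist, knote);

int knote_events_fired;                 /* number of f_event calls made */

static int demo_event(struct knote *kn, long hint)
{
        (void)hint;
        knote_events_fired++;
        return kn->kn_ident != 0;       /* constructed filter: always active */
}
static const struct filterops demo_fop = { demo_event };

/* Same shape as the loop at kern_event.c:1303: trusts every sle_next.
 * On the corrupted list it dereferences 0x3 and faults. */
int knote_walk(struct klist *list, long hint)
{
        struct knote *kn;
        int activated = 0;

        SLIST_FOREACH(kn, list, kn_next) {
                if (kn->kn_fop->f_event(kn, hint))
                        activated++;
        }
        return activated;
}

/* Hypothetical debug-time walk: reject an element pointer that is misaligned,
 * outside the arena owning the knotes, or has no filterops, before using it.
 * Returns activated count, or -1 with *bad_idx = position of the bad element. */
int knote_walk_checked(struct klist *list, long hint,
    const void *arena_lo, const void *arena_hi, int *bad_idx)
{
        uintptr_t lo = (uintptr_t)arena_lo, hi = (uintptr_t)arena_hi;
        struct knote *kn;
        int idx = 0, activated = 0;

        *bad_idx = -1;
        for (kn = SLIST_FIRST(list); kn != NULL;
             kn = SLIST_NEXT(kn, kn_next), idx++) {
                uintptr_t p = (uintptr_t)kn;
                /* range/alignment first, so kn_fop is only read on a sane pointer */
                if (p % sizeof(void *) != 0 || p < lo ||
                    p + sizeof(*kn) > hi || kn->kn_fop == NULL) {
                        *bad_idx = idx;
                        return -1;
                }
                if (kn->kn_fop->f_event(kn, hint))
                        activated++;
        }
        return activated;
}

/* Build a klist of n constructed knotes living in arena[0..n). */
void build_klist(struct klist *list, struct knote *arena, int n)
{
        SLIST_INIT(list);
        for (int i = n - 1; i >= 0; i--) {
                arena[i].kn_fop = &demo_fop;
                arena[i].kn_ident = 1000 + i;
                SLIST_INSERT_HEAD(list, &arena[i], kn_next);
        }
}

/* Reproduce the dumps: first knote's forward link becomes 0x3 ... */
void corrupt_next(struct klist *list)
{
        SLIST_FIRST(list)->kn_next.sle_next = (struct knote *)(uintptr_t)0x3;
}
/* ... and its filterops pointer becomes NULL. */
void corrupt_fop(struct klist *list)
{
        SLIST_FIRST(list)->kn_fop = NULL;
}

int main(void)
{
        struct knote arena[3];
        struct klist list;
        int bad, rc;

        build_klist(&list, arena, 3);
        printf("intact: %d activated\n", knote_walk(&list, 0));
        corrupt_next(&list);            /* knote_walk() would now fault on 0x3 */
        rc = knote_walk_checked(&list, 0, arena, arena + 3, &bad);
        printf("bad link: rc=%d bad_idx=%d\n", rc, bad);
        corrupt_fop(&list);
        rc = knote_walk_checked(&list, 0, arena, arena + 3, &bad);
        printf("bad fop: rc=%d bad_idx=%d\n", rc, bad);
        return 0;
}
```

A check like this only moves the failure one step earlier and names the element that went bad; it does not find whoever wrote 0x3 into the link after the knote was freed or reused, which is the question sjg's comment leaves open. In a kernel the arena bounds would have to come from the allocator rather than a caller-supplied array, which is why this belongs behind a debugging option rather than in the hot path.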
Updated by tuxillo over 2 years ago
- Description updated (diff)
- Status changed from New to Closed
- Assignee changed from 0 to tuxillo
We no longer support i386.