Bug 12378 - pmap_growkernel doesn't update all page directories
Summary: pmap_growkernel doesn't update all page directories
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 3.2-STABLE
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 1999-06-24 20:20 UTC by Tor Egge
Modified: 1999-07-29 08:27 UTC (History)
0 users

See Also:


Attachments
file.diff (3.01 KB, patch)
1999-06-24 20:20 UTC, Tor Egge

Description Tor Egge 1999-06-24 20:20:01 UTC
When creating new processes (or performing exec), the new page
directory is initialized too early.  The kernel might grow before
p_vmspace is initialized for the new process.  Since pmap_growkernel()
doesn't yet know about the new page directory, it isn't updated, and
subsequent use causes a failure.

In the following gdb trace, attempting to switch to the new process
caused an immediate trap when attempting to access the pcb:

GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i386-unknown-freebsd), 
Copyright 1996 Free Software Foundation, Inc...
IdlePTD 2994176
initial pcb at 26c408
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
mp_lock = 00000004; cpuid = 0; lapic.id = 01000000
fault virtual address	= 0xdffce078
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xe0215143
stack pointer	        = 0x10:0xf37fbac8
frame pointer	        = 0x10:0xf37fbae0
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= Idle
interrupt mask		= net tty bio cam  <- SMP: XXX
trap number		= 12
panic: page fault
mp_lock = 00000004; cpuid = 0; lapic.id = 01000000
boot() called on cpu#0

syncing disks... 

Fatal trap 12: page fault while in kernel mode
mp_lock = 00000006; cpuid = 0; lapic.id = 01000000
fault virtual address	= 0xdffce000
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xe0215143
stack pointer	        = 0x10:0xf37fb6ac
frame pointer	        = 0x10:0xf37fb6c4
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= Idle
interrupt mask		= net tty bio cam  <- SMP: XXX
trap number		= 12
panic: page fault
mp_lock = 00000006; cpuid = 0; lapic.id = 01000000
boot() called on cpu#0


Fatal trap 12: page fault while in kernel mode
mp_lock = 00000008; cpuid = 0; lapic.id = 01000000
fault virtual address	= 0xb8
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xe0152c63
stack pointer	        = 0x10:0xf37fafcc
frame pointer	        = 0x10:0xf37fafe0
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= Idle
interrupt mask		= net tty bio cam  <- SMP: XXX
trap number		= 12
panic: page fault
mp_lock = 00000008; cpuid = 0; lapic.id = 01000000
boot() called on cpu#0


Fatal trap 12: page fault while in kernel mode
mp_lock = 0000000a; cpuid = 0; lapic.id = 01000000
fault virtual address	= 0xb8
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xe0152c63
stack pointer	        = 0x10:0xf37fa8ec
frame pointer	        = 0x10:0xf37fa900
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= Idle
interrupt mask		= net tty bio cam  <- SMP: XXX
trap number		= 12
panic: page fault
mp_lock = 0000000a; cpuid = 0; lapic.id = 01000000
boot() called on cpu#0

dumping to dev 50401, offset 1083718
[snip]
---
#0  cpu_dump (pcb=0xe026c408) at ../../i386/i386/vm_machdep.c:703
#0  cpu_dump (pcb=0xe026c408) at ../../i386/i386/vm_machdep.c:703
#1  0xe0150c5d in boot (howto=260) at ../../kern/kern_shutdown.c:284
#2  0xe0150f11 in panic (fmt=0xe024b7bc "page fault")
    at ../../kern/kern_shutdown.c:443
#3  0xe02182e0 in trap_fatal (frame=0xf37fa8b0, eva=184)
    at ../../i386/i386/trap.c:944
#4  0xe0217f5b in trap_pfault (frame=0xf37fa8b0, usermode=0, eva=184)
    at ../../i386/i386/trap.c:837
#5  0xe0217bb6 in trap (frame={tf_es = -535560176, tf_ds = -534314992, 
      tf_edi = 0, tf_esi = -524802280, tf_ebp = -209737472, 
      tf_isp = -209737512, tf_ebx = 0, tf_edx = -524802280, tf_ecx = 1, 
      tf_eax = -1, tf_trapno = 12, tf_err = 0, tf_eip = -535483293, tf_cs = 8, 
      tf_eflags = 66118, tf_esp = 0, tf_ss = -1}) at ../../i386/i386/trap.c:438
#6  0xe0152c63 in tsleep (ident=0xe0b82718, priority=0, 
    wmesg=0xe024583a "vmpfw", timo=0) at ../../kern/kern_synch.c:383
#7  0xe01eb10a in vm_fault (map=0xe0276974, vaddr=4085374976, 
    fault_type=7 '\a', fault_flags=0) at ../../vm/vm_fault.c:308
#8  0xe0217f08 in trap_pfault (frame=0xf37faa1c, usermode=0, eva=4085378574)
    at ../../i386/i386/trap.c:826
#9  0xe0217bb6 in trap (frame={tf_es = -534642672, tf_ds = -534249456, 
      tf_edi = -338861024, tf_esi = 1024, tf_ebp = -209737072, 
      tf_isp = -209737148, tf_ebx = -209588784, tf_edx = 0, 
      tf_ecx = -526171960, tf_eax = 252, tf_trapno = 12, tf_err = 2, 
      tf_eip = -535361779, tf_cs = 8, tf_eflags = 66118, tf_esp = -338861024, 
      tf_ss = -471714816}) at ../../i386/i386/trap.c:438
#10 0xe017070d in biodone (bp=0xebcd6420) at ../../kern/vfs_bio.c:2021
#11 0xe0124bb1 in dadone (periph=0xe3e24f80, done_ccb=0xe3f9a800)
    at ../../cam/scsi/scsi_da.c:1312
#12 0xe01207d7 in camisr (queue=0xe0269ce4) at ../../cam/cam_xpt.c:6147
#13 0xe01205e9 in swi_cambio () at ../../cam/cam_xpt.c:6054
#14 0xe011dc98 in xpt_polled_action (start_ccb=0xf37fad40)
    at ../../cam/cam_xpt.c:3342
#15 0xe0125081 in dashutdown (howto=260, arg=0x0)
    at ../../cam/scsi/scsi_da.c:1602
#16 0xe0150c29 in boot (howto=260) at ../../kern/kern_shutdown.c:280
#17 0xe0150f11 in panic (fmt=0xe024b7bc "page fault")
    at ../../kern/kern_shutdown.c:443
#18 0xe02182e0 in trap_fatal (frame=0xf37faf90, eva=184)
    at ../../i386/i386/trap.c:944
#19 0xe0217f5b in trap_pfault (frame=0xf37faf90, usermode=0, eva=184)
    at ../../i386/i386/trap.c:837
#20 0xe0217bb6 in trap (frame={tf_es = -535560176, tf_ds = -534314992, 
      tf_edi = 0, tf_esi = -524802280, tf_ebp = -209735712, 
      tf_isp = -209735752, tf_ebx = 0, tf_edx = -524802280, tf_ecx = 1, 
      tf_eax = -1, tf_trapno = 12, tf_err = 0, tf_eip = -535483293, tf_cs = 8, 
      tf_eflags = 66118, tf_esp = 0, tf_ss = -1}) at ../../i386/i386/trap.c:438
#21 0xe0152c63 in tsleep (ident=0xe0b82718, priority=0, 
    wmesg=0xe024583a "vmpfw", timo=0) at ../../kern/kern_synch.c:383
#22 0xe01eb10a in vm_fault (map=0xe0276974, vaddr=4085374976, 
    fault_type=7 '\a', fault_flags=0) at ../../vm/vm_fault.c:308
#23 0xe0217f08 in trap_pfault (frame=0xf37fb0fc, usermode=0, eva=4085378302)
    at ../../i386/i386/trap.c:826
#24 0xe0217bb6 in trap (frame={tf_es = -534642672, tf_ds = -534249456, 
      tf_edi = -338867832, tf_esi = 1024, tf_ebp = -209735312, 
      tf_isp = -209735388, tf_ebx = -209589056, tf_edx = 0, 
      tf_ecx = -524263300, tf_eax = 252, tf_trapno = 12, tf_err = 2, 
      tf_eip = -535361779, tf_cs = 8, tf_eflags = 66118, tf_esp = -338867832, 
      tf_ss = -471720960}) at ../../i386/i386/trap.c:438
#25 0xe017070d in biodone (bp=0xebcd4988) at ../../kern/vfs_bio.c:2021
#26 0xe0124bb1 in dadone (periph=0xe3e14100, done_ccb=0xe3e31800)
    at ../../cam/scsi/scsi_da.c:1312
#27 0xe01207d7 in camisr (queue=0xe0269ce4) at ../../cam/cam_xpt.c:6147
#28 0xe01205e9 in swi_cambio () at ../../cam/cam_xpt.c:6054
#29 0xe011dc98 in xpt_polled_action (start_ccb=0xf37fb420)
    at ../../cam/cam_xpt.c:3342
#30 0xe0125081 in dashutdown (howto=260, arg=0x0)
    at ../../cam/scsi/scsi_da.c:1602
#31 0xe0150c29 in boot (howto=260) at ../../kern/kern_shutdown.c:280
#32 0xe0150f11 in panic (fmt=0xe024b7bc "page fault")
    at ../../kern/kern_shutdown.c:443
#33 0xe02182e0 in trap_fatal (frame=0xf37fb670, eva=3757891584)
    at ../../i386/i386/trap.c:944
#34 0xe0217f5b in trap_pfault (frame=0xf37fb670, usermode=0, eva=3757891584)
    at ../../i386/i386/trap.c:837
#35 0xe0217bb6 in trap (frame={tf_es = -209780720, tf_ds = -534904816, 
      tf_edi = 890245120, tf_esi = -1, tf_ebp = -209733948, 
      tf_isp = -209733992, tf_ebx = -209715200, tf_edx = -541065216, 
      tf_ecx = -537075712, tf_eax = -537075712, tf_trapno = 12, tf_err = 0, 
      tf_eip = -534687421, tf_cs = 8, tf_eflags = 66182, tf_esp = -534287904, 
      tf_ss = -1}) at ../../i386/i386/trap.c:438
#36 0xe0215143 in pmap_enter (pmap=0xe028465c, va=4085252096, pa=890245120, 
    prot=7 '\a', wired=1) at ../../i386/i386/pmap.c:2365
#37 0xe01eb75a in vm_fault (map=0xe0276974, vaddr=4085252096, 
    fault_type=7 '\a', fault_flags=0) at ../../vm/vm_fault.c:749
#38 0xe0217f08 in trap_pfault (frame=0xf37fb7e4, usermode=0, eva=4085252656)
    at ../../i386/i386/trap.c:826
#39 0xe0217bb6 in trap (frame={tf_es = -209780720, tf_ds = -535756784, 
      tf_edi = -1, tf_esi = -1, tf_ebp = -209733588, tf_isp = -209733620, 
      tf_ebx = -534299712, tf_edx = -209714640, tf_ecx = 1, tf_eax = 117, 
      tf_trapno = 12, tf_err = 0, tf_eip = -534807689, tf_cs = 8, 
      tf_eflags = 66179, tf_esp = -335695872, tf_ss = -234924360})
    at ../../i386/i386/trap.c:438
#40 0xe01f7b77 in zalloci (z=0xe0273bc0) at ../../vm/vm_zone.h:87
#41 0xe01ecbff in vm_map_entry_create (map=0xe0276848)
    at ../../vm/vm_zone.h:117
#42 0xe01ed71e in _vm_map_clip_end (map=0xe0276848, entry=0xf1ff56b8, 
    end=3959271424) at ../../vm/vm_map.c:1063
#43 0xe01eeaff in vm_map_delete (map=0xe0276848, start=3959263232, 
    end=3959271424) at ../../vm/vm_map.c:2000
#44 0xe016e472 in bfreekva (bp=0xebceb5c0) at ../../kern/vfs_bio.c:239
#45 0xe016f62b in getnewbuf (vp=0xf1c74ec0, blkno=1664, slpflag=0, slptimeo=0, 
    size=1024, maxsize=4096) at ../../kern/vfs_bio.c:1157
#46 0xe016fd1c in getblk (vp=0xf1c74ec0, blkno=1664, size=1024, slpflag=0, 
    slptimeo=0) at ../../kern/vfs_bio.c:1512
#47 0xe01e0c9a in ffs_sbupdate (mp=0xe3e2aa00, waitfor=2)
    at ../../ufs/ffs/ffs_vfsops.c:1261
#48 0xe01e08a0 in ffs_sync (mp=0xe3e28e00, waitfor=2, cred=0xe1e6b100, 
    p=0xe02856a0) at ../../ufs/ffs/ffs_vfsops.c:1023
#49 0xe0177d4b in sync (p=0xe02856a0, uap=0x0) at ../../kern/vfs_syscalls.c:549
#50 0xe0150aa0 in boot (howto=256) at ../../kern/kern_shutdown.c:203
#51 0xe0150f11 in panic (fmt=0xe024b7bc "page fault")
    at ../../kern/kern_shutdown.c:443
#52 0xe02182e0 in trap_fatal (frame=0xf37fba8c, eva=3757891704)
    at ../../i386/i386/trap.c:944
#53 0xe0217f5b in trap_pfault (frame=0xf37fba8c, usermode=0, eva=3757891704)
    at ../../i386/i386/trap.c:837
#54 0xe0217bb6 in trap (frame={tf_es = -209780720, tf_ds = -534904816, 
      tf_edi = 433451008, tf_esi = -1, tf_ebp = -209732896, 
      tf_isp = -209732940, tf_ebx = -209592320, tf_edx = -541065216, 
      tf_ecx = -537075592, tf_eax = -537075592, tf_trapno = 12, tf_err = 0, 
      tf_eip = -534687421, tf_cs = 8, tf_eflags = 66182, tf_esp = -534287904, 
      tf_ss = -1}) at ../../i386/i386/trap.c:438
#55 0xe0215143 in pmap_enter (pmap=0xe028465c, va=4085374976, pa=433451008, 
    prot=7 '\a', wired=1) at ../../i386/i386/pmap.c:2365
#56 0xe01eb75a in vm_fault (map=0xe0276974, vaddr=4085374976, 
    fault_type=7 '\a', fault_flags=0) at ../../vm/vm_fault.c:749
#57 0xe0217f08 in trap_pfault (frame=0xf37fbc00, usermode=0, eva=4085376064)
    at ../../i386/i386/trap.c:826
#58 0xe0217bb6 in trap (frame={tf_es = 2037514256, tf_ds = 1162280976, 
      tf_edi = -1, tf_esi = -1, tf_ebp = -209732536, tf_isp = -209732568, 
      tf_ebx = -534287616, tf_edx = -209591232, tf_ecx = 1, tf_eax = 39, 
      tf_trapno = 12, tf_err = 0, tf_eip = -534807689, tf_cs = 8, 
      tf_eflags = 66179, tf_esp = 3, tf_ss = 0}) at ../../i386/i386/trap.c:438
#59 0xe01f7b77 in zalloci (z=0xe0276b00) at ../../vm/vm_zone.h:87
#60 0xe01f10f3 in vm_object_allocate (type=OBJT_DEFAULT, size=3)
    at ../../vm/vm_object.c:225
#61 0xe01ef5e8 in vm_map_lookup (var_map=0xf37fbd1c, vaddr=4085256192, 
    fault_typea=1 '\001', out_entry=0xf37fbd20, object=0xf37fbd14, 
    pindex=0xf37fbd18, out_prot=0xf37fbd03 "", wired=0xf37fbcfc)
    at ../../vm/vm_map.c:2668
#62 0xe01eaf57 in vm_fault (map=0xe0276974, vaddr=4085256192, 
    fault_type=1 '\001', fault_flags=0) at ../../vm/vm_fault.c:198
#63 0xe0217f08 in trap_pfault (frame=0xf37fbdd0, usermode=0, eva=4085256424)
    at ../../i386/i386/trap.c:826
#64 0xe0217bb6 in trap (frame={tf_es = -534249456, tf_ds = 16, tf_edi = 0, 
      tf_esi = 6, tf_ebp = -209732052, tf_isp = -209732104, 
      tf_ebx = 1026977792, tf_edx = -209711104, tf_ecx = -210500928, 
      tf_eax = 3026979, tf_trapno = 12, tf_err = 0, tf_eip = -534679513, 
      tf_cs = 8, tf_eflags = 65543, tf_esp = -535481203, tf_ss = -210500224})
    at ../../i386/i386/trap.c:438
#65 0xe0217027 in swtch_com ()
#66 0xe0152d91 in tsleep (ident=0xf13afc44, priority=280, 
    wmesg=0xe023cf9c "sbwait", timo=0) at ../../kern/kern_synch.c:443
#67 0xe016a29f in sbwait (sb=0xf13afc44) at ../../kern/uipc_socket2.c:278
#68 0xe0169187 in soreceive (so=0xf13afc00, psa=0x0, uio=0xf37fbf00, mp0=0x0, 
    controlp=0x0, flagsp=0x0) at ../../kern/uipc_socket.c:676
#69 0xe015efe0 in soo_read (fp=0xe5686140, uio=0xf37fbf00, cred=0xe3fced00, 
    flags=0) at ../../kern/sys_socket.c:70
#70 0xe015ba41 in dofileread (p=0xf3740580, fp=0xe5686140, fd=191, 
    buf=0xdfbfd594, nbyte=996, offset=0xffffffffffffffff, flags=0)
    at ../../kern/sys_generic.c:179
#71 0xe015b94b in read (p=0xf3740580, uap=0xf37fbf84)
    at ../../kern/sys_generic.c:111
#72 0xe021855b in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 191, 
      tf_esi = -541076076, tf_ebp = -541075076, tf_isp = -209731628, 
      tf_ebx = 191, tf_edx = -541077092, tf_ecx = 9, tf_eax = 3, 
      tf_trapno = 12, tf_err = 2, tf_eip = 973696924, tf_cs = 31, 
      tf_eflags = 646, tf_esp = -541077132, tf_ss = 39})
    at ../../i386/i386/trap.c:1102
#73 0xe02074bc in Xint0x80_syscall ()
(kgdb) disassemble swtch_com
Dump of assembler code for function swtch_com:
0xe0216fc1 <swtch_com>: movl   $0x0,%eax
0xe0216fc6 <swtch_com+5>:       movl   %eax,0xe0263fa4
0xe0216fcb <swtch_com+10>:      movl   %eax,0x4(%ecx)
0xe0216fce <swtch_com+13>:      movl   0x11c(%ecx),%edx
0xe0216fd4 <swtch_com+19>:      movl   0x60(%ecx),%eax
0xe0216fd7 <swtch_com+22>:      movl   0x64(%eax),%esi
0xe0216fda <swtch_com+25>:      cmpl   %esi,0xff8000c0
0xe0216fe0 <swtch_com+31>:      jne    0xe0216fee <swtch_com+45>
0xe0216fe2 <swtch_com+33>:      movl   0xff8000bc,%edi
0xe0216fe8 <swtch_com+39>:      btrl   %edi,0x10(%esi)
0xe0216fec <swtch_com+43>:      jmp    0xe0217021 <swtch_com+96>
0xe0216fee <swtch_com+45>:      bsfl   0x10(%esi),%edi
0xe0216ff2 <swtch_com+49>:      btrl   %edi,0x10(%esi)
0xe0216ff6 <swtch_com+53>:      movl   $0xdff7f000,%eax
0xe0216ffb <swtch_com+58>:      movl   0xff8(%eax),%eax
0xe0217001 <swtch_com+64>:      movl   0x0(%esi,%edi,4),%ebx
0xe0217005 <swtch_com+68>:      movl   %eax,0xff8(%ebx)
0xe021700b <swtch_com+74>:      movl   0x8(%esi,%edi,4),%ebx
0xe021700f <swtch_com+78>:      movl   %ebx,0x0(%edx)
0xe0217012 <swtch_com+81>:      movl   %ebx,%cr3
0xe0217015 <swtch_com+84>:      movl   %esi,0xff8000c0
0xe021701b <swtch_com+90>:      movl   %edi,0xff8000bc
0xe0217021 <swtch_com+96>:      movl   0xff80008c,%esi
0xe0217027 <swtch_com+102>:     cmpl   $0x0,0xe8(%edx)
(kgdb) print ((struct proc *) -210500928)
$1 = (struct proc *) 0xf37402c0
(kgdb) print ((struct proc *) -210500928)->p_addr
$2 = (struct user *) 0xf3801000
(kgdb) print ((struct proc *) -210500928)->p_vmspace.vm_pmap->pm_pdirs[0]
$3 = (unsigned int **) 0xf37ff000

Fix: Clear p_vmspace early, to stop pmap_growkernel from stomping on
memory.

Defer part of the initialization of new page directories until
p_vmspace is initialized.

(diff for 4.0-current)
How-To-Repeat: 
Start many processes on a newly rebooted machine.  Add a suitable
amount of bad luck.
Comment 1 Alan Cox freebsd_committer freebsd_triage 1999-07-29 08:25:25 UTC
State Changed
From-To: open->closed

The supplied patch has been applied to 3.2-STABLE and 4.0-CURRENT.