Bug 16171

Summary: mmap(2) of /dev/kmem cause kernel panic
Product: Base System
Reporter: romanp <romanp>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any

Description romanp 2000-01-18 11:00:01 UTC
When the test code executes, it causes a kernel panic in memmmap().
This is the kernel panic message with backtrace. If you need more
information, feel free to contact me.

IdlePTD 2686976
initial pcb at 216028
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0xbfc00000
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xc01ca911
stack pointer	        = 0x10:0xc306cd80
frame pointer	        = 0x10:0xc306cd80
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 2137 (t_mmap)
interrupt mask		= 
trap number		= 12
panic: page fault

syncing disks... 8 4 2 done

dumping to dev 30011, offset 39296
dump 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 
---
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
285			dumppcb.pcb_cr3 = rcr3();
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
#1  0xc012773c in at_shutdown (
    function=0xc01faab2 <__set_sysinit_set_sym_memdev_sys_init+1050>, 
    arg=0xc3069e60, queue=-1023928320) at ../../kern/kern_shutdown.c:446
#2  0xc01cef11 in trap_fatal (frame=0xc306cd44, eva=3217031168)
    at ../../i386/i386/trap.c:942
#3  0xc01cebef in trap_pfault (frame=0xc306cd44, usermode=0, eva=3217031168)
    at ../../i386/i386/trap.c:835
#4  0xc01ce866 in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -1071863604, 
      tf_esi = 0, tf_ebp = -1022964352, tf_isp = -1022964372, tf_ebx = 19, 
      tf_edx = 0, tf_ecx = 0, tf_eax = 0, tf_trapno = 12, tf_err = 0, 
      tf_eip = -1071863535, tf_cs = 8, tf_eflags = 66134, 
      tf_esp = -1022964308, tf_ss = -1072000884}) at ../../i386/i386/trap.c:437
#5  0xc01ca911 in memmmap (dev=513, offset=0, nprot=1) at machine/pmap.h:171
#6  0xc01a908c in dev_pager_alloc (handle=0x201, size=81920, prot=1, foff=0)
    at ../../vm/device_pager.c:129
#7  0xc01b5bcc in vm_pager_allocate (type=OBJT_DEVICE, handle=0x201, 
    size=81920, prot=1, off=0) at ../../vm/vm_pager.c:238
#8  0xc01b11c4 in vm_mmap (map=0xc2f81800, addr=0xc306cee8, size=81920, 
    prot=1 '\001', maxprot=5 '\005', flags=1, handle=0x201, foff=0)
    at ../../vm/vm_mmap.c:1002
#9  0xc01b0911 in mmap (p=0xc3069e60, uap=0xc306cf94) at ../../vm/vm_mmap.c:334
#10 0xc01cf153 in syscall (frame={tf_es = 39, tf_ds = 39, 
      tf_edi = -1077945236, tf_esi = 2, tf_ebp = -1077945324, 
      tf_isp = -1022963740, tf_ebx = 671963100, tf_edx = 0, tf_ecx = 0, 
      tf_eax = 198, tf_trapno = 12, tf_err = 2, tf_eip = 671699592, 
      tf_cs = 31, tf_eflags = 530, tf_esp = -1077945372, tf_ss = 39})
    at ../../i386/i386/trap.c:1100
#11 0xc01c529c in Xint0x80_syscall ()
#12 0x80484b2 in ?? ()
#13 0x8048419 in ?? ()

How-To-Repeat: Compile and execute this program:

/* t_mmap.c */
#include <sys/types.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main(void)
{
	int fd = open("/dev/kmem", O_RDONLY);	/* needs root or the kmem group */
	if (fd == -1) {
		perror("open");
		return 1;
	}
	/* mapping 20 pages of /dev/kmem is what triggers the panic in memmmap() */
	void *ptr = mmap(0, 20*4096, PROT_READ, MAP_SHARED, fd, 0);
	if (ptr == MAP_FAILED)
		perror("mmap");
	close(fd);
	return 0;
}

Comment 1 Mike Barcroft (freebsd_committer, freebsd_triage) 2001-07-21 19:42:20 UTC
State Changed
From-To: open->closed

I can't reproduce this panic on 5.0-CURRENT, so I assume it's fixed.