Bug 30495

Summary: ugen bug (?): "page fault while in kernel mode" when using a PPP over ATM program
Product: Base System Reporter: Tony Finch <dot>
Component: kernAssignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description Tony Finch 2001-09-11 00:30:01 UTC 
Unfortunately the machine crashed when I wasn't around, but it would have
been doing very little other than packet forwarding via user-ppp and
pppoa2m. I do, however have a crash dump, which says:

fanf@hand.dotat.at:~
:; gdb -k /boot/SHARP/kernel.debug /var/crash/vmcore.2
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD 4132864
initial pcb at 347980
panicstr: from debugger
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x4521007c
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc015a1ad
stack pointer           = 0x10:0xcb6e1868
frame pointer           = 0x10:0xcb6e1890
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 4615 (pppoa2m)
interrupt mask          = net tty bio cam
panic: from debugger
panic: from debugger
Uptime: 1d6h35m45s
dumping to dev #ad/0x20001, offset 766144
dump ata0: resetting devices .. ata0: mask=01 ostat0=50 ostat2=00
ata0-master: ATAPI probe a=00 b=00
ata0-slave: ATAPI probe a=00 b=00
ata0: mask=01 status0=50 status1=00
ata0-master: ATA probe a=01 b=a5
ata0: devices=01
ata0-master: success setting PIO4 on generic chip
done
127 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108
107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84
83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57
 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 3
0 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
0
---
#0  dumpsys () at /FreeBSD/releng4/sys/kern/kern_shutdown.c:473
473             if (dumping++) {
(kgdb) bt
#0  dumpsys () at /FreeBSD/releng4/sys/kern/kern_shutdown.c:473
#1  0xc015eaa8 in boot (howto=260)
    at /FreeBSD/releng4/sys/kern/kern_shutdown.c:313
#2  0xc015ee9d in panic (fmt=0xc02c86a4 "from debugger")
    at /FreeBSD/releng4/sys/kern/kern_shutdown.c:581
#3  0xc0139b19 in db_panic (addr=-1072324179, have_addr=0, count=-1,
    modif=0xcb6e16d4 "") at /FreeBSD/releng4/sys/ddb/db_command.c:435
#4  0xc0139ab7 in db_command (last_cmdp=0xc0308a04, cmd_table=0xc0308844,
    aux_cmd_tablep=0xc03426f8) at /FreeBSD/releng4/sys/ddb/db_command.c:333
#5  0xc0139b7e in db_command_loop ()
    at /FreeBSD/releng4/sys/ddb/db_command.c:457
#6  0xc013bd37 in db_trap (type=12, code=0)
    at /FreeBSD/releng4/sys/ddb/db_trap.c:71
#7  0xc02a38ce in kdb_trap (type=12, code=0, regs=0xcb6e1828)
    at /FreeBSD/releng4/sys/i386/i386/db_interface.c:158
#8  0xc02b11fc in trap_fatal (frame=0xcb6e1828, eva=1159790716)
    at /FreeBSD/releng4/sys/i386/i386/trap.c:951
#9  0xc02b0ec5 in trap_pfault (frame=0xcb6e1828, usermode=0, eva=1159790716)
    at /FreeBSD/releng4/sys/i386/i386/trap.c:849
#10 0xc02b0a63 in trap (frame={tf_fs = 16, tf_es = -881983472,
      tf_ds = -881983472, tf_edi = -1048069120, tf_esi = -1070476896,
      tf_ebp = -881977200, tf_isp = -881977260, tf_ebx = -1048069120,
      tf_edx = -1070304376, tf_ecx = 10, tf_eax = 1159790680, tf_trapno = 12,
      tf_err = 0, tf_eip = -1072324179, tf_cs = 8, tf_eflags = 66182,
      tf_esp = -1051797572, tf_ss = 1024})
    at /FreeBSD/releng4/sys/i386/i386/trap.c:448
#11 0xc015a1ad in malloc (size=1024, type=0xc031d1a0, flags=1)
    at /FreeBSD/releng4/sys/kern/kern_malloc.c:237
#12 0xc0242fa7 in uhci_allocm (bus=0xc14ec000, dma=0xc14ed7bc, size=1024)
    at /FreeBSD/releng4/sys/dev/usb/uhci.c:493
#13 0xc02462da in usbd_transfer (xfer=0xc14ed780)
    at /FreeBSD/releng4/sys/dev/usb/usbdi.c:274
#14 0xc024770a in usbd_bulk_transfer (xfer=0xc14ed780, pipe=0xc1869680,
    flags=4, timeout=1000, buf=0xcb6e19b8, size=0xcb6e1934,
    lbl=0xc02ea1d5 "ugenrb") at /FreeBSD/releng4/sys/dev/usb/usbdi_util.c:511
#15 0xc024a2fa in ugen_do_read (sc=0xc074b000, endpt=7, uio=0xcb6e1ed8,
    flag=8323072) at /FreeBSD/releng4/sys/dev/usb/ugen.c:580
#16 0xc024a4af in ugenread (dev=0xc15cd480, uio=0xcb6e1ed8, flag=8323072)
    at /FreeBSD/releng4/sys/dev/usb/ugen.c:656
#17 0xc0199b26 in spec_read (ap=0xcb6e1e6c)
    at /FreeBSD/releng4/sys/miscfs/specfs/spec_vnops.c:253
#18 0xc02326a4 in ufsspec_read (ap=0xcb6e1e6c)
    at /FreeBSD/releng4/sys/ufs/ufs/ufs_vnops.c:1843
#19 0xc0232d31 in ufs_vnoperatespec (ap=0xcb6e1e6c)
    at /FreeBSD/releng4/sys/ufs/ufs/ufs_vnops.c:2400
#20 0xc019511c in vn_read (fp=0xc18e3300, uio=0xcb6e1ed8, cred=0xc161b080,
    flags=0, p=0xcb5fbd40) at vnode_if.h:334
#21 0xc016d9cb in dofileread (p=0xcb5fbd40, fp=0xc18e3300, fd=6,
    buf=0xbfbfed90, nbyte=3392, offset=-1, flags=0)
---Type <return> to continue, or q <return> to quit---
    at /FreeBSD/releng4/sys/sys/file.h:146
#22 0xc016d88f in read (p=0xcb5fbd40, uap=0xcb6e1f80)
    at /FreeBSD/releng4/sys/kern/sys_generic.c:117
#23 0xc02b14e9 in syscall2 (frame={tf_fs = -1078001617, tf_es = -1078001617,
      tf_ds = -1078001617, tf_edi = -1077937260, tf_esi = -1077937292,
      tf_ebp = -1077940896, tf_isp = -881975340, tf_ebx = 7, tf_edx = 6,
      tf_ecx = 60, tf_eax = 3, tf_trapno = 7, tf_err = 2, tf_eip = 1208884752,
      tf_cs = 31, tf_eflags = 663, tf_esp = -1077940940, tf_ss = 47})
    at /FreeBSD/releng4/sys/i386/i386/trap.c:1155
#24 0xc02a46c5 in Xint0x80_syscall ()
#25 0x80499bf in ?? ()
#26 0x804a3d0 in ?? ()
#27 0x8048ba9 in ?? ()
(kgdb)
Comment 1 Tony Finch 2001-09-30 10:39:57 UTC 
I recently did a little diagnosis using the core files this bug
has produced for me. The trap is occurring inside some INVARIANTS
code in malloc(), so I tried turning off INVARIANTS. It was not
surprising that this failed to improve matters: it only made the
crashes more random :-) (Sometimes the machine locked up completely,
sometimes the USB died but everything else continued to work --
LEDs on the ADSL modem turned off and `usbdevs` would hang when I
tried to run it and unplugging and replugging the modem didn't fix
things -- and sometimes I got a normal page fault panic.)

The crashes don't seem to be related to memory pressure; in fact
I haven't noticed any particular trigger for them even though
several have happened while I have been using the machine. I have
recently started running ntpd and the crashes seem to happen more
often now, however they haven't happened when I have been doing
bulk downloads...

Tony.
-- 
f.a.n.finch <dot@dotat.at>
FAIR ISLE FAEROES SOUTHEAST ICELAND: SOUTHEAST 5 TO 7, OCCASIONALLY GALE 8,
DECREASING 4 OR 5. OCCASIONAL RAIN. MODERATE OR POOR.
Comment 2 iedowse freebsd_committer freebsd_triage 2002-12-01 13:25:29 UTC 
State Changed
From-To: open->feedback


Do you know if this still happens or if the behaviour is any different 
on -CURRENT?
Comment 3 Hiten Pandya freebsd_committer freebsd_triage 2003-05-28 15:14:14 UTC 
State Changed
From-To: feedback->closed

This issue has been resolved, see rev. 1.70 of sys/dev/usb/ugen.c.  Thanks.