Created attachment 158594 [details] core.txt This code causes kernel panic in FreeBSD 10.2-BETA1. (same as with GENERIC kernel) #!/usr/local/bin/ruby21 require 'shell' Shell.def_system_command("ifconfig", path = "/sbin/ifconfig") sh=Shell.new sh.ifconfig('epair','create') ------------------------------------------------------- freebsd102 dumped core - see /var/crash/vmcore.0 Sat Jul 11 06:49:32 JST 2015 FreeBSD freebsd102 10.2-BETA1 FreeBSD 10.2-BETA1 #0 r285358: Sat Jul 11 04:42:16 JST 2015 root@freebsd102:/usr/obj/usr/src/sys/VIMAGE i386 panic: page fault GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-marcel-freebsd"... Unread portion of the kernel message buffer: Fatal trap 12: page fault while in kernel mode cpuid = 0; apic id = 00 fault virtual address = 0x0 fault code = supervisor read, page not present instruction pointer = 0x20:0x0 stack pointer = 0x28:0xd341c8c4 frame pointer = 0x28:0xd341c8e4 code segment = base rx0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 1056 (ifconfig) trap number = 12 panic: page fault cpuid = 0 KDB: stack backtrace: #0 0xc0b74292 at kdb_backtrace+0x52 #1 0xc0b3509b at vpanic+0x11b #2 0xc0b34f7b at panic+0x1b #3 0xc106dc5b at trap_fatal+0x30b #4 0xc106dfc5 at trap_pfault+0x355 #5 0xc106d694 at trap+0x674 #6 0xc10589dc at calltrap+0x6 #7 0xc3fe3aa0 at epair_ioctl+0x70 #8 0xc0c02392 at ifioctl+0x1392 #9 0xc0b95138 at soo_ioctl+0x2c8 #10 0xc0b8d068 at kern_ioctl+0x258 #11 0xc0b8cd6c at sys_ioctl+0xec #12 0xc106e726 at syscall+0x4a6 #13 0xc1058a71 at Xint0x80_syscall+0x21 Uptime: 1h37m40s Physical memory: 231 MB Dumping 72 MB: 57 41 25 9 Reading symbols from /boot/kernel/uhid.ko.symbols...done. Loaded symbols for /boot/kernel/uhid.ko.symbols Reading symbols from /boot/kernel/if_epair.ko.symbols...done. Loaded symbols for /boot/kernel/if_epair.ko.symbols #0 0x00000000 in ?? () (kgdb) #0 0x00000000 in ?? () (kgdb)
Created attachment 158595 [details] core.txt of GENERIC kernel
BETA2 looks like having no problem. Thank you.
Crash occurs again. In BETA1, it occurs 100%. In BETA2, it occurs sometime.
# dtruss -af ./test.rb PID/LWP RELATIVE ELAPSD CPU SYSCALL(args) = return 801/100072: 62 623 35 mmap(0x0, 0x8000, 0x3) = 671494144 0 801/100072: 122 6 0 issetugid(0x0, 0x0, 0x0) = 0 0 801/100072: 188 23 20 lstat("/etc\0", 0xBFBFD608, 0x0) = 0 0 801/100072: 200 13 11 lstat("/etc/libmap.conf\0", 0xBFBFD608, 0x0) = 0 0 dtrace: error on enabled probe ID 1084 (ID 51569: syscall:freebsd:openat:return): invalid address (0xffffff9c) in action #12 at DIF offset 24 801/100072: 219 4 2 fstat(0x3, 0xBFBFE2A8, 0x0) = 0 0shell(#<Th:0x28cd1c48>): /sbin/ifconfig epair create 801/100072: 270 53 51 mmap(0x0, 0x6B, 0x1) = shell(#<Th:0x28cd1c48>): Process finishing, but active shell exists You can use Shell#transact or Shell#check_point for more safe execution.
This sh one-liner allows me to reproduce a similar crash consistently (usually 2-3 iterations: for i in $(jot 100); do result=$(ifconfig epair create); sleep 0.25; ifconfig $result destroy; done With a sleep time over 0.5 seconds, it seems to be fine. This is reproducible on 11-CURRENT as well. FreeBSD 102rc1 10.2-RC1 FreeBSD 10.2-RC1 #0 r285832: Fri Jul 24 01:08:13 UTC 201 5 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 panic: page fault Unread portion of the kernel message buffer: epair1a: Ethernet address: 02:ff:70:00:05:0a Fatal trap 12: page fault while in kernel mode cpuid = 2; apic id = 02 fault virtual address = 0x0 fault code = supervisor read instruction, page not present instruction pointer = 0x20:0x0 stack pointer = 0x28:0xfffffe00f7181870 frame pointer = 0x28:0xfffffe00f71818c0 code segment = base rx0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 1072 (ifconfig) trap number = 12 panic: page fault cpuid = 2 KDB: stack backtrace: #0 0xffffffff80a15f70 at kdb_backtrace+0x60 #1 0xffffffff809d9b26 at vpanic+0x126 #2 0xffffffff809d99f3 at panic+0x43 #3 0xffffffff80ddbcab at trap_fatal+0x36b #4 0xffffffff80ddbfad at trap_pfault+0x2ed #5 0xffffffff80ddb64a at trap+0x47a #6 0xffffffff80dc19c2 at calltrap+0x8 #7 0xffffffff80a9c39b at ifioctl+0x13ab #8 0xffffffff80a2de65 at kern_ioctl+0x255 #9 0xffffffff80a2db60 at sys_ioctl+0x140 #10 0xffffffff80ddc5c7 at amd64_syscall+0x357 #11 0xffffffff80dc1cab at Xfast_syscall+0xfb Uptime: 2m48s Dumping 272 out of 4067 MB:..6%..12%..24%..36%..42%..53%..65%..71%..83%..95% Reading symbols from /boot/kernel/if_epair.ko.symbols...done. Loaded symbols for /boot/kernel/if_epair.ko.symbols #0 doadump (textdump=<value optimized out>) at pcpu.h:219 219 pcpu.h: No such file or directory. in pcpu.h (kgdb) #0 doadump (textdump=<value optimized out>) at pcpu.h:219 #1 0xffffffff809d9782 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:451 #2 0xffffffff809d9b65 in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:758 #3 0xffffffff809d99f3 in panic (fmt=0x0) at /usr/src/sys/kern/kern_shutdown.c:687 #4 0xffffffff80ddbcab in trap_fatal (frame=<value optimized out>, eva=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:851 #5 0xffffffff80ddbfad in trap_pfault (frame=0xfffffe00f71817c0, usermode=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:674 #6 0xffffffff80ddb64a in trap (frame=0xfffffe00f71817c0) at /usr/src/sys/amd64/amd64/trap.c:440 #7 0xffffffff80dc19c2 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:236 #8 0x0000000000000000 in ?? ()
9.3 STABLE, RELENG, RELEASE also crashed. RELENG 9.2 do not crash.
I could not reproduce this with the given one liner by Allan Jude (comment #5) on FreeBSD 11.1 (AMD64). root@freebsd-gateway:~ # sh # for i in $(jot 100); do result=$(ifconfig epair create); sleep 0.25; ifconfig $result destroy; done # uname -a FreeBSD freebsd-gateway 11.1-RELEASE-p4 FreeBSD 11.1-RELEASE-p4 #0: Tue Nov 14 06:12:40 UTC 2017 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64 #
I did some more testing with other time intervals (0.05 as well as no delay). Still could not reproduce on FreeBSD 11.1 AMD64. root@freebsd-gateway:~ # sh # for i in $(jot 100); do result=$(ifconfig epair create); sleep 0.25; ifconfig $result destroy; done # uname -a FreeBSD freebsd-gateway 11.1-RELEASE-p4 FreeBSD 11.1-RELEASE-p4 #0: Tue Nov 14 06:12:40 UTC 2017 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64 # for i in $(jot 100); do result=$(ifconfig epair create); sleep 0.05; ifconfig $result destroy; done # echo "Still fine" Still fine # for i in $(jot 100); do result=$(ifconfig epair create); ifconfig $result destroy; done # echo "Again, still fine" Again, still fine # whoami root #
I'm sorry we didn't root caused it in reasonable time. Epair handling/creation code changed significantly at least two times since FreeBSD 10. Also, FreeBSD 10.2 EOL happened 5 years ago. I'm going to close this one. Please do reopen the issue if you encounter the crash during epair creation on any of the supported FreeBSD version.