Bug 245697 - Page fault in frag6_slowtimo
Summary: Page fault in frag6_slowtimo
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 12.1-STABLE
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: freebsd-net (Nobody)
Depends on:
Reported: 2020-04-17 14:45 UTC by Etienne Bagnoud
Modified: 2020-05-24 21:53 UTC

See Also:


Description Etienne Bagnoud 2020-04-17 14:45:18 UTC

I have experienced a page fault in the unmodified release kernel. I think my problem might be the same as bug #240710.

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address	= 0x40
fault code		= supervisor read data, page not present
instruction pointer	= 0x20:0xffffffff80e0a277
stack pointer	        = 0x28:0xfffffe00004a78c0
frame pointer	        = 0x28:0xfffffe00004a7910
code segment		= base rx0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 12 (swi4: clock (0))
trap number		= 12
panic: page fault
cpuid = 0
time = 1587137909
KDB: stack backtrace:
#0 0xffffffff80c1d2f7 at kdb_backtrace+0x67
#1 0xffffffff80bd062d at vpanic+0x19d
#2 0xffffffff80bd0483 at panic+0x43
#3 0xffffffff810a7dcc at trap_fatal+0x39c
#4 0xffffffff810a7e19 at trap_pfault+0x49
#5 0xffffffff810a740f at trap+0x29f
#6 0xffffffff81081bdc at calltrap+0x8
#7 0xffffffff80c5c804 at pfslowtimo+0x54
#8 0xffffffff80bea783 at softclock_call_cc+0x143
#9 0xffffffff80beac49 at softclock+0x79
#10 0xffffffff80b93dd4 at ithread_loop+0x1d4
#11 0xffffffff80b90c43 at fork_exit+0x83
#12 0xffffffff81082c1e at fork_trampoline+0xe
Uptime: 10h4m43s
Dumping 745 out of 14242 MB:..3%..11%..22%..31%..41%..52%..61%..71%..82%..91%

__curthread () at /usr/src/sys/amd64/include/pcpu.h:234
234		__asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (OFFSETOF_CURTHREAD));
(kgdb) list *0xffffffff80e0a277
0xffffffff80e0a277 is in frag6_slowtimo (/usr/src/sys/netinet6/frag6.c:863).
858					continue;
859				}
860				while (q6 != head) {
861					--q6->ip6q_ttl;
862					q6 = q6->ip6q_next;
863					if (q6->ip6q_prev->ip6q_ttl == 0) {
864						IP6STAT_INC(ip6s_fragtimeout);
865						/* XXX in6_ifstat_inc(ifp, ifs6_reass_fail) */
866						frag6_freef(q6->ip6q_prev, i);
867					}
(kgdb) bt
#0  __curthread () at /usr/src/sys/amd64/include/pcpu.h:234
#1  doadump (textdump=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:371
#2  0xffffffff80bd0228 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:451
#3  0xffffffff80bd0689 in vpanic (fmt=<optimized out>, ap=<optimized out>)
    at /usr/src/sys/kern/kern_shutdown.c:877
#4  0xffffffff80bd0483 in panic (fmt=<unavailable>) at /usr/src/sys/kern/kern_shutdown.c:804
#5  0xffffffff810a7dcc in trap_fatal (frame=0xfffffe00004a7800, eva=64)
    at /usr/src/sys/amd64/amd64/trap.c:943
#6  0xffffffff810a7e19 in trap_pfault (frame=0xfffffe00004a7800, usermode=0)
    at /usr/src/sys/amd64/amd64/trap.c:767
#7  0xffffffff810a740f in trap (frame=0xfffffe00004a7800) at /usr/src/sys/amd64/amd64/trap.c:443
#8  <signal handler called>
#9  frag6_slowtimo () at /usr/src/sys/netinet6/frag6.c:863
#10 0xffffffff80c5c804 in pfslowtimo (arg=0xffffffff8200d158 <vnet_rwlock>)
    at /usr/src/sys/kern/uipc_domain.c:508
#11 0xffffffff80bea783 in softclock_call_cc (c=0xffffffff81f94510 <pfslow_callout>, 
    cc=0xffffffff81ff7880 <cc_cpu>, direct=0) at /usr/src/sys/kern/kern_timeout.c:731
#12 0xffffffff80beac49 in softclock (arg=0xffffffff81ff7880 <cc_cpu>)
    at /usr/src/sys/kern/kern_timeout.c:869
#13 0xffffffff80b93dd4 in intr_event_execute_handlers (p=<optimized out>, ie=<optimized out>)
    at /usr/src/sys/kern/kern_intr.c:1129
#14 ithread_execute_handlers (p=<optimized out>, ie=<optimized out>)
    at /usr/src/sys/kern/kern_intr.c:1142
#15 ithread_loop (arg=<optimized out>) at /usr/src/sys/kern/kern_intr.c:1222
#16 0xffffffff80b90c43 in fork_exit (callout=0xffffffff80b93c00 <ithread_loop>, arg=0xfffff800036a8060, 
    frame=0xfffffe00004a7ac0) at /usr/src/sys/kern/kern_fork.c:1065
#17 <signal handler called>
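The following is a user-space model of the expiry walk in the frag6.c snippet above, added here as an illustration; it is not kernel code from this bug or from FreeBSD. It keeps only the three fields the snippet touches (ip6q_ttl, ip6q_next, ip6q_prev) on a sentinel-headed circular list, stands in for frag6_freef with a local unlink-and-free, and adds a consistency check. The struct name and every helper (q_init, q_insert, q_free, slowtimo_walk, q_consistent, q_count, walk_demo) are this example's own, and the sample ttl values are constructed. It shows why the loop advances before testing and freeing the entry it just left, and which invariant every link must satisfy for the read at frag6.c:863 to be safe.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of a reassembly queue entry: only the fields the frag6.c snippet
 * uses. The real struct ip6q carries many more (assumption: layout here is
 * not the kernel's). The list is circular with a sentinel head. */
struct ip6q_model {
    unsigned ip6q_ttl;
    struct ip6q_model *ip6q_next;
    struct ip6q_model *ip6q_prev;
};

/* Empty list: the sentinel points at itself in both directions. */
static void q_init(struct ip6q_model *head)
{
    head->ip6q_ttl = 0;
    head->ip6q_next = head->ip6q_prev = head;
}

/* Insert a new entry right after the sentinel. */
static struct ip6q_model *q_insert(struct ip6q_model *head, unsigned ttl)
{
    struct ip6q_model *q = calloc(1, sizeof *q);
    if (q == NULL)
        abort();
    q->ip6q_ttl = ttl;
    q->ip6q_next = head->ip6q_next;
    q->ip6q_prev = head;
    head->ip6q_next->ip6q_prev = q;
    head->ip6q_next = q;
    return q;
}

/* Stand-in for frag6_freef: unlink from both neighbours, then free. */
static void q_free(struct ip6q_model *q)
{
    q->ip6q_prev->ip6q_next = q->ip6q_next;
    q->ip6q_next->ip6q_prev = q->ip6q_prev;
    free(q);
}

/* The walk from frag6.c lines 860-867. It steps forward first, then tests
 * and frees the entry it just left, so freeing never invalidates the cursor.
 * The reporter's kernel faulted on the read of q6->ip6q_prev->ip6q_ttl.
 * Returns the number of entries freed in this pass. */
static int slowtimo_walk(struct ip6q_model *head)
{
    int freed = 0;
    struct ip6q_model *q6 = head->ip6q_next;

    while (q6 != head) {
        --q6->ip6q_ttl;
        q6 = q6->ip6q_next;
        if (q6->ip6q_prev->ip6q_ttl == 0) {
            q_free(q6->ip6q_prev);
            freed++;
        }
    }
    return freed;
}

/* Invariant the loop relies on: no link is NULL and next/prev agree.
 * A dangling or NULL link is what the walk above would dereference. */
static int q_consistent(const struct ip6q_model *head)
{
    const struct ip6q_model *q = head;
    do {
        if (q->ip6q_next == NULL || q->ip6q_prev == NULL)
            return 0;
        if (q->ip6q_next->ip6q_prev != q)
            return 0;
        q = q->ip6q_next;
    } while (q != head);
    return 1;
}

static int q_count(const struct ip6q_model *head)
{
    int n = 0;
    for (const struct ip6q_model *q = head->ip6q_next; q != head; q = q->ip6q_next)
        n++;
    return n;
}

/* Constructed sample: three entries with ttl 1, 2, 1; run two ticks.
 * Returns freed-in-first-pass * 10 + freed-in-second-pass, or -1 if the
 * list is left inconsistent or non-empty. */
int walk_demo(void)
{
    struct ip6q_model head;
    q_init(&head);
    q_insert(&head, 1);
    q_insert(&head, 2);
    q_insert(&head, 1);
    int first = slowtimo_walk(&head);   /* frees the two ttl-1 entries */
    int second = slowtimo_walk(&head);  /* frees the remaining one */
    int ok = q_consistent(&head) && q_count(&head) == 0;
    return ok ? first * 10 + second : -1;
}

int main(void)
{
    printf("walk_demo = %d (expect 21)\n", walk_demo());
    return 0;
}
```

The q_consistent check is the same walk one would do by hand in kgdb on the dump: start at the list head, follow ip6q_next until it returns to the head, and confirm at each step that ip6q_next->ip6q_prev points back.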
Comment 1 Bjoern A. Zeeb freebsd_committer 2020-04-18 08:15:34 UTC
The frag6 code has since been completely overhauled in HEAD and stable/12.

Any fix would need a direct Errata Notice commit to 12.1.  That's tricky but doable.  The alternative would be to try what is in stable/12 and see if the problem goes away.

If you need 12.1 + patch I can prepare one bringing the changes from stable/12 to a 12.1 branch with a bit of work.
Comment 2 Etienne Bagnoud 2020-04-18 13:08:50 UTC
I have no way to reproduce the problem. IPv6 is not even used. So I'll wait and see if it happens again and switch to stable/12 in that case.