From romanp@ghost.wuppy.eu.org  Tue Jan 18 02:56:55 2000
Return-Path: <romanp@ghost.wuppy.eu.org>
Received: from irga-gw.wuppy.net.ru (wuppy-gw.ineco.ryazan.su [195.9.65.177])
	by hub.freebsd.org (Postfix) with ESMTP id B923214C57
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 18 Jan 2000 02:56:50 -0800 (PST)
	(envelope-from romanp@ghost.wuppy.eu.org)
Received: (from uucp@localhost)
	by irga-gw.wuppy.net.ru (8.9.3.local/8.9.2) with UUCP id NAA18596
	for FreeBSD-gnats-submit@freebsd.org; Tue, 18 Jan 2000 13:56:46 +0300 (MSK)
	(envelope-from romanp@ghost.wuppy.eu.org)
Received: (from romanp@localhost)
	by ghost.wuppy.eu.org (8.10.0.Beta6/8.10.0.Beta6) id e0IAphX00970;
	Tue, 18 Jan 2000 13:51:43 +0300 (MSK)
Message-Id: <200001181051.e0IAphX00970@ghost.wuppy.eu.org>
Date: Tue, 18 Jan 2000 13:51:43 +0300 (MSK)
From: romanp@wuppy.net.ru
Sender: romanp@ghost.wuppy.eu.org
Reply-To: romanp@wuppy.net.ru
To: FreeBSD-gnats-submit@freebsd.org
Subject: mmap(2) of /dev/kmem causes kernel panic
X-Send-Pr-Version: 3.2

>Number:         16171
>Category:       kern
>Synopsis:       mmap(2) of /dev/kmem causes kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 18 03:00:01 PST 2000
>Closed-Date:    Sat Jul 21 11:42:20 PDT 2001
>Last-Modified:  Sat Jul 21 11:43:28 PDT 2001
>Originator:     Roman V. Palagin
>Release:        FreeBSD 3.3-19991022-INRIA-991118E i386
>Organization:
	Speaking for myself.
>Environment:
Systems: FreeBSD 3.3-19991022-STABLE with INRIA IPv6 patches, also tested
on 3.4-20000108-STABLE.
Architecture: i386 

>Description:
When the test code executes, it causes a kernel panic in memmmap().
This is the kernel panic message with a backtrace. If you need more
information, feel free to contact me.

IdlePTD 2686976
initial pcb at 216028
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0xbfc00000
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xc01ca911
stack pointer	        = 0x10:0xc306cd80
frame pointer	        = 0x10:0xc306cd80
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 2137 (t_mmap)
interrupt mask		= 
trap number		= 12
panic: page fault

syncing disks... 8 4 2 done

dumping to dev 30011, offset 39296
dump 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 
---
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
285			dumppcb.pcb_cr3 = rcr3();
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
#1  0xc012773c in at_shutdown (
    function=0xc01faab2 <__set_sysinit_set_sym_memdev_sys_init+1050>, 
    arg=0xc3069e60, queue=-1023928320) at ../../kern/kern_shutdown.c:446
#2  0xc01cef11 in trap_fatal (frame=0xc306cd44, eva=3217031168)
    at ../../i386/i386/trap.c:942
#3  0xc01cebef in trap_pfault (frame=0xc306cd44, usermode=0, eva=3217031168)
    at ../../i386/i386/trap.c:835
#4  0xc01ce866 in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -1071863604, 
      tf_esi = 0, tf_ebp = -1022964352, tf_isp = -1022964372, tf_ebx = 19, 
      tf_edx = 0, tf_ecx = 0, tf_eax = 0, tf_trapno = 12, tf_err = 0, 
      tf_eip = -1071863535, tf_cs = 8, tf_eflags = 66134, 
      tf_esp = -1022964308, tf_ss = -1072000884}) at ../../i386/i386/trap.c:437
#5  0xc01ca911 in memmmap (dev=513, offset=0, nprot=1) at machine/pmap.h:171
#6  0xc01a908c in dev_pager_alloc (handle=0x201, size=81920, prot=1, foff=0)
    at ../../vm/device_pager.c:129
#7  0xc01b5bcc in vm_pager_allocate (type=OBJT_DEVICE, handle=0x201, 
    size=81920, prot=1, off=0) at ../../vm/vm_pager.c:238
#8  0xc01b11c4 in vm_mmap (map=0xc2f81800, addr=0xc306cee8, size=81920, 
    prot=1 '\001', maxprot=5 '\005', flags=1, handle=0x201, foff=0)
    at ../../vm/vm_mmap.c:1002
#9  0xc01b0911 in mmap (p=0xc3069e60, uap=0xc306cf94) at ../../vm/vm_mmap.c:334
#10 0xc01cf153 in syscall (frame={tf_es = 39, tf_ds = 39, 
      tf_edi = -1077945236, tf_esi = 2, tf_ebp = -1077945324, 
      tf_isp = -1022963740, tf_ebx = 671963100, tf_edx = 0, tf_ecx = 0, 
      tf_eax = 198, tf_trapno = 12, tf_err = 2, tf_eip = 671699592, 
      tf_cs = 31, tf_eflags = 530, tf_esp = -1077945372, tf_ss = 39})
    at ../../i386/i386/trap.c:1100
#11 0xc01c529c in Xint0x80_syscall ()
#12 0x80484b2 in ?? ()
#13 0x8048419 in ?? ()

>How-To-Repeat:
Compile and execute this program:

/* t_mmap.c: mmap(2) the first 20 pages of /dev/kmem; on affected kernels
 * the mmap call panics the machine in memmmap() instead of returning. */
#include <sys/types.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdio.h>

int
main(void)
{
	int fd = open("/dev/kmem", O_RDONLY);	/* needs read access to kmem */
	void *ptr;

	if (fd < 0) {
		perror("open(/dev/kmem)");
		return 1;
	}
	ptr = mmap(0, 20*4096, PROT_READ, MAP_SHARED, fd, 0);
	return (ptr == MAP_FAILED) ? 1 : 0;
}


>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: mike 
State-Changed-When: Sat Jul 21 11:42:20 PDT 2001 
State-Changed-Why:  

I can't reproduce this panic on 5.0-CURRENT, so I assume it's fixed. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=16171 
>Unformatted:
