From hsu@clinet.fi  Fri Oct  4 16:44:53 1996
Received: from hauki.clinet.fi (root@hauki.clinet.fi [194.100.0.1])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA03582
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 4 Oct 1996 16:44:33 -0700 (PDT)
Received: from katiska.clinet.fi (root@katiska.clinet.fi [194.100.0.4]) by hauki.clinet.fi (8.7.6/8.6.4) with ESMTP id BAA08278 for <FreeBSD-gnats-submit@freebsd.org>; Sat, 5 Oct 1996 01:43:56 +0200 (EET)
Received: (root@localhost) by katiska.clinet.fi (8.7.6/8.6.4) id CAA01171; Sat, 5 Oct 1996 02:43:55 +0300 (EET DST)
Message-Id: <199610042343.CAA01171@katiska.clinet.fi>
Date: Sat, 5 Oct 1996 02:43:55 +0300 (EET DST)
From: Heikki Suonsivu <hsu@clinet.fi>
Reply-To: hsu@clinet.fi
To: FreeBSD-gnats-submit@freebsd.org
Subject: panic in kmem_malloc (dump available)
X-Send-Pr-Version: 3.2

>Number:         1726
>Category:       kern
>Synopsis:       panic in kmem_malloc (dump available)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct  4 16:50:00 PDT 1996
>Closed-Date:    Mon Sep 25 13:03:51 PDT 2000
>Last-Modified:  Mon Sep 25 13:08:30 PDT 2000
>Originator:     Heikki Suonsivu
>Release:        FreeBSD 2.2-CURRENT i386
>Organization:
Clinet, Espoo, Finland
>Environment:

terminal/modem server with 32 ports with Cyclades boards, kernel ppp,
dialup modems.  Current from 28th <21:58 sup.  I have a couple of patches
which may or may not have meaning (32 port Cyclades patches, upping TTYHOG and
RS_IBUF_SIZE)

>Description:

Dump and kernel are at ftp://ftp.clinet.fi/pub/FreeBSD/crashdumps/ts/*.44.gz

Current directory is /usr/local/ftp/pub/FreeBSD/crashdumps/ts/
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), 
Copyright 1994 Free Software Foundation, Inc...
IdlePTD 24b000
current pcb at 1f7e5c
panic: page fault
#0  boot (howto=256) at ../../kern/kern_shutdown.c:237
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:237
#1  0xf010ea62 in panic (fmt=0xf01c5631 "page fault")
    at ../../kern/kern_shutdown.c:361
#2  0xf01c618e in trap_fatal (frame=0xefbffce8) at ../../i386/i386/trap.c:741
#3  0xf01c5c7c in trap_pfault (frame=0xefbffce8, usermode=0)
    at ../../i386/i386/trap.c:652
#4  0xf01c5963 in trap (frame={tf_es = -266010608, tf_ds = -221052912, 
      tf_edi = -1, tf_esi = 1, tf_ebp = -272630480, tf_isp = -272630512, 
      tf_ebx = 0, tf_edx = 0, tf_ecx = 12, tf_eax = 0, tf_trapno = 12, 
      tf_err = -266665984, tf_eip = -266625792, tf_cs = 8, tf_eflags = 66198, 
      tf_esp = 0, tf_ss = 0}) at ../../i386/i386/trap.c:311
#5  0xf01be5c1 in calltrap ()
#6  0xf01b4095 in kmem_malloc (map=0xf025c064, size=4096, waitflag=1)
    at ../../vm/vm_kern.c:333
#7  0xf010b16f in malloc (size=148, type=5, flags=1)
    at ../../kern/kern_malloc.c:145
#8  0xf0148ade in rtrequest (req=1, dst=0xf2d3615c, gateway=0xf2d3616c, 
    netmask=0xf2d3617c, flags=3, ret_nrt=0xefbffe1c) at ../../net/route.c:515
#9  0xf014957d in route_output (m=0xf19b7580, so=0xf2cb5700)
    at ../../net/rtsock.c:197
#10 0xf01482ce in raw_usrreq (so=0xf2cb5700, req=9, m=0xf19b7580, nam=0x0, 
    control=0x0) at ../../net/raw_usrreq.c:257
#11 0xf014930a in route_usrreq (so=0xf2cb5700, req=9, m=0xf19b7580, nam=0x0, 
    control=0x0) at ../../net/rtsock.c:115
#12 0xf0122f55 in old_send (so=0xf2cb5700, flags=0, m=0xf19b7580, addr=0x0, 
    control=0x0) at ../../kern/uipc_socket2.c:871
#13 0xf0120e56 in sosend (so=0xf2cb5700, addr=0x0, uio=0xefbfff34, 
    top=0xf19b7580, control=0x0, flags=0) at ../../kern/uipc_socket.c:461
#14 0xf01181b5 in soo_write (fp=0xf2cb9080, uio=0xefbfff34, cred=0xf09b2a80)
    at ../../kern/sys_socket.c:82
#15 0xf0115c83 in write (p=0xf2c7a600, uap=0xefbfff94, retval=0xefbfff84)
    at ../../kern/sys_generic.c:263
#16 0xf01c6427 in syscall (frame={tf_es = 720935, tf_ds = 720935, tf_edi = 0, 
      tf_esi = 750408, tf_ebp = -272639908, tf_isp = -272629788, 
      tf_ebx = 677028, tf_edx = 710264, tf_ecx = 750408, tf_eax = 4, 
      tf_trapno = 7, tf_err = 7, tf_eip = 135302529, tf_cs = 31, 
      tf_eflags = 582, tf_esp = -272639936, tf_ss = 39})
    at ../../i386/i386/trap.c:891
#17 0xf01be615 in Xsyscall ()
#18 0xfa39 in ?? ()
#19 0xfeda in ?? ()
#20 0xa839 in ?? ()
#21 0xb0a9 in ?? ()
#22 0x2760d in ?? ()
#23 0x300ba in ?? ()
#24 0x1096 in ?? ()
(kgdb) up
#1  0xf010ea62 in panic (fmt=0xf01c5631 "page fault")
    at ../../kern/kern_shutdown.c:361
(kgdb) up
#2  0xf01c618e in trap_fatal (frame=0xefbffce8) at ../../i386/i386/trap.c:741
(kgdb) print type
$1 = 12
(kgdb) up
#3  0xf01c5c7c in trap_pfault (frame=0xefbffce8, usermode=0)
    at ../../i386/i386/trap.c:652
(kgdb) up
#4  0xf01c5963 in trap (frame={tf_es = -266010608, tf_ds = -221052912, 
      tf_edi = -1, tf_esi = 1, tf_ebp = -272630480, tf_isp = -272630512, 
      tf_ebx = 0, tf_edx = 0, tf_ecx = 12, tf_eax = 0, tf_trapno = 12, 
      tf_err = -266665984, tf_eip = -266625792, tf_cs = 8, tf_eflags = 66198, 
      tf_esp = 0, tf_ss = 0}) at ../../i386/i386/trap.c:311
(kgdb) up
#5  0xf01be5c1 in calltrap ()
(kgdb) up
#6  0xf01b4095 in kmem_malloc (map=0xf025c064, size=4096, waitflag=1)
    at ../../vm/vm_kern.c:333
(kgdb) print offset
$2 = 47677440
(kgdb) set radix 16
Input and output radices now set to decimal 16, hex 10, octal 20.
(kgdb) print offset
$3 = 0x2d78000
(kgdb) print kmem_object
$4 = (struct vm_object *) 0xf0200b34
(kgdb) print *kmem_object
$5 = {object_list = {tqe_next = 0xf09b2a00, tqe_prev = 0xf0200ab4}, 
  cached_list = {tqe_next = 0x0, tqe_prev = 0x0}, shadow_head = {
    tqh_first = 0x0, tqh_last = 0xf0200b44}, shadow_list = {tqe_next = 0x0, 
    tqe_prev = 0x0}, memq = {tqh_first = 0xf025f998, tqh_last = 0xf028cd30}, 
  type = OBJT_DEFAULT, size = 0xfc41, ref_count = 0x6, shadow_count = 0x0, 
  pg_color = 0x5, flags = 0x0, paging_in_progress = 0x0, behavior = 0x0, 
  resident_page_count = 0x38a, paging_offset = 0x0000000000000000, 
  backing_object = 0x0, backing_object_offset = 0x0000000000000000, 
  last_read = 0x0, page_hint = 0xf028cd20, pager_object_list = {
    tqe_next = 0x0, tqe_prev = 0x0}, handle = 0x0, un_pager = {vnp = {
      vnp_size = 0x0000000000000000}, devp = {devp_pglist = {tqh_first = 0x0, 
        tqh_last = 0x0}}, swp = {swp_nblocks = 0x0, swp_allocsize = 0x0, 
      swp_blocks = 0x0, swp_poip = 0x0}}}
(kgdb) print i
$6 = 0x1
(kgdb) print size
$7 = 0xffffffff
(kgdb) up
#7  0xf010b16f in malloc (size=0x94, type=0x5, flags=0x1)
    at ../../kern/kern_malloc.c:145
(kgdb) print npg
$8 = 0x1
(kgdb) down
#6  0xf01b4095 in kmem_malloc (map=0xf025c064, size=0x1000, waitflag=0x1)
    at ../../vm/vm_kern.c:333
(kgdb) print size
$9 = 0xffffffff
(kgdb) bt
#0  boot (howto=0x100) at ../../kern/kern_shutdown.c:237
#1  0xf010ea62 in panic (fmt=0xf01c5631 "page fault")
    at ../../kern/kern_shutdown.c:361
#2  0xf01c618e in trap_fatal (frame=0xefbffce8) at ../../i386/i386/trap.c:741
#3  0xf01c5c7c in trap_pfault (frame=0xefbffce8, usermode=0x0)
    at ../../i386/i386/trap.c:652
#4  0xf01c5963 in trap (frame={tf_es = 0xf0250010, tf_ds = 0xf2d30010, 
      tf_edi = 0xffffffff, tf_esi = 0x1, tf_ebp = 0xefbffd30, 
      tf_isp = 0xefbffd10, tf_ebx = 0x0, tf_edx = 0x0, tf_ecx = 0xc, 
      tf_eax = 0x0, tf_trapno = 0xc, tf_err = 0xf01b0000, tf_eip = 0xf01b9d00, 
      tf_cs = 0x8, tf_eflags = 0x10296, tf_esp = 0x0, tf_ss = 0x0})
    at ../../i386/i386/trap.c:311
#5  0xf01be5c1 in calltrap ()
#6  0xf01b4095 in kmem_malloc (map=0xf025c064, size=0x1000, waitflag=0x1)
    at ../../vm/vm_kern.c:333
#7  0xf010b16f in malloc (size=0x94, type=0x5, flags=0x1)
    at ../../kern/kern_malloc.c:145
#8  0xf0148ade in rtrequest (req=0x1, dst=0xf2d3615c, gateway=0xf2d3616c, 
    netmask=0xf2d3617c, flags=0x3, ret_nrt=0xefbffe1c) at ../../net/route.c:515
#9  0xf014957d in route_output (m=0xf19b7580, so=0xf2cb5700)
    at ../../net/rtsock.c:197
#10 0xf01482ce in raw_usrreq (so=0xf2cb5700, req=0x9, m=0xf19b7580, nam=0x0, 
    control=0x0) at ../../net/raw_usrreq.c:257
#11 0xf014930a in route_usrreq (so=0xf2cb5700, req=0x9, m=0xf19b7580, nam=0x0, 
    control=0x0) at ../../net/rtsock.c:115
#12 0xf0122f55 in old_send (so=0xf2cb5700, flags=0x0, m=0xf19b7580, addr=0x0, 
    control=0x0) at ../../kern/uipc_socket2.c:871
#13 0xf0120e56 in sosend (so=0xf2cb5700, addr=0x0, uio=0xefbfff34, 
    top=0xf19b7580, control=0x0, flags=0x0) at ../../kern/uipc_socket.c:461
#14 0xf01181b5 in soo_write (fp=0xf2cb9080, uio=0xefbfff34, cred=0xf09b2a80)
    at ../../kern/sys_socket.c:82
#15 0xf0115c83 in write (p=0xf2c7a600, uap=0xefbfff94, retval=0xefbfff84)
    at ../../kern/sys_generic.c:263
#16 0xf01c6427 in syscall (frame={tf_es = 0xb0027, tf_ds = 0xb0027, 
      tf_edi = 0x0, tf_esi = 0xb7348, tf_ebp = 0xefbfd85c, 
      tf_isp = 0xefbfffe4, tf_ebx = 0xa54a4, tf_edx = 0xad678, 
      tf_ecx = 0xb7348, tf_eax = 0x4, tf_trapno = 0x7, tf_err = 0x7, 
      tf_eip = 0x8108d81, tf_cs = 0x1f, tf_eflags = 0x246, 
      tf_esp = 0xefbfd840, tf_ss = 0x27}) at ../../i386/i386/trap.c:891
#17 0xf01be615 in Xsyscall ()
#18 0xfa39 in ?? ()
#19 0xfeda in ?? ()
#20 0xa839 in ?? ()
#21 0xb0a9 in ?? ()
#22 0x2760d in ?? ()
#23 0x300ba in ?? ()
#24 0x1096 in ?? ()
(kgdb) 

This could explain frequent panics we are seeing on these machines and the
fact we do not see these with leased line routers, only dialup routers;
route changes occur much more frequently on dialup modems.

This is timing related; it happens at different frequency with different
hardware.  Faster machines may crash more often.  Using default TTYHOG and
RS_IBUF_SIZE values instead of the 4-fold values I have been using, the
frequency of panics increases.  I tried experimenting with different values
but I could not find a clear pattern.

>How-To-Repeat:

Build a terminal server with lots of ports.

>Fix:

It seems that ~16 modems is a relatively safe figure; the more ports, the
more problems.

>Release-Note:
>Audit-Trail:

From: Heikki Suonsivu <hsu@clinet.fi>
To: freebsd-gnats-submit@freebsd.org
Cc: hsu@clinet.fi
Subject: kern/1726 panic in kmem_malloc (dump available)
Date: Sat, 28 Mar 1998 04:37:37 +0200 (EET)

 This might be related to the double panic problem with the same hosts.  I
 haven't seen this exact symptom often, but the computers keep panicking with
 unchanged frequency.
 
 Studded@dal.net writes:
  > Greetings, :)
  > 
  > 	I am writing to you in regards to your FreeBSD Problem
  > Report. The FreeBSD project is currently conducting a beta test on
  > version 2.2.6 and feedback as to whether you are still experiencing
  > your problem would be very valuable. 
  > 
  > 	If you are still experiencing the problem you reported, it
  > would help the project track the problem if you could upgrade to the
  > latest snapshot of 2.2.6-Beta (located at releng22.freebsd.org) and
  > test your problem again. 
  > 
  > 	If you have any feedback regarding this Problem Report,
  > whether you are still experiencing the problem or whether the PR can
  > be closed, please mail your response to
  > freebsd-gnats-submit@freebsd.org. Please do not respond directly to
  > me. I am merely a humble volunteer and have no official connection to
  > the FreeBSD project. Therefore I cannot make any changes to the status
  > of your Problem Report. It is also very important that you include 
  > the category and number of your Problem Report (kern/1726)
  > in the subject line of your response.
  > 
  > 	Another option if you need a refresher on the details of your
  > problem or would like to submit a followup is to use the web page
  > interface and look up your PR by number.
  > http://www.freebsd.org/cgi/query-pr-summary.cgi
  > 
  > 	Thank you for helping to make this the greatest release of
  > FreeBSD ever.
  > 
  > Doug
  > 
  > 
  > -- 
  > ***         Chief Operations Officer, DALnet IRC network       ***
  > *** Proud operator, designer and maintainer of the world's largest
  > *** Internet Relay Chat server.  5,328 clients and still growing.
  > *** Try spider.dal.net on ports 6662-4    (Powered by FreeBSD)
  > 
State-Changed-From-To: open->closed 
State-Changed-By: peter 
State-Changed-When: Mon Sep 25 13:03:51 PDT 2000 
State-Changed-Why:  
This trace looks suspiciously like the old pppd vs tty spl 
re-entrancy problems and should have been fixed for a while.  On -current 
it should be academic now. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=1726 
>Unformatted:
