From scrappy@hub.org  Thu Feb  6 23:06:31 2003
Return-Path: <scrappy@hub.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6B82C37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  6 Feb 2003 23:06:31 -0800 (PST)
Received: from hub.org (hub.org [64.49.215.141])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DFB3F43FAF
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  6 Feb 2003 23:06:30 -0800 (PST)
	(envelope-from scrappy@hub.org)
Received: by hub.org (Postfix, from userid 1002)
	id E30178A23B8; Fri,  7 Feb 2003 03:06:27 -0400 (AST)
Message-Id: <20030207070627.E30178A23B8@hub.org>
Date: Fri,  7 Feb 2003 03:06:27 -0400 (AST)
From: Marc G.Fournier <scrappy@hub.org>
Reply-To: Marc G.Fournier <scrappy@hub.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Fatal trap 12: page fault while in kernel mode
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         48029
>Category:       kern
>Synopsis:       Fatal trap 12: page fault while in kernel mode
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 06 23:10:03 PST 2003
>Closed-Date:    Thu Jul 15 20:41:02 GMT 2004
>Last-Modified:  Thu Jul 15 20:41:02 GMT 2004
>Originator:     Marc G. Fournier
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
Hub.Org Networking Services (http://www.hub.org)
>Environment:
System: FreeBSD hub.org 4.7-STABLE FreeBSD 4.7-STABLE #30: Sat Feb 1 23:55:13 CST 2003 root@venus.hub.org:/usr/obj/usr/src/sys/kernel i386
>Description:

SMP 2 cpus
IdlePTD at phsyical address 0x002dd000
initial pcb at physical address 0x00257c00
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
mp_lock = 01000002; cpuid = 1; lapic.id = 01000000
fault virtual address   = 0x0
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc01fe4f6
stack pointer           = 0x10:0xea667c04
frame pointer           = 0x10:0xea667c30
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 5 (syncer)
interrupt mask          = none <- SMP: XXX
trap number             = 12
panic: page fault
mp_lock = 01000002; cpuid = 1; lapic.id = 01000000
boot() called on cpu#1


...


(kgdb) where
#0  0xc7c11256 in ?? ()
#1  0xc014e46c in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:223
#2  0xc014eb91 in panic (fmt=0xc022fc99 "%s") at /usr/src/sys/kern/kern_shutdown.c:595
#3  0xc01ffb29 in trap_fatal (frame=0xea667bc4, eva=0) at /usr/src/sys/i386/i386/trap.c:974
#4  0xc01ff795 in trap_pfault (frame=0xea667bc4, usermode=0, eva=0) at /usr/src/sys/i386/i386/trap.c:867
#5  0xc01ff2ef in trap (frame={tf_fs = -932970472, tf_es = -735379440, tf_ds = -735379440, tf_edi = -618967040, tf_esi = 0, tf_ebp = -362382288,
      tf_isp = -362382352, tf_ebx = 8192, tf_edx = -618967040, tf_ecx = 2048, tf_eax = -618967040, tf_trapno = 12, tf_err = 0, tf_eip = -1071651594,
      tf_cs = 8, tf_eflags = 66054, tf_esp = -362382048, tf_ss = -362382076}) at /usr/src/sys/i386/i386/trap.c:466
#6  0xc01fe4f6 in generic_bcopy ()
#7  0xc01be0c1 in ffs_write (ap=0xea667cc8) at /usr/src/sys/ufs/ufs/ufs_readwrite.c:531
#8  0xc7e8fd59 in ?? ()
#9  0xc01d51a4 in vnode_pager_generic_putpages (vp=0xecdb5380, m=0xea667de4, bytecount=8192, flags=12, rtvals=0xea667db0) at vnode_if.h:363
#10 0xc7e8fbca in ?? ()
#11 0xc01d4fc6 in vnode_pager_putpages (object=0xee2b5240, m=0xea667de4, count=2, sync=12, rtvals=0xea667db0) at vnode_if.h:1147
#12 0xc01d1f0b in vm_pageout_flush (mc=0xea667de4, count=2, flags=12) at /usr/src/sys/vm/vm_pager.h:147
#13 0xc01cee8b in vm_object_page_collect_flush (object=0xee2b5240, p=0xc1dd35f4, curgeneration=175, pagerflags=12) at /usr/src/sys/vm/vm_object.c:806
#14 0xc01cea69 in vm_object_page_clean (object=0xee2b5240, start=0, end=0, flags=4) at /usr/src/sys/vm/vm_object.c:605
#15 0xc017e4fc in vfs_msync (mp=0xc9931600, flags=2) at /usr/src/sys/kern/vfs_subr.c:2710
#16 0xc017e8ca in sync_fsync (ap=0xea667f7c) at /usr/src/sys/kern/vfs_subr.c:2971
#17 0xc017cbb3 in sched_sync () at vnode_if.h:558
(kgdb) up 5
#5  0xc01ff2ef in trap (frame={tf_fs = -932970472, tf_es = -735379440, tf_ds = -735379440, tf_edi = -618967040, tf_esi = 0, tf_ebp = -362382288,
      tf_isp = -362382352, tf_ebx = 8192, tf_edx = -618967040, tf_ecx = 2048, tf_eax = -618967040, tf_trapno = 12, tf_err = 0, tf_eip = -1071651594,
      tf_cs = 8, tf_eflags = 66054, tf_esp = -362382048, tf_ss = -362382076}) at /usr/src/sys/i386/i386/trap.c:466
466                             (void) trap_pfault(&frame, FALSE, eva);
(kgdb) frame frame->tf_ebp frame->tf_eip
#0  0xc01fe4f6 in generic_bcopy ()
(kgdb) list
461     kernel_trap:
462                     /* kernel trap */
463
464                     switch (type) {
465                     case T_PAGEFLT:                 /* page fault */
466                             (void) trap_pfault(&frame, FALSE, eva);
467                             return;
468
469                     case T_DNA:
470     #if NNPX > 0
(kgdb) up
#1  0x31372000 in ?? ()
(kgdb) up
#2  0xc01be0c1 in ffs_write (ap=0xea667cc8) at /usr/src/sys/ufs/ufs/ufs_readwrite.c:531
warning: Source file is more recent than executable.

531                     error =
(kgdb) list
526
527                     size = BLKSIZE(fs, ip, lbn) - bp->b_resid;
528                     if (size < xfersize)
529                             xfersize = size;
530
531                     error =
532                         uiomove((char *)bp->b_data + blkoffset, (int)xfersize, uio);
533                     if ((ioflag & (IO_VMIO|IO_DIRECT)) &&
534                         (LIST_FIRST(&bp->b_dep) == NULL)) {
535                             bp->b_flags |= B_RELBUF;

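As an added example, not part of this PR, the following Python helper parses a FreeBSD "Fatal trap" message like the one above, converts the signed 32-bit register values that kgdb prints for the trap frame back into kernel addresses, and cross-checks the frame against the panic text (this PR's case: a fault on address 0x0, supervisor read, CS selector 8, from the syncer). The sample inputs are constructed from the lines in this report.

```python
import re

# Constructed sample: the trap lines from this PR's panic message.
PANIC_TEXT = """\
Fatal trap 12: page fault while in kernel mode
mp_lock = 01000002; cpuid = 1; lapic.id = 01000000
fault virtual address   = 0x0
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc01fe4f6
stack pointer           = 0x10:0xea667c04
frame pointer           = 0x10:0xea667c30
current process         = 5 (syncer)
trap number             = 12
"""

# Constructed sample: a subset of the kgdb trap frame from 'where' above.
KGDB_FRAME = ("tf_ebp = -362382288, tf_trapno = 12, tf_err = 0, "
              "tf_eip = -1071651594, tf_cs = 8, tf_eflags = 66054")

def parse_trap(text):
    """Turn the 'key = value' lines of a trap message into a dict."""
    out = {}
    m = re.search(r"Fatal trap (\d+): (.+)", text)
    if m:
        out["trap"], out["description"] = int(m.group(1)), m.group(2).strip()
    for key, val in re.findall(r"^([a-z][a-z ]*?)\s*= (.+)$", text, re.M):
        out[key.strip()] = val.strip()
    return out

def to_u32(signed):
    """kgdb prints i386 trap-frame registers as signed ints; recover the address."""
    return signed & 0xFFFFFFFF

def parse_frame(frame_text):
    """Extract tf_* fields from the frame= text kgdb prints in a backtrace."""
    return {k: int(v) for k, v in re.findall(r"(tf_\w+) = (-?\d+)", frame_text)}

def triage(trap, frame):
    """Check that the panic message and the kgdb frame describe the same fault."""
    ip = int(trap["instruction pointer"].split(":")[1], 16)
    fp = int(trap["frame pointer"].split(":")[1], 16)
    return {
        "eip_matches_frame": to_u32(frame["tf_eip"]) == ip,
        "ebp_matches_frame": to_u32(frame["tf_ebp"]) == fp,
        "trapno_matches": frame["tf_trapno"] == trap["trap"],
        "kernel_mode": (frame["tf_cs"] & 3) == 0,        # RPL bits of CS are 0
        "interrupts_enabled": bool(frame["tf_eflags"] & 0x200),  # IF bit
        "null_deref": int(trap["fault virtual address"], 16) < 0x1000,
        "process": trap["current process"],
    }
```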
>How-To-Repeat:
	
>Fix:

	


>Release-Note:
>Audit-Trail:

From: David Schultz <dschultz@uclink.Berkeley.EDU>
To: "Marc G.Fournier" <scrappy@hub.org>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/48029: Fatal trap 12: page fault while in kernel mode
Date: Mon, 10 Feb 2003 03:15:07 -0800

 Hmm...if my understanding is correct, it shouldn't be making that
 bcopy at all from the syncer daemon.  Can you please show me that
 uio structure (and maybe bp, too) in ffs_write()?  Is this problem
 reproduceable, and did it happen with kernels from before December
 31st?  I will see if I can figure out what is going on this
 weekend, but I'm no Matt Dillon, so there are no guarantees.

From: "Marc G. Fournier" <scrappy@hub.org>
To: David Schultz <dschultz@uclink.Berkeley.EDU>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/48029: Fatal trap 12: page fault while in kernel mode
Date: Mon, 10 Feb 2003 16:06:57 -0400 (AST)

 On Mon, 10 Feb 2003, David Schultz wrote:
 
 > Hmm...if my understanding is correct, it shouldn't be making that
 > bcopy at all from the syncer daemon.  Can you please show me that
 > uio structure (and maybe bp, too) in ffs_write()?  Is this problem
 > reproducible, and did it happen with kernels from before December
 > 31st?  I will see if I can figure out what is going on this
 > weekend, but I'm no Matt Dillon, so there are no guarantees.
 
 If I've done this wrong, please say so, but:
 
 (kgdb) print *uio
 $2 = {uio_iov = 0xea667d04, uio_iovcnt = 1, uio_offset = 0, uio_resid = 8192, uio_segflg = UIO_SYSSPACE, uio_rw = UIO_WRITE, uio_procp = 0x0}
 
 and
 
 (kgdb) print *bp
 $4 = {b_hash = {le_next = 0xd40eecec, le_prev = 0xd434485c}, b_vnbufs = {tqe_next = 0x0, tqe_prev = 0xece7a7ec}, b_freelist = {tqe_next = 0x0, tqe_prev = 0xc02429e0}, b_act = {tqe_next = 0x0, tqe_prev = 0xc76b84b4}, b_flags = 536870944,
   b_qindex = 0, b_xflags = 2 '\002', b_lock = {lk_interlock = {lock_data = 0}, lk_flags = 1024, lk_sharecount = 0, lk_waitcount = 0, lk_exclusivecount = 1, lk_prio = 20, lk_wmesg = 0xc02186f0 "bufwait", lk_timo = 0, lk_lockholder = 5},
   b_error = 0, b_bufsize = 8192, b_runningbufspace = 0, b_bcount = 8192, b_resid = 0, b_dev = 0xffffffff, b_data = 0xdb1b5000 "", b_kvabase = 0xdb1b5000 "", b_kvasize = 16384, b_lblkno = 0, b_blkno = 58729680, b_offset = 0, b_iodone = 0,
   b_iodone_chain = 0x0, b_vp = 0xece7a7c0, b_dirtyoff = 0, b_dirtyend = 0, b_rcred = 0x0, b_wcred = 0x0, b_pblkno = 49481871, b_saveaddr = 0x0, b_driver1 = 0x0, b_driver2 = 0x0, b_caller1 = 0x0, b_caller2 = 0x0, b_pager = {pg_spc = 0x0,
     pg_reqpage = 0}, b_cluster = {cluster_head = {tqh_first = 0xd41a1db8, tqh_last = 0xd411bd64}, cluster_entry = {tqe_next = 0xd41a1db8, tqe_prev = 0xd411bd64}}, b_pages = {0xc1c9abec, 0xc1d37528, 0x0 <repeats 30 times>}, b_npages = 2, b_dep = {
     lh_first = 0x0}, b_chain = {parent = 0x0, count = 0}}
 
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Thu Jul 15 20:40:44 GMT 2004 
State-Changed-Why:  
This appears to be identical to kern/52745. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48029 
>Unformatted:
