freebsd stable - Aug 2005 - 6.0-BETA1 LOR vm_fault: fault on nofault entry

kgdb -c /usr/crash/vmcore.25 kernel.debug
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so:
Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i386-marcel-freebsd".
#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r"
(td));
(kgdb) where full
#0  doadump () at pcpu.h:165
No locals.
#1  0xc0541228 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:397
        first_buf_printf = 1
#2  0xc0541586 in panic (
    fmt=0xc0723a06 "vm_fault: fault on nofault entry, addr: %lx")
    at /usr/src/sys/kern/kern_shutdown.c:553
        td = (struct thread *) 0xc47c7300
        bootopt = 260
        newpanic = 0
        ap = 0xeb0a8834 ""
        buf = "vm_fault: fault on nofault entry, addr: deadc000",
'\0' <repeats 207 times>
#3  0xc066d299 in vm_fault (map=0xc1060000, vaddr=3735928832,
    fault_type=1 '\001', fault_flags=0) at
/usr/src/sys/vm/vm_fault.c:277
        queue = -559038464
        prot = 7 '\a'
        is_first_object_locked = 2
        result = -559038464
        growstack = 1
        wired = 0
        map_generation = 1
        next_object = 0xdeadc000
        marray = {0xc056b650, 0xc078e918, 0xc078edf0, 0x4e, 0x4e8904,
  0xc07aed60, 0x2, 0x0, 0xeb0a8914, 0xc056b5e7, 0xc078ee18, 0xc078edf0,
  0xc056b5e7, 0x1120, 0xc07aef00, 0x2}
        hardfault = 0
        faultcount = -991025104
        fs = {m = 0x0, object = 0x0, pindex = 13859465361936255180,
  first_m = 0xc078ea30, first_object = 0x0, first_pindex = 736,
  map = 0xc1042180, entry = 0xc105fe14, lookup_still_valid = 0,
  vp = 0xeb0a88f0}
#4  0xc06cb4e7 in trap_pfault (frame=0xeb0a898c, usermode=0, eva=3735929054)
    at /usr/src/sys/i386/i386/trap.c:741
        va = 3735928832
        vm = (struct vmspace *) 0x0
        map = 0xc1060000
        rv = 1
        ftype = 1 '\001'
        td = (struct thread *) 0xc47c7300
        p = (struct proc *) 0xc4ee2830
#5  0xc06cb177 in trap (frame      {tf_fs = -1068302328, tf_es = -1065877464,
tf_ds = 40, tf_edi = -1056695968, tf_esi = -1014770176, tf_ebp = -351630884,
tf_isp = -351630920, tf_ebx = -559038242, tf_edx = 0, tf_ecx = -998579968,
tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1067957036, tf_cs = 32,
tf_eflags = 66182, tf_esp = -351630868, tf_ss = -1068062756}) at
/usr/src/sys/i386/i386/trap.c:442
        td = (struct thread *) 0xc47c7300
        p = (struct proc *) 0xc4ee2830
        sticks = 3228637104
        i = 0
        ucode = 0
        type = 12
        code = 0
        eva = 3735929054
#6  0xc06b767a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
No locals.
#7  0xc0530008 in ktrace (td=0xc383d600, uap=0xc383d600)
    at /usr/src/sys/kern/kern_ktrace.c:530
        vp = (struct vnode *) 0x0
        p = (struct proc *) 0xc383d600
        pg = (struct pgrp *) 0xdeadc0de
        facs = -559038242
        ops = -1056695968
        descend = -351630980
        nfound = -559038242
        ret = 0
        flags = 0
        error = -351630964
        nd = {
  ni_dirp = 0xc1041960 "\017fq??C\004??C\004?
\035\004??C\004?<:??",
  ni_segflg = 3943336412, ni_startdir = 0xc06b767a, ni_rootdir = 0xc0530008,
  ni_topdir = 0xc0780028, ni_vp = 0x28, ni_dvp = 0xc1041960,
  ni_pathlen = 3280197120, ni_next = 0xeb0a89dc "?\211\n?\003gS?",
  ni_loopcnt = 3943336376, ni_cnd = {cn_nameiop = 3735929054, cn_flags = 0,
    cn_thread = 0xc47ae100, cn_cred = 0x0, cn_lkflags = 12, cn_pnbuf = 0x0,
    cn_nameptr = 0xc05844d4
"\213\003\205?t\022\211D$\004\2114$?a???\213\003\205?u?\211\\$\004\2114$?O???\203?\b[^]?U\211?VS\203?\b\213u\b\213F,\205?t\033\213\030?@\005\b>u\f\211D$\004\2114$?!???\211?\205?u?\203?\b[^]?U\211?S\203?\004\213U\b\213M\f\213]\020\213E\024\205?>u\f?\004$?eq??????\205?>u\t\213R,?\006\211??
\213\020\205?t\0259J\b>u\t\017?B\0049?.t?\213\022\205?u??", cn_namelen =
32,
    cn_consume = 66182}}
        cred = (struct ucred *) 0xdeadc0de
#8  0xc0536703 in mb_dtor_mbuf (mem=0xc056a7dc, size=0, arg=0x0)
    at /usr/src/sys/kern/kern_mbuf.c:244
No locals.
#9  0xc0669e37 in uma_zfree_arg (zone=0xeb0a8a94, item=0xc383d600, udata=0x0)
    at /usr/src/sys/vm/uma_core.c:2279
        keg = 0xc10443c0
        cache = 0xc383d600
        bucket = 0xdeadc0de
        bflags = 0
        cpu = 0
#10 0xc0582177 in m_freem (mb=0x0) at uma.h:303
No locals.
#11 0xc05c7058 in arpresolve (ifp=0xc368d000, rt0=0xc4c5f108, m=0xc3af7700,
    dst=0xeb0a8af4, desten=0xeb0a8a94 "?\212\n?\n\206]?")
    at /usr/src/sys/netinet/if_ether.c:442
        la = (struct llinfo_arp *) 0xc47ae100
        sdl = (struct sockaddr_dl *) 0xc469d310
        error = -999697648
        rt = (struct rtentry *) 0xc4c5f108
#12 0xc05bdc11 in ether_output (ifp=0xc368d000, m=0xc3af7700, dst=0xeb0a8af4,
    rt0=0x0) at /usr/src/sys/net/if_ethersubr.c:173
        type = -15512
        error = 50
        hdrcmplt = 0
        esrc = "\024\000\000\000K"
        edst = "?\212\n?\n\206"
        eh = (struct ether_header *) 0x32
        loop_copy = 0
        __func__ = "ether_output"
#13 0xc05d8093 in ip_output (m=0xc3af7700, opt=0xc3af77b0, ro=0xeb0a8af0,
    flags=0, imo=0x0, inp=0xc3b63870) at /usr/src/sys/netinet/ip_output.c:772
        ip = (struct ip *) 0xc3af77b0
        ifp = (struct ifnet *) 0xc368d000
        m0 = (struct mbuf *) 0xc3af77b0
        hlen = 20
        len = -1065554452
        error = 0
        dst = (struct sockaddr_in *) 0xeb0a8af4
        ia = (struct in_ifaddr *) 0xc3942300
        isbroadcast = 0
        sw_csum = 1
        iproute = {ro_rt = 0xc4c5f108, ro_dst = {sa_len = 16 '\020',
    sa_family = 2 '\002',
    sa_data = "\000\000?\020\000l\000\000\000\000\000\000\000"}}
        odst = {s_addr = 1}
        __func__ = "ip_output"
#14 0xc05e9bc2 in udp_output (inp=0xc3b63870, m=0xc3af7700, addr=0xc384c6e0,
    control=0x0, td=0xc47c7300) at /usr/src/sys/netinet/udp_usrreq.c:874
        ui = (struct udpiphdr *) 0xc3af77b0
        len = 50
        faddr = {s_addr = 1811943596}
        laddr = {s_addr = 2130710700}
        cm = (struct cmsghdr *) 0xc3af77b0
        src = {sin_len = 0 '\0', sin_family = 119 'w', sin_port
= 50095,
  sin_addr = {s_addr = 0}, sin_zero = "4\214\n??\214\n?"}
        error = 55
        ipflags = 0
        fport = 41216
        lport = 41701
        unlock_udbinfo = 1
        __func__ = "udp_output"
#15 0xc05ea368 in udp_send (so=0x0, flags=0, m=0x0, addr=0x0, control=0x0,
    td=0x0) at /usr/src/sys/netinet/udp_usrreq.c:1051
        inp = (struct inpcb *) 0x0
#16 0xc0585e0e in sosend (so=0xc3b62858, addr=0xc384c6e0, uio=0xeb0a8c34,
    top=0xc3af7700, control=0x0, flags=0, td=0xc47c7300)
    at /usr/src/sys/kern/uipc_socket.c:829
        mp = (struct mbuf **) 0xc3af7700
        m = (struct mbuf *) 0xc3af7700
        space = 9166
        len = 50
        resid = 0
        clen = -1011910912
        error = 0
        dontroute = 0
        atomic = 1
        cow_send = 0
#17 0xc058c08e in kern_sendit (td=0xc47c7300, s=3, mp=0xeb0a8cb4, flags=0,
    control=0x0, segflg=UIO_USERSPACE) at /usr/src/sys/kern/uipc_syscalls.c:772
        fp = (struct file *) 0xc4c0a3a8
        auio = {uio_iov = 0xeb0a8cac, uio_iovcnt = 1, uio_offset = 50,
  uio_resid = 0, uio_segflg = UIO_USERSPACE, uio_rw = UIO_WRITE,
  uio_td = 0xc47c7300}
        iov = (struct iovec *) 0x0
        so = (struct socket *) 0xc3b62858
        i = 0
        len = 50
        error = 0
        ktruio = (struct uio *) 0x0
#18 0xc058bf33 in sendit (td=0x0, s=0, mp=0xeb0a8cb4, flags=0)
    at /usr/src/sys/kern/uipc_syscalls.c:712
        control = (struct mbuf *) 0x0
        to = (struct sockaddr *) 0xc384c6e0
        error = 0
        __func__ = "sendit"
#19 0xc058c211 in sendto (td=0x0, uap=0x0)
    at /usr/src/sys/kern/uipc_syscalls.c:830
        msg = {msg_name = 0xc384c6e0, msg_namelen = 16, msg_iov = 0xeb0a8cac,
  msg_iovlen = 1, msg_control = 0x0, msg_controllen = 0, msg_flags = 0}
        aiov = {iov_base = 0x813f800, iov_len = 0}
        error = 0
#20 0xc06cbb6f in syscall (frame      {tf_fs = 59, tf_es = 135004219, tf_ds =
-1078001605, tf_edi = 134635648, tf_esi = -1, tf_ebp = -1077942664, tf_isp =
-351629980, tf_ebx = 672105172, tf_edx = 0, tf_ecx = 0, tf_eax = 133, tf_trapno
= 12, tf_err = 2, tf_eip = 673781315, tf_cs = 51, tf_eflags = 642, tf_esp =
-1077942740, tf_ss = 59})
    at /usr/src/sys/i386/i386/trap.c:986
        params = 0xbfbfe630 <Address 0xbfbfe630 out of bounds>
        callp = (struct sysent *) 0xc07416fc
        td = (struct thread *) 0xc47c7300
        p = (struct proc *) 0xc4ee2830
        orig_tf_eflags = 642
        sticks = 26
        error = 0
        narg = 6
        args = {3, 135526350, 50, 0, 135544208, 16, 26, -991025104}
        code = 133

On Mon, Aug 01, 2005 at 05:51:49AM +0200, Evgueni V. Gavrilov wrote:

EVG> #14 0xc05e9bc2 in udp_output (inp=0xc3b63870, m=0xc3af7700,
addr=0xc384c6e0,
EVG>     control=0x0, td=0xc47c7300) at /usr/src/sys/netinet/udp_usrreq.c:874
EVG>         ui = (struct udpiphdr *) 0xc3af77b0
EVG>         len = 50
EVG>         faddr = {s_addr = 1811943596}
EVG>         laddr = {s_addr = 2130710700}
EVG>         cm = (struct cmsghdr *) 0xc3af77b0
EVG>         src = {sin_len = 0 '\0', sin_family = 119 'w',
sin_port = 50095,
EVG>   sin_addr = {s_addr = 0}, sin_zero = "4\214\n??\214\n?"}
EVG>         error = 55
^^^^^^^^^^^^^^^^^^^^^^^
EVG>         ipflags = 0
EVG>         fport = 41216
EVG>         lport = 41701
EVG>         unlock_udbinfo = 1
EVG>         __func__ = "udp_output"

sorry, I forgot to point out netstat -m

# netstat -m
259/1149/1408 mbufs in use (current/cache/total)
256/847/1103/25600 mbuf clusters in use (current/cache/total/max)
0/5/6656 sfbufs in use (current/peak/max)
576K/1981K/2558K bytes allocated to network (current/cache/total)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
0 calls to protocol drain routines

On Mon, Aug 01, 2005 at 05:51:49AM +0200, Evgueni V. Gavrilov
wrote:
> kgdb -c /usr/crash/vmcore.25 kernel.debug
> [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so:
Undefined symbol "ps_pglobal_lookup"]
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you
are
> welcome to change it and/or distribute copies of it under certain
conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty"
for details.
> This GDB was configured as "i386-marcel-freebsd".
> #0  doadump () at pcpu.h:165
> 165             __asm __volatile("movl %%fs:0,%0" :
"=r" (td));
> (kgdb) where full
> #0  doadump () at pcpu.h:165
> No locals.
> #1  0xc0541228 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:397
>         first_buf_printf = 1
> #2  0xc0541586 in panic (
>     fmt=0xc0723a06 "vm_fault: fault on nofault entry, addr: %lx")
>     at /usr/src/sys/kern/kern_shutdown.c:553
>         td = (struct thread *) 0xc47c7300
>         bootopt = 260
>         newpanic = 0
>         ap = 0xeb0a8834 ""
>         buf = "vm_fault: fault on nofault entry, addr: deadc000",
'\0' <repeats 207 times>
This is a panic, not a lock order reversal.

Kris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20050801/1e217259/attachment.bin