On Monday 18 July 2011, Insan Praja SW wrote:
> Hi,
> The machine repeatedly panic with the following;
>
> uvm_fault(0xd09fe5e0, 0xefffa000, 0, 1) ->d
> kernel: page fault trap, code=0
> Stopped at tcp_input+0x44a: mvzbl 0xad(%edi),%eax
> ddb{0}> trace
> tcp_input(d8865400,14,0,0,0) at tcp_input+0x44a
> ipv4_input(d8865400,6,de6f4ef4,d0203776) at ipv4_input+0x568
> ipintr(d0203776,d2f5b5c0,de6f4f14md057442f,0) at ipintr+0x73
> netintr(0,282,0,0,d020226e) at netintr+0xc5
> softintr_dispatch(1) at softintr_dispatch+0x4f
> Xsodtnet() at Xsoftnet+0x17
> --- interrupt ---
> cpu_idle_cycle(d0adb7e0) at cpu_idle_cycle+0xf
> Bad frame pointer: 0xd0b91e48
> ddb{0}>ps
> PID PPID PGTP OID FLAGS
> WAIT COMMAND
> 18737 1 18737 0 3 0x80
> nanosleep symon
> 4255 23487 23487 85 3 0x80
> kqread ospfd
> 5985 23487 23487 85 3 0x80
> kqread ospfd
> 23487 1 23487 0 3 0x80
> kqread ospfd
> 22766 1 22766 0 3 0x80
> select sendmail
> 13936 1 1 0 3 0x80
> ttyopn getty
> 26878 1 26878 0 3 0x80
> ttyin getty
> 24454 1 24454 0 3 0x80
> ttyin getty
> 21950 1 21950 0 3 0x80
> ttyin getty
> 8274 1 8274 0 3 0x80
> ttyin getty
> 2724 1 2724 0 3 0x80
> ttyin getty
> 24163 1 24163 0 3 0x80
> ttyin getty
> 4240 1 4240 0 3 0x80
> select cron
> 32715 1 32715 0 3 0x80
> select inetd
> 26962 8165 8165 75 3 0x80
> poll bgpd
> 11339 8165 8165 75 3 0x80
> poll bgpd
> 8165 1 8165 0 3 0x80
> poll bgpd
> 9743 11870 11870 90 3 0x80
> kqread ldpd
> 26437 11870 11870 90 3 0x80
> kqread ldpd
> 11870 1 11870 0 3 0x80
> kqread ldpd
> 30235 14883 14883 91 3 0x80
> kqread snmpd
> --db_more--
>
> I was trying to capture more of "ps" output, but the phone keep ringing so
> this is most of it. /var/crash/ is empty.
>
> Trying to identified the panic by following FAQ with the following result;
>
>
> # cd /usr/src/sys/arch/i386/compile/GENERIC.MP/
> # rm tcp_input.o
> # make DEBUG=-g tcp_input.o
> # objdump --line --disassemble --reloc tcp_input.o >tcp_input.dis
> # grep "<tcp_input>:" tcp_input.dis
> 00003550 <tcp_input>:
>
> 0x03550 + 0x44a = 399A
>
>
> ../../../../netinet/tcp_input.c:662
> 3977: c7 85 38 ff ff ff 00 movl $0x0,0xffffff38(%ebp)
> 397e: 00 00 00
> 3981: 66 c7 85 4a ff ff ff movw $0x0,0xffffff4a(%ebp)
> 3988: 00 00
> 398a: c7 85 4c ff ff ff 00 movl $0x0,0xffffff4c(%ebp)
> 3991: 00 00 00
> ../../../../netinet/tcp_input.c:667
> 3994: 8b bd 28 ff ff ff mov 0xffffff28(%ebp),%edi
> 399a: 0f b6 87 ad 00 00 00 movzbl 0xad(%edi),%eax
> 39a1: 84 c0 test %al,%al
> 39a3: 74 0f je 39b4 <tcp_input+0x464>
> 39a5: 8b 95 24 ff ff ff mov 0xffffff24(%ebp),%edx
> 39ab: 3a 42 08 cmp 0x8(%edx),%al
> 39ae: 0f 87 33 06 00 00 ja 3fe7 <tcp_input+0xa97>
>
>
> # cd /usr/src/sys/netinet/
> # cat -n tcp_input.c | head -n 667 | tail -n 1
> 667 if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip->ip_ttl)
The ip pointer should not be dereferenced outside of a AF_INET block - are
you able to try the following (compile tested only) diff?
Index: tcp_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.250
diff -u -p -u -p -r1.250 tcp_input.c
--- tcp_input.c 13 May 2011 14:31:16 -0000 1.250
+++ tcp_input.c 17 Jul 2011 17:55:39 -0000
@@ -664,8 +664,18 @@ findpcb:
}
/* Check the minimum TTL for socket. */
- if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip->ip_ttl)
- goto drop;
+ switch (af) {
+#ifdef INET6
+ case AF_INET6:
+ if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip6->ip6_hlim)
+ goto drop;
+ break;
+#endif /* INET6 */
+ case AF_INET:
+ if (inp->inp_ip_minttl && inp->inp_ip_minttl > ip->ip_ttl)
+ goto drop;
+ break;
+ }
tp = intotcpcb(inp);
if (tp == 0)
> # cd /usr/src/sys/arch/i386/compile/GENERIC.MP/
> # rm ip_input.o
> # make DEBUG=-g ip_input.o
> # objdump --line --disassemble --reloc ip_input.o >ip_input.dis
> # grep "<ipv4_input>:" ip_input.dis
> 00001bb0 <ipv4_input>:
>
> 0x1bb0 + 0x568 = 2118
>
> ../../../../netinet/ip_input.c:660
> 20ea: 0f b6 46 09 movzbl 0x9(%esi),%eax
> 20ee: 8b 4d e0 mov 0xffffffe0(%ebp),%ecx
> 20f1: c7 44 24 0c 00 00 00 movl $0x0,0xc(%esp)
> 20f8: 00
> 20f9: c7 44 24 08 00 00 00 movl $0x0,0x8(%esp)
> 2100: 00
> 2101: 0f b6 80 00 00 00 00 movzbl 0x0(%eax),%eax
> 2104: R_386_32 ip_protox
> 2108: 89 4c 24 04 mov %ecx,0x4(%esp)
> 210c: 89 14 24 mov %edx,(%esp)
> 210f: 6b c0 34 imul $0x34,%eax,%eax
> 2112: ff 90 0c 00 00 00 call *0xc(%eax)
> 2114: R_386_32 inetsw
> 2118: e9 db fa ff ff jmp 1bf8 <ipv4_input+0x48>
>
>
> # cd /usr/src/sys/netinet/
> # cat -n ip_input.c | head -n 660 | tail -n 1
> 660 (*inetsw[ip_protox[ip->ip_p]].pr_input)(m, hlen, NULL, 0);
>
> # cd /usr/src/sys/arch/i386/compile/GENERIC.MP/
> # grep "<ipintr>:" ip_input.dis
> 00002360 <ipintr>:
>
> 0x2360 + 0x73 = 23d3
>
> ../../../../netinet/ip_input.c:247
> 23c5: f6 43 12 02 testb $0x2,0x12(%ebx)
> 23c9: 74 2d je 23f8 <ipintr+0x98>
> ../../../../netinet/ip_input.c:250
> 23cb: 89 1c 24 mov %ebx,(%esp)
> 23ce: e8 fc ff ff ff call 23cf <ipintr+0x6f>
> 23cf: R_386_PC32 ipv4_input
> 23d3: eb 92 jmp 2367 <ipintr+0x7>
> ../../../../netinet/ip_input.c:242
> 23d5: c7 04 d5 04 00 00 00 movl $0x0,0x4(,%edx,8)
> 23dc: 00 00 00 00
> 23d8: R_386_32 ipintrq
> 23e0: c7 43 04 00 00 00 00 movl $0x0,0x4(%ebx)
>
>
> # cd /usr/src/sys/netinet/
> # cat -n ip_input.c | head -n 250 | tail -n 1
> 250 ipv4_input(m);
>
>
> DMESG:
> ------
> OpenBSD 4.9-current (GENERIC.MP) #24: Sun Jul 17 01:10:16 WIT 2011
>
> [email protected]:/usr/src/sys/arch/i386/compile/GENERIC
>.MP RTC BIOS diagnostic error e<fixed_disk,invalid_time>
> cpu0: Intel(R) Xeon(R) CPU E3110 @ 3.00GHz ("GenuineIntel" 686-class) 3 GHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFL
>USH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,S
> SE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1
> real mem = 2143801344 (2044MB)
> avail mem = 2098651136 (2001MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 12/12/07, SMBIOS rev. 2.5 @
> 0x7fdfd000 (63 entries)
> bios0: vendor Intel Corporation version
> "S3200X38.86B.00.00.0045.082820081329" date 08/28/2008
> bios0: Intel Corporation S3210SH
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S4 S5
> acpi0: tables DSDT SLIC FACP APIC WDDT MCFG HPET SPCR SSDT SSDT SSDT SSDT
> SSDT HEST BERT ERST EINJ DMAR
> acpi0: wakeup devices SLPB(S5) NPE1(S5) NPE6(S5) P32_(S5) PS2M(S1)
> PS2K(S1) ILAN(S5) PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(
> S5) PEX5(S5) UHC1(S1) UHC2(S1) UHC3(S1) UHC4(S1) EHCI(S1) EHC2(S1)
> UH42(S1) UHC5(S1) UHC6(S1) AZAL(S4)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: apic clock running at 332MHz
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Xeon(R) CPU E3110 @ 3.00GHz ("GenuineIntel" 686-class) 3 GHz
> cpu1:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFL
>USH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,S
> SE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1
> ioapic0 at mainbus0: apid 5 pa 0xfec00000, version 20, 24 pins
> ioapic0: misconfigured as apic 0, remapped to apid 5
> acpimcfg0 at acpi0 addr 0xf0000000, bus 0-63
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus -1 (NPE1)
> acpiprt2 at acpi0: bus 1 (NPE6)
> acpiprt3 at acpi0: bus 4 (P32_)
> acpiprt4 at acpi0: bus 2 (PEX0)
> acpiprt5 at acpi0: bus -1 (PEX1)
> acpiprt6 at acpi0: bus -1 (PEX2)
> acpiprt7 at acpi0: bus -1 (PEX3)
> acpiprt8 at acpi0: bus 3 (PEX4)
> acpiprt9 at acpi0: bus -1 (PEX5)
> acpicpu0 at acpi0: PSS
> acpicpu1 at acpi0: PSS
> acpibtn0 at acpi0: SLPB
> acpibtn1 at acpi0: PWRB
> bios0: ROM list: 0xc0000/0x8000 0xc8000/0x1000 0xc9000/0x1000
> 0xca000/0x1000 0xcb000/0x1800 0xcc800/0x1000
> ipmi at mainbus0 not configured
> cpu0: Enhanced SpeedStep 2993 MHz: speeds: 3000, 2000 MHz
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "Intel 3200/3210 Host" rev 0x00
> ppb0 at pci0 dev 6 function 0 "Intel 3210 PCIE" rev 0x00: apic 5 int 16
> pci1 at ppb0 bus 1
> em0 at pci1 dev 0 function 0 "Intel PRO/1000 PT (82571EB)" rev 0x06: msi,
> address 00:24:81:7d:11:f4
> em1 at pci1 dev 0 function 1 "Intel PRO/1000 PT (82571EB)" rev 0x06: msi,
> address 00:24:81:7d:11:f5
> em2 at pci0 dev 25 function 0 "Intel ICH9 IGP AMT" rev 0x02: msi, address
> 00:15:17:8d:4c:c5
> uhci0 at pci0 dev 26 function 0 "Intel 82801I USB" rev 0x02: apic 5 int 18
> uhci1 at pci0 dev 26 function 1 "Intel 82801I USB" rev 0x02: apic 5 int 21
> ehci0 at pci0 dev 26 function 7 "Intel 82801I USB" rev 0x02: apic 5 int 17
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
> ppb1 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x02: apic 5 int 17
> pci2 at ppb1 bus 2
> ppb2 at pci0 dev 28 function 4 "Intel 82801I PCIE" rev 0x02: apic 5 int 17
> pci3 at ppb2 bus 3
> vga1 at pci3 dev 0 function 0 "Matrox MGA G200e (ServerEngines)" rev 0x02
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> uhci2 at pci0 dev 29 function 0 "Intel 82801I USB" rev 0x02: apic 5 int 23
> uhci3 at pci0 dev 29 function 1 "Intel 82801I USB" rev 0x02: apic 5 int 19
> uhci4 at pci0 dev 29 function 2 "Intel 82801I USB" rev 0x02: apic 5 int 18
> ehci1 at pci0 dev 29 function 7 "Intel 82801I USB" rev 0x02: apic 5 int 23
> usb1 at ehci1: USB revision 2.0
> uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
> ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x92
> pci4 at ppb3 bus 4
> em3 at pci4 dev 0 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: apic 5
> int 16, address 00:07:e9:0f:44:37
> skc0 at pci4 dev 1 function 0 "D-Link DGE-530T B1" rev 0x11, Yukon Lite
> (0x9): apic 5 int 17
> sk0 at skc0 port A: address 00:1b:11:10:07:6e
> eephy0 at sk0 phy 0: 88E1011 Gigabit PHY, rev. 5
> em4 at pci4 dev 2 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: apic 5
> int 18, address 00:15:17:8d:4c:c3
> ichpcib0 at pci0 dev 31 function 0 "Intel 82801IR LPC" rev 0x02: PM
> disabled
> pciide0 at pci0 dev 31 function 2 "Intel 82801I SATA" rev 0x02: DMA,
> channel 0 configured to native-PCI, channel 1 configured to native-PCI
> pciide0: using apic 5 int 21 for native-PCI interrupt
> wd0 at pciide0 channel 0 drive 0: <MAXTOR STM380215AS>
> wd0: 16-sector PIO, LBA48, 76318MB, 156299375 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
> ichiic0 at pci0 dev 31 function 3 "Intel 82801I SMBus" rev 0x02: apic 5
> int 18
> iic0 at ichiic0
> spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM ECC PC2-5300CL5
> spdmem1 at iic0 addr 0x52: 1GB DDR2 SDRAM ECC PC2-5300CL5
> pciide1 at pci0 dev 31 function 5 "Intel 82801I SATA" rev 0x02: DMA,
> channel 0 wired to native-PCI, channel 1 wired to native-PCI
> pciide1: using apic 5 int 21 for native-PCI interrupt
> usb2 at uhci0: USB revision 1.0
> uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb3 at uhci1: USB revision 1.0
> uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb4 at uhci2: USB revision 1.0
> uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb5 at uhci3: USB revision 1.0
> uhub5 at usb5 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb6 at uhci4: USB revision 1.0
> uhub6 at usb6 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> isa0 at ichpcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> mtrr: Pentium Pro MTRR support
> vscsi0 at root
> scsibus0 at vscsi0: 256 targets
> softraid0 at root
> scsibus1 at softraid0: 256 targets
> root on wd0a swap on wd0b dump on wd0b
> WARNING: / was not properly unmounted
>
>
>
> Thanks,
>
>
> Insan Praja
--
"Reason is not automatic. Those who deny it cannot be conquered by it.
Do not count on them. Leave them alone." -- Ayn Rand
