netbsd-bugs: port-i386/13487: panic when killing ntpd

Subject: port-i386/13487: panic when killing ntpd
To: None <gnats-bugs@gnats.netbsd.org>
From: Anthony Mallet <toto@ficus.yi.org>
List: netbsd-bugs
Date: 07/17/2001 00:29:56
>Number:         13487
>Category:       port-i386
>Synopsis:       panic when killing ntpd
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    port-i386-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jul 16 15:27:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Anthony Mallet
>Release:        NetBSD 1.5.1
>Organization:
>Environment:
System: NetBSD ficus 1.5.1 NetBSD 1.5.1 (FICUS) #16: Mon Jul 16 03:56:55 CEST 2001 toto@ficus:/home/src/netbsd-1.5/sys/arch/i386/compile/FICUS i386

>Description:

Kernel panics (backtrace below) in uvm_fault_unwire_locked() when I kill
ntpd under certain cicumstances. This occurs when ntpd calls exit().
This problem is *reproductible* and occur when:

a) I've been using a Mesa application (Mesa comes from XFree-4, the
   application is home-made)
b) I kill ntpd (e.g. with /etc/rc.d/ntpd restart)

If I do not use the Mesa application, "ntpd restart" works ok.

This problem is not new for me (can't remember exactly when it started to
happen), but it's been a long time before I figure out what was
happening. Today I was able to switch to the console just before the
problem occur and I get the chance to see a ddb (I'm usually running
under X).

I have a core dump and a "netbsd.gdb" kernel if necessary, and here is the
backtrace (exit() called from ntpd):

#10 0xc0150af8 in panic (fmt=0xc02e2420 "pmap_unwire: invalid (unmapped) va")
    at ../../../../kern/subr_prf.c:224
#11 0xc0263783 in pmap_unwire (pmap=0xc9c14e14, va=1208864768)
    at ../../../../arch/i386/i386/pmap.c:2928
#12 0xc024f16c in uvm_fault_unwire_locked (map=0xca09081c, start=1208696832, 
    end=1209204736) at ../../../../uvm/uvm_fault.c:1941
#13 0xc0251979 in uvm_unmap_remove (map=0xca09081c, start=0, end=3217022976, 
    entry_list=0xca1a0ee0) at ../../../../uvm/uvm_map.c:285
#14 0xc0250e01 in uvm_unmap (map=0xca09081c, start=0, end=3217022976)
    at ../../../../uvm/uvm_map_i.h:179
#15 0xc025a300 in uvm_deallocate (map=0xca09081c, start=0, size=3217022976)
    at ../../../../uvm/uvm_user.c:66
#16 0xc01401c7 in exit1 (p=0xca18a340, rv=0)
    at ../../../../kern/kern_exit.c:206
#17 0xc0140084 in sys_exit (p=0xca18a340, v=0xca1a0f80, retval=0xca1a0f78)
    at ../../../../kern/kern_exit.c:138
#18 0xc0264d18 in syscall (frame={tf_gs = 43, tf_fs = 43, tf_es = 43, 
      tf_ds = 43, tf_edi = 0, tf_esi = -1, tf_ebp = -1077945424, 
      tf_ebx = 1209216092, tf_edx = 0, tf_ecx = -1077950608, tf_eax = 1, 
      tf_trapno = 3, tf_err = 2, tf_eip = 1209171443, tf_cs = 35, 
      tf_eflags = 582, tf_esp = -1077945448, tf_ss = 43, tf_vm86_es = 0, 
      tf_vm86_ds = 0, tf_vm86_fs = 0, tf_vm86_gs = 0})
    at ../../../../arch/i386/i386/trap.c:801
#19 0xc0100d8d in syscall1 ()

>How-To-Repeat:
This is likely to work only for me, but you can try to run some
Mesa application and an ntpd daemon and see if killing ntpd does
something...

>Fix:
	Maybe...
>Release-Note:
>Audit-Trail:
>Unformatted: