netbsd-bugs: kern/10363: kernel panics on shutdown with pmap

Subject: kern/10363: kernel panics on shutdown with pmap_unwire: invalid (unmapped) va
To: None <gnats-bugs@gnats.netbsd.org>
From: None <blymn@baesystems.com.au>
List: netbsd-bugs
Date: 06/14/2000 03:14:18
>Number:         10363
>Category:       kern
>Synopsis:       kernel panics on shutdown
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 14 03:15:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Brett Lymn (Master of the Siren)
>Release:        NetBSD-current 05052000
>Organization:
Brett Lymn
>Environment:

System: NetBSD siren 1.4X NetBSD 1.4X (SIREN) #20: Mon Jun 12 15:41:48 CST 2000 root@siren:/usr/src/sys/arch/i386/compile/SIREN i386


>Description:
	When shutting down the system it _sometimes_ panics with a
"pmap_unwire: invalid (unmapped) va"

message.  This panic, when it happens, seems to always happen when the ntpd
is exiting as this is the process that is always mentioned during the panic.
The panic does not always happen, it happens once every ten or so shutdowns
so I suspect there is some sort of race that is sometimes lost.

Analysing a kernel core dump I get the following traceback:

panic: pmap_unwire: invalid (unmapped) va
#0  0x4 in ?? ()
(gdb) bt
#0  0x4 in ?? ()
#1  0xc02b40a1 in cpu_reboot (howto=256, bootstr=0x0)
    at ../../../../arch/i386/i386/machdep.c:1111
#2  0xc013a79b in db_sync_cmd (addr=-942773052, have_addr=0, 
    count=-1069748256, modif=0xc7ce6ca4 "ý\0231Ààï<À\001")
    at ../../../../ddb/db_command.c:651
#3  0xc013a382 in db_command (last_cmdp=0xc03b4ef4, cmd_table=0x0)
    at ../../../../ddb/db_command.c:316
#4  0xc013a57f in db_command_loop () at ../../../../ddb/db_command.c:544
#5  0xc013da82 in db_trap (type=1, code=0) at ../../../../ddb/db_trap.c:78
#6  0xc02b0a30 in kdb_trap (type=1, code=0, regs=0xc7ce6dec)
    at ../../../../arch/i386/i386/db_interface.c:119
#7  0xc02bf09c in trap (frame={tf_es = 16, tf_ds = -942800880, 
      tf_edi = -942788208, tf_esi = -942846388, tf_ebp = -942772700, 
      tf_ebx = -942804616, tf_edx = 0, tf_ecx = -1069748256, tf_eax = 0, 
      tf_trapno = 1, tf_err = 0, tf_eip = -1070920856, tf_cs = 8, 
      tf_eflags = 514, tf_esp = -942772692, tf_ss = -1070920932, 
      tf_vm86_es = -942772676, tf_vm86_ds = -1072229682, 
      tf_vm86_fs = -942772664, tf_vm86_gs = 256})
    at ../../../../arch/i386/i386/trap.c:298
#8  0xc0100ce5 in calltrap ()
#9  0xc02b0b1c in cpu_Debugger ()
    at ../../../../arch/i386/i386/db_interface.c:148
---Type <return> to continue, or q <return> to quit---
#10 0xc01712ce in panic (fmt=0xc038fe00 "pmap_unwire: invalid (unmapped) va")
    at ../../../../kern/subr_prf.c:216
#11 0xc02bc52e in pmap_unwire (pmap=0xc7a45c38, va=1208856576)
    at ../../../../arch/i386/i386/pmap.c:2908
#12 0xc02999d7 in uvm_fault_unwire_locked (map=0xc7cdf178, start=1208684544, 
    end=1209155584) at ../../../../uvm/uvm_fault.c:1929
#13 0xc02a0ea0 in uvm_map_entry_unwire (map=0xc7cdf178, entry=0xc7cd4e4c)
    at ../../../../uvm/uvm_map.c:284
#14 0xc029d8b5 in uvm_unmap_remove (map=0xc7cdf178, start=0, end=3217022976, 
    entry_list=0xc7ce6ed0) at ../../../../uvm/uvm_map.c:977
#15 0xc029ca43 in uvm_unmap (map=0xc7cdf178, start=0, end=3217022976)
    at ../../../../uvm/uvm_map_i.h:175
#16 0xc02aa444 in uvm_deallocate (map=0xc7cdf178, start=0, size=3217022976)
    at ../../../../uvm/uvm_user.c:66
#17 0xc0159769 in exit1 (p=0xc7ce3190, rv=0)
    at ../../../../kern/kern_exit.c:206
#18 0xc01595b2 in sys_exit (p=0xc7ce3190, v=0xc7ce6f74, retval=0xc7ce6f6c)
    at ../../../../kern/kern_exit.c:138
#19 0xc02bf81c in syscall (frame={tf_es = 43, tf_ds = 43, tf_edi = 0, 
      tf_esi = -1, tf_ebp = -1077945324, tf_ebx = 1209167152, tf_edx = 0, 
      tf_ecx = -1077950508, tf_eax = 1, tf_trapno = 3, tf_err = 2, 
      tf_eip = 1209124491, tf_cs = 35, tf_eflags = 598, tf_esp = -1077945348, 
      tf_ss = 43, tf_vm86_es = 0, tf_vm86_ds = 0, tf_vm86_fs = 0, 
---Type <return> to continue, or q <return> to quit---
      tf_vm86_gs = 0}) at ../../../../arch/i386/i386/trap.c:760
#20 0xc0100d91 in syscall1 ()
can not access 0xbfbfdc14, invalid translation (invalid PDE)
can not access 0xbfbfdc14, invalid translation (invalid PDE)
Cannot access memory at address 0xbfbfdc14.

>How-To-Repeat:
	This panic does not seem to have any real pattern, I don't know
how to repeat it apart from rebooting until it panics.

>Fix:
	Unknown.

>Release-Note:
>Audit-Trail:
>Unformatted: