Subject: kern/21574: kernel panicked with ACPI and IPv6 connectivity via gif tunnel.
To: None <gnats-bugs@gnats.netbsd.org>
From: None <kanaoka@ann.hi-ho.ne.jp>
List: netbsd-bugs
Date: 05/14/2003 13:33:32
>Number:         21574
>Category:       kern
>Synopsis:       kernel panicked with ACPI and IPv6 connectivity via gif tunnel.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 14 13:34:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Masanori Kanaoka
>Release:        -current/i386
>Organization:
>Environment:
-current (sources from about 2003-04-30), port-i386

>Description:
Kochi-san and I investigated port-i386/20897.
I applied the patch below (nsalloc.2.diff) and ran the patched kernel for a long time.
While it was running, the kernel had IPv6 connectivity via a gif tunnel.

The kernel ran for a long time and then panicked.
I have seen this twice: once I got only the ddb messages, and
the other time I got a kernel core file.
Note that the mbuf pointer rt_msg1 returns in the core (m = 0x3960000, see below)
is far below every other kernel pointer in the trace, so this looks like memory
corruption reaching the routing-socket code rather than a bug in rt_msg1 itself.


"db> bt" shows the following (copied by hand, so there may be transcription errors):

uvm_fault(0xc049cfa0, 0xc0913000, 0, 1) --> e
kernel page fault trap, code=0
Stopped in pid 23165.1 (ifconfig) at netbsd: memcpy+0x15 repe movsl(%esi) %esi(%edi)

db>bt
memcpy
rt_msg1
rt_missmsg
defrouter_addreq
nd6_prefix_onlink
nd6_prelist_add
in6_ifattach_loopback
in6_ifdetach
in6_if_up
if_slowtimo
ifioctl
syscall_plain
syscall1


GDB on the kernel core file shows the following:

idea# pwd 
/usr/src/sys/arch/i386/compile/IDEA
idea# gdb netbsd.gdb
GNU gdb 5.0nb1
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386--netbsdelf"...Deprecated bfd_read called at /usr/src/gnu/dist/toolchain/gdb/dbxread.c line 2638 in elfstab_build_psymtabs
Deprecated bfd_read called at /usr/src/gnu/dist/toolchain/gdb/dbxread.c line 976 in fill_symbuf

(gdb) exec-file /var/crash/netbsd.20
(gdb) target kcore /var/crash/netbsd.20.core
#0  0x1 in ?? ()
(gdb) bt
#0  0x1 in ?? ()
#1  0xc02cda3f in cpu_reboot (howto=256, bootstr=0x0)
    at ../../../../arch/i386/i386/machdep.c:891
#2  0xc02219eb in db_examine_cmd (addr=-1068687836, have_addr=0, 
    count=-903120824, modif=0xca2b7830 "\b") at ../../../../ddb/db_examine.c:67
#3  0xc02215f0 in db_command (last_cmdp=0xc048019c, cmd_table=0xc03e994c)
    at ../../../../ddb/db_command.c:464
#4  0xc02211ef in db_command_loop () at ../../../../ddb/db_command.c:251
#5  0xc02244f4 in db_trap (type=6, code=0) at ../../../../ddb/db_trap.c:100
#6  0xc02cb40f in kdb_trap (type=6, code=0, regs=0xca2b7a20) at x86/intr.h:162
#7  0xc02d89df in trap (frame={tf_gs = 16, tf_fs = -1072562128, 
      tf_es = -1064501232, tf_ds = -1064108016, tf_edi = -1064081248, 
      tf_esi = -1064095744, tf_ebp = -903120240, tf_ebx = 184, tf_edx = 184, 
      tf_ecx = 14, tf_eax = 184, tf_trapno = 6, tf_err = 0, 
      tf_eip = -1069847951, tf_cs = 8, tf_eflags = 66070, 
      tf_esp = -1064081408, tf_ss = -1071223275, tf_vm86_es = -1064081376, 
      tf_vm86_ds = -1064095872, tf_vm86_fs = 184, tf_vm86_gs = -1070960241})
    at ../../../../arch/i386/i386/trap.c:289
#8  0xc0102b98 in calltrap ()
#9  0xc02a86b6 in rt_msg1 (type=1, rtinfo=0xca2b7b7c, data=0xca2b7b04 "", 
    datalen=76) at ../../../../net/rtsock.c:582
#10 0xc02a88c2 in rt_missmsg (type=1, rtinfo=0xca2b7b7c, flags=257, error=0)
    at ../../../../net/rtsock.c:705
---Type <return> to continue, or q <return> to quit---
#11 0xc013c2ed in defrouter_addreq (new=0x1)
    at ../../../../netinet6/nd6_rtr.c:465
#12 0xc013d775 in nd6_prefix_onlink (pr=0xc0932500)
    at ../../../../netinet6/nd6_rtr.c:1664
#13 0xc013ce19 in nd6_prelist_add (pr=0xca2b7c68, dr=0x0, newp=0x0)
    at ../../../../netinet6/nd6_rtr.c:1064
#14 0xc012e144 in in6_ifattach_loopback (ifp=0xc08ba800)
    at ../../../../netinet6/in6_ifattach.c:472
#15 0xc012e48e in in6_ifdetach (ifp=0xc08ba800)
    at ../../../../netinet6/in6_ifattach.c:677
#16 0xc012d981 in in6_if_up (ifp=0xc08ba800) at ../../../../netinet6/in6.c:2637
#17 0xc0285548 in if_slowtimo (arg=0xc08ba800) at x86/intr.h:142
#18 0xc0285ab4 in ifioctl (so=0xc08c0bf8, cmd=2149607696, 
    data=0xca2b7ec0 "gif0", p=0xca1869cc) at x86/intr.h:163
#19 0xc025bc4c in soo_ioctl (fp=0xc9e19ab8, cmd=2149607696, data=0xca2b7ec0, 
    p=0xca1869cc) at ../../../../kern/sys_socket.c:143
#20 0xc025905c in sys_ioctl (l=0xc9de8d80, v=0xca2b7f80, retval=0xca2b7f78)
    at ../../../../kern/sys_generic.c:646
#21 0xc02d8427 in syscall_plain (frame={tf_gs = 31, tf_fs = 31, tf_es = 31, 
      tf_ds = 31, tf_edi = 134539727, tf_esi = 1, tf_ebp = -1077937104, 
      tf_ebx = -1077937136, tf_edx = -1077968815, tf_ecx = -1077937136, 
      tf_eax = 54, tf_trapno = 3, tf_err = 2, tf_eip = 1208970575, tf_cs = 23, 
      tf_eflags = 659, tf_esp = -1077937180, tf_ss = 31, tf_vm86_es = 0, 
---Type <return> to continue, or q <return> to quit---
      tf_vm86_ds = 0, tf_vm86_fs = 0, tf_vm86_gs = 0})
    at ../../../../arch/i386/i386/syscall.c:163
#22 0xc0100ab3 in syscall1 ()
can not access 0xbfbffc30, invalid translation (invalid PDE)
can not access 0xbfbffc30, invalid translation (invalid PDE)
Cannot access memory at address 0xbfbffc30
(gdb) frame 9
#9  0xc02a86b6 in rt_msg1 (type=1, rtinfo=0xca2b7b7c, data=0xca2b7b04 "", 
    datalen=76) at ../../../../net/rtsock.c:582
582             return (m);
(gdb) l
577                     return (NULL);
578             }
579             rtm->rtm_msglen = len;
580             rtm->rtm_version = RTM_VERSION;
581             rtm->rtm_type = type;
582             return (m);
583     }
584     
585     /*
586      * rt_msg2
(gdb) p m
$2 = (struct mbuf *) 0x3960000
(gdb) p *m
can not access 0x3960000, invalid translation (invalid PDE)
can not access 0x3960000, invalid translation (invalid PDE)
Cannot access memory at address 0x3960000



Here is nsalloc.2.diff.
---- nsalloc.2.diff ------------
--- nsalloc.c.orig	2003-03-05 02:33:38.000000000 +0900
+++ nsalloc.c	2003-04-25 20:11:13.000000000 +0900
@@ -210,7 +210,14 @@
     }
     else
     {
-        ParentNode->Child = NextNode->Peer;
+	if (NextNode->Flags & ANOBJ_END_OF_PEER_LIST)
+	{
+	    ParentNode->Child = NULL;
+	}
+	else
+	{
+             ParentNode->Child = NextNode->Peer;
+	}
     }
 
 
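Review bot: The new `ANOBJ_END_OF_PEER_LIST` test only covers the first-child case; the matching `if` branch (the node has a previous peer) lies above this hunk and is not visible, so check that it propagates the end-of-list flag to the previous peer when the unlinked node was the last one, otherwise that peer inherits a `Peer` that is not a sibling. The check here is sound if, as elsewhere in this ACPICA, the last child's `Peer` points back at the parent, in which case the old line set `ParentNode->Child` to the parent itself. On style, the added lines are tab-indented inside a four-space-indented function and `ParentNode->Child = NextNode->Peer;` sits one column level off; the `if`, `else` and their braces should use the surrounding four-space indent. The enclosing function starts and ends outside the hunk.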
@@ -517,6 +524,62 @@
 
 /*******************************************************************************
  *
+ * FUNCTION:    AcpiNsRemoveReference
+ *
+ * PARAMETERS:  Node           - Named node whose reference count is to be
+ *                               decremented
+ *
+ * RETURN:      None.
+ *
+ * DESCRIPTION: Remove a Node reference.  Decrements the reference count
+ *              of all parent Nodes up to the root.  Any node along
+ *              the way that reaches zero references is freed.
+ *
+ ******************************************************************************/
+
+static void
+AcpiNsRemoveReference (
+    ACPI_NAMESPACE_NODE     *Node)
+{
+    ACPI_NAMESPACE_NODE     *ParentNode;
+    ACPI_NAMESPACE_NODE     *ThisNode;
+
+
+    ACPI_FUNCTION_ENTRY ();
+
+
+    /*
+     * Decrement the reference count(s) of this node and all
+     * nodes up to the root,  Delete anything with zero remaining references.
+     */
+    ThisNode = Node;
+    while (ThisNode)
+    {
+        /* Prepare to move up to parent */
+
+        ParentNode = AcpiNsGetParentNode (ThisNode);
+
+        /* Decrement the reference count on this node */
+
+        ThisNode->ReferenceCount--;
+
+        /* Delete the node if no more references */
+
+        if (!ThisNode->ReferenceCount)
+        {
+            /* Delete all children and delete the node */
+
+            AcpiNsDeleteChildren (ThisNode);
+            AcpiNsDeleteNode (ThisNode);
+        }
+
+        ThisNode = ParentNode;
+    }
+}
+
+
+/*******************************************************************************
+ *
  * FUNCTION:    AcpiNsDeleteNamespaceSubtree
  *
  * PARAMETERS:  ParentNode      - Root of the subtree to be deleted
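Review bot: This hunk inserts `AcpiNsRemoveReference` verbatim and the last hunk deletes the same 56 lines at their old position, so the net change is a move to get the definition above its first use in `AcpiNsDeleteNamespaceSubtree`; a one-line forward declaration, `static void AcpiNsRemoveReference (ACPI_NAMESPACE_NODE *Node);`, near the top of the file would achieve that without burying the real logic change in a relocation. Independently, `ThisNode->ReferenceCount--` has no guard against an already-zero count; if the field is unsigned, a double removal wraps it and the node is silently never freed, so an `ACPI_DEBUG_PRINT` or assert on `ReferenceCount == 0` before the decrement would make that failure visible instead of turning into a leak or a later use-after-free. Note also that `ParentNode` is fetched before `AcpiNsDeleteNode` frees `ThisNode`, which is required if `AcpiNsGetParentNode` walks the node's peer links as it presumably does, and deserves a comment so nobody reorders it.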
@@ -532,8 +595,9 @@
 AcpiNsDeleteNamespaceSubtree (
     ACPI_NAMESPACE_NODE     *ParentNode)
 {
-    ACPI_NAMESPACE_NODE     *ChildNode = NULL;
-    UINT32                  Level = 1;
+    ACPI_NAMESPACE_NODE     *ChildNode;
+    ACPI_NAMESPACE_NODE     *DeletionNode;
+    UINT32                  Level;
 
 
     ACPI_FUNCTION_TRACE ("NsDeleteNamespaceSubtree");
@@ -544,6 +608,10 @@
         return_VOID;
     }
 
+    ChildNode = NULL;
+    DeletionNode = NULL;
+    Level = 1;
+
     /*
      * Traverse the tree of objects until we bubble back up
      * to where we started.
@@ -554,6 +622,12 @@
 
         ChildNode = AcpiNsGetNextNode (ACPI_TYPE_ANY, ParentNode,
                                             ChildNode);
+        if (DeletionNode)
+        {
+            AcpiNsRemoveReference (DeletionNode);
+            DeletionNode = NULL;
+        }
+
         if (ChildNode)
         {
             /* Found a child node - detach any attached object */
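Review bot: The ordering here, `AcpiNsGetNextNode` first and `AcpiNsRemoveReference (DeletionNode)` second, is the whole reason deletion is deferred, since `DeletionNode` is the previous `ChildNode` that `AcpiNsGetNextNode` uses as its cursor, but nothing in the code says so. I would add above the `if (DeletionNode)` line: `/* DeletionNode is the node visited last iteration; it must stay allocated until AcpiNsGetNextNode above has stepped past it, so free it only now. */`. The function header should also state that `AcpiNsRemoveReference` may free ancestors whose count reaches zero, so the loop must never keep a pointer to a node it has handed over. The loop starts and ends outside this hunk.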
@@ -572,6 +646,10 @@
                 ParentNode    = ChildNode;
                 ChildNode     = 0;
             }
+	    else
+	    {
+                DeletionNode = ChildNode;
+	    }
         }
         else
         {
@@ -585,7 +663,10 @@
              * Now delete all of the children of this parent
              * all at the same time.
              */
-            AcpiNsDeleteChildren (ParentNode);
+	    if (Level != 0)
+	    {
+		DeletionNode = ParentNode;
+	    }
 
             /* New "last child" is this parent node */
 
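Review bot: The `Level != 0` test quietly changes what happens at the subtree root: the removed `AcpiNsDeleteChildren (ParentNode)` was also reached at the root once `Level` dropped to 0 (the decrement is above this hunk, so I am inferring it from the surrounding comment), whereas now the root's children are freed only if each of them was assigned to `DeletionNode` on its way out, as a leaf in the earlier hunk or as a parent here. The loop structure appears to guarantee that every visited node takes one of those two paths, but it is an invariant worth stating, e.g. `/* Level 0 is the subtree root owned by the caller; deeper parents are deferred so the traversal cursor stays valid */`. The tab-indented `if` block also breaks the surrounding four-space indentation.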
@@ -603,62 +684,6 @@
 
 /*******************************************************************************
  *
- * FUNCTION:    AcpiNsRemoveReference
- *
- * PARAMETERS:  Node           - Named node whose reference count is to be
- *                               decremented
- *
- * RETURN:      None.
- *
- * DESCRIPTION: Remove a Node reference.  Decrements the reference count
- *              of all parent Nodes up to the root.  Any node along
- *              the way that reaches zero references is freed.
- *
- ******************************************************************************/
-
-static void
-AcpiNsRemoveReference (
-    ACPI_NAMESPACE_NODE     *Node)
-{
-    ACPI_NAMESPACE_NODE     *ParentNode;
-    ACPI_NAMESPACE_NODE     *ThisNode;
-
-
-    ACPI_FUNCTION_ENTRY ();
-
-
-    /*
-     * Decrement the reference count(s) of this node and all
-     * nodes up to the root,  Delete anything with zero remaining references.
-     */
-    ThisNode = Node;
-    while (ThisNode)
-    {
-        /* Prepare to move up to parent */
-
-        ParentNode = AcpiNsGetParentNode (ThisNode);
-
-        /* Decrement the reference count on this node */
-
-        ThisNode->ReferenceCount--;
-
-        /* Delete the node if no more references */
-
-        if (!ThisNode->ReferenceCount)
-        {
-            /* Delete all children and delete the node */
-
-            AcpiNsDeleteChildren (ThisNode);
-            AcpiNsDeleteNode (ThisNode);
-        }
-
-        ThisNode = ParentNode;
-    }
-}
-
-
-/*******************************************************************************
- *
  * FUNCTION:    AcpiNsDeleteNamespaceByOwner
  *
  * PARAMETERS:  OwnerId     - All nodes with this owner will be deleted



 
>How-To-Repeat:
1. Apply nsalloc.2.diff if your nsalloc.c predates the 2003-05-13 13:29:01 UTC commit.
2. Configure and build a kernel for a Libretto L3 with all the ACPI devices enabled.
3. Bring up IPv6 connectivity via a gif tunnel.
4. Stay on the console and wait; the panic appears only after the kernel has run for a long time.
>Fix:
Sorry, I don't know
>Release-Note:
>Audit-Trail:
>Unformatted: