Instant panic from recvfrom() while running /usr/libexec/named-xfer

Paul Herman pherman at frenchfries.net
Fri Dec 19 09:57:52 PST 2003


OK, I still haven't found out how to dump to an ATA RAID device,
but luckily it turns out this panic is pretty egregious and I got a
backtrace on another machine with a crashdump.

All you have to do is transfer a DNS zone.  You should be able to
do the same thing at home with something like:

   /usr/libexec/named-xfer -z foo.org -f fo.zone ns1.foo.org

Looks like in recvfrom() that maybe the change to kern_recvmsg()
can leave sa still pointing to NULL.  I'm not really familiar with
the new msg changes, but maybe this should be checked for? Here's
the trace:

Fatal trap 12: page fault while in kernel mode
fault virtual address	= 0x0
fault code		= supervisor read, page not present
instruction pointer	= 0x8:0xc02644a6
stack pointer	        = 0x10:0xd161dbd8
frame pointer	        = 0x10:0xd161dc14
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 633 (named-xfer)
current thread          = pri 10
interrupt mask		= none
trap number		= 12
panic: page fault

---
#0  dumpsys () at ../../kern/kern_shutdown.c:500
500		if (dumping++) {
(kgdb) bt
#0  dumpsys () at ../../kern/kern_shutdown.c:500
#1  0xc0240533 in boot (howto=256) at ../../kern/kern_shutdown.c:333
#2  0xc0240964 in poweroff_wait (junk=0xc044730a, howto=-1069257458)
    at ../../kern/kern_shutdown.c:612
#3  0xc03bd251 in trap_fatal (frame=0xd161db98, eva=0)
    at ../../i386/i386/trap.c:1130
#4  0xc03bce55 in trap_pfault (frame=0xd161db98, usermode=0, eva=0)
    at ../../i386/i386/trap.c:1019
#5  0xc03bcad0 in trap (frame={tf_fs = -782172136, tf_es = 16,
      tf_ds = -1040318448, tf_edi = -905731392, tf_esi = -782115764,
      tf_ebp = -782115820, tf_isp = -782115900, tf_ebx = 0,
      tf_edx = -782115852, tf_ecx = -905731392, tf_eax = 0, tf_trapno = 12,
      tf_err = 0, tf_eip = -1071233882, tf_cs = 8, tf_eflags = 66178,
      tf_esp = -1069070488, tf_ss = -905769152}) at ../../i386/i386/trap.c:603
#6  0xc02644a6 in recvfrom (uap=0xd161dc4c) at ../../kern/uipc_syscalls.c:778
#7  0xc03bd5aa in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
      tf_edi = 135141376, tf_esi = 2, tf_ebp = -1077938768,
      tf_isp = -782115468, tf_ebx = 135141376, tf_edx = -1077938452,
      tf_ecx = -1077938866, tf_eax = 29, tf_trapno = 12, tf_err = 2,
      tf_eip = 671993164, tf_cs = 31, tf_eflags = 663, tf_esp = -1077938876,
      tf_ss = 47}) at ../../i386/i386/trap.c:1340
#8  0xc03ac93a in Xint0x80_syscall ()
#9  0x804c5c9 in ?? ()
#10 0x804ce69 in ?? ()
---Type <return> to continue, or q <return> to quit---
#11 0x804bde7 in ?? ()
#12 0x804af1a in ?? ()
(kgdb) up 6
#6  0xc02644a6 in recvfrom (uap=0xd161dc4c) at ../../kern/uipc_syscalls.c:778
778			fromlen = MIN(fromlen, sa->sa_len);
(kgdb) list
773
774		error = kern_recvmsg(uap->s, uap->from ? &sa : NULL, &auio, NULL,
775		    &uap->flags, &uap->sysmsg_result);
776
777		if (error == 0 && uap->from) {
778			fromlen = MIN(fromlen, sa->sa_len);
779			error = copyout(sa, uap->from, fromlen);
780			if (error == 0)
781				error = copyout(&fromlen, uap->fromlenaddr,
782				    sizeof(fromlen));
(kgdb) print sa
$1 = (struct sockaddr *) 0x0
(kgdb)

-Paul.
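
An added example, not part of the original post and not the project's code: a user-space C model of the copy-out step at line 778 of the listing, with the NULL check the post asks about. The names model_sockaddr, model_recvmsg and model_recvfrom are hypothetical, and two things are assumptions: that the receive path leaves sa NULL when the socket yields no source address, and that reporting an address length of 0 is the right result in that case.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for struct sockaddr (constructed for this example). */
struct model_sockaddr {
    unsigned char sa_len;
    unsigned char sa_family;
    char sa_data[14];
};

#define MODEL_MIN(a, b) ((a) < (b) ? (a) : (b))

/*
 * Hypothetical model of kern_recvmsg(): returns 0 on success. When no
 * source address is available (assumed here for the connected socket a
 * zone transfer uses), *sa is left NULL even though the call succeeded.
 */
static int model_recvmsg(int has_peer_addr, struct model_sockaddr **sa)
{
    static struct model_sockaddr peer =
        { sizeof(struct model_sockaddr), 2, {0} };

    if (sa != NULL)
        *sa = has_peer_addr ? &peer : NULL;
    return 0;
}

/*
 * Copy-out step with the check added. Returns the address length that
 * would be reported to the caller, or -1 on error. Without the
 * sa == NULL test, sa->sa_len reads address 0, as in the trace above.
 */
int model_recvfrom(int has_peer_addr, void *from, int fromlen)
{
    struct model_sockaddr *sa = NULL;
    int error = model_recvmsg(has_peer_addr, from ? &sa : NULL);

    if (error != 0 || fromlen < 0)
        return -1;
    if (from == NULL || sa == NULL)
        return 0;       /* nothing to copy out: report length 0 */

    fromlen = MODEL_MIN(fromlen, (int)sa->sa_len);
    memcpy(from, sa, (size_t)fromlen);   /* stands in for copyout() */
    return fromlen;
}
```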




