Subject: kern/20180: kernel stack overflow on i386
To: None <gnats-bugs@gnats.netbsd.org>
From: SAITOH Masanobu <masanobu@iij.ad.jp>
List: netbsd-bugs
Date: 02/03/2003 19:38:14
>Number:         20180
>Category:       kern
>Synopsis:       kernel stack overflow on i386
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 03 02:39:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     SAITOH Masanobu
>Release:        1.6 and -current
>Organization:
----------------------------------------------------------
		SAITOH Masanobu (masanobu@iij.ad.jp)
>Environment:
>Description:

 When I send heavy traffic to many gif interfaces, the system freezes
or automatically resets. It seems that a kernel stack overflow occurs.
It occurs on the 1.6 release kernel.

The following log was made with
          netbsd-1-6
        + KSTACK_CHECK patch
        + disable USE_ENCAPCHECK in in_gif.c

Perhaps it occurs when softnetintr() works heavily.
I observed it on i386 only. At least it doesn't occur on macppc.
Perhaps there is a race condition in doreti() or some other routine.

-------------------------------------------
panic: trap on DR0: maybe kernel stack overflow

Stopped at      cpu_Debugger+0x4:       leave
db> trace
cpu_Debugger(e800ff6c,0,5,0,83) at cpu_Debugger+0x4
32: panic(c049a9c0,0,0,0,e800ff6c) at panic+0xad
80: trap() at trap+0x185
--- trap (number 5) ---
80: pmap_extract(c05ff520,d2e3a000,d3a3f450,d3a3f468) at pmap_extract+0x5
80: _bus_dmamap_load_buffer(c05b0200,c0b326c0,d2e3a000,800,0) at _bus_dmamap_load_buffer+0x68
80: _bus_dmamap_load(c05b0200,c0b326c0,d2e3a000,800,0,101,c0b21038,d3a3f508) at _bus_dmamap_load+0x4f
80: fxp_add_rfabuf(c0b21000,c0b326c0,1,c0b32800) at fxp_add_rfabuf+0x179
112: fxp_rxintr(c0b21000,0,c0d33500,d3a3f5b8) at fxp_rxintr+0x58f
64: fxp_intr(c0b21000) at fxp_intr+0xca
8: Xintr11() at Xintr11+0x82
--- interrupt ---
180: m_copydata(c0d33500,0,29,d3a3f6c8) at m_copydata
48: ip6_lasthdr(c0d33500,0,29,d3a3f6c8,c0d33500) at ip6_lasthdr+0x2d
80: ipsec6_get_ulp(c0d33500,d3a3f798,0,d3a3f85c,d3a3f798) at ipsec6_get_ulp+0x79
64: ipsec_setspidx(c0d33500,d3a3f798,0,c0c1d300,d3a3f798) at ipsec_setspidx+0x11f
48: ipsec_setspidx_mbuf(d3a3f798,1,18,c0d33500,0) at ipsec_setspidx_mbuf+0x3f
336: ipsec6_getpolicybyaddr(c0d33500,1,0,d3a3f8cc,40) at ipsec6_getpolicybyaddr+0x5e
48: ipsec6_in_reject_so(c0d33500,0,7,0,c0c655c4) at ipsec6_in_reject_so+0x24
32: ipsec6_in_reject(c0d33500,0,c0b0d038,2) at ipsec6_in_reject+0x1b
96: ip6_forward(c0d33500,0,c0cee200,1,c0d33500) at ip6_forward+0x2d
80: ip6_input(c0d33500,d3a3f9d0,80000000,80000000) at ip6_input+0x917
48: ip6intr(10,10,d3a30010,c02b0010,4) at ip6intr+0x6b
0: Xsoftnet() at Xsoftnet+0x39
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x24
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x22
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x22
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet+0x5
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x22
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x22
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet+0x5
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x24
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
132: pfslowtimo(0,1000004,c01bf8f4,c0b07000) at pfslowtimo
48: softintr_dispatch(0) at softintr_dispatch+0x99
4: Xsoftclock() at Xsoftclock+0x11
--- interrupt ---
64: Xsoftnet() at Xsoftnet+0x5
--- interrupt ---
64: Xdoreti() at Xdoreti+0x24
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x24
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet+0x5
--- interrupt ---
64: Xsoftnet() at Xsoftnet+0x49
--- interrupt ---
64: Xsoftnet() at Xsoftnet+0x5
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x24
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet+0x49
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x22
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet+0x5
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x24
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x22
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x22
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x22
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet+0x5
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet+0x5
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x1b
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x24
--- interrupt ---
64: Xdoreti() at Xdoreti+0x22
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x24
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet+0x49
--- interrupt ---
64: Xdoreti() at Xdoreti+0xe
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x24
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x24
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xdoreti() at Xdoreti+0x24
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
64: Xsoftnet() at Xsoftnet
--- interrupt ---
148: idle(d3a1ec94,64,c024c83c,d3a1ec94) at idle+0x1b
48: bpendtsleep(c05c3eb0,28,c047dcb0,64,0,6,0,d3a1ec94) at bpendtsleep
64: sched_sync(d3a1ec94) at sched_sync+0x172
db>
-------------------------------------------

>How-To-Repeat:
	see above
>Fix:
	I don't know
>Release-Note:
>Audit-Trail:
>Unformatted:
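Added example, not part of this PR and not NetBSD code: a small C program that
parses a ddb trace in the format shown above, using the per-frame byte counts
that the KSTACK_CHECK patch prefixes to each frame, and reports total stack
consumption, the number of "--- interrupt ---" boundaries, how many Xsoftnet
and Xdoreti frames appear, and the deepest run of back-to-back interrupt-entry
frames (the i386 stubs whose names begin with X). The listing it embeds is a
constructed, shortened copy of the trace in the PR; the 8 KB stack budget it
prints is an assumed figure, since the PR does not state USPACE for this
machine. Symbol names are those from the trace; everything else is illustrative.

```c
/*
 * Added example, not code from PR kern/20180 or from NetBSD. It sums the
 * "<bytes>: " frame-size prefixes a KSTACK_CHECK-patched ddb(4) trace prints,
 * counts "--- interrupt ---" boundaries and finds the longest run of nested
 * interrupt-entry frames (i386 stubs named X*: Xsoftnet, Xdoreti, Xintr11).
 * The sample listing is constructed; the 8 KB stack budget is an assumption.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ASSUMED_KSTACK_BYTES 8192L  /* assumption, not taken from the PR */
struct trace_stats {
    int  frames, interrupts, softnet_frames, doreti_frames;
    int  max_nesting;   /* longest run of consecutive X* frames */
    long total_bytes;   /* sum of the frame-size prefixes */
};

static const char sample_trace[] =   /* constructed sample input */
    "cpu_Debugger(e800ff6c,0,5,0,83) at cpu_Debugger+0x4\n"
    "32: panic(c049a9c0,0,0,0,e800ff6c) at panic+0xad\n"
    "80: _bus_dmamap_load_buffer(c05b0200,c0b326c0,d2e3a000,800,0) at _bus_dmamap_loa\n"
    "d_buffer+0x68\n"
    "8: Xintr11() at Xintr11+0x82\n"
    "--- interrupt ---\n"
    "48: ip6intr(10,10,d3a30010,c02b0010,4) at ip6intr+0x6b\n"
    "0: Xsoftnet() at Xsoftnet+0x39\n"
    "--- interrupt ---\n"
    "64: Xsoftnet() at Xsoftnet\n"
    "--- interrupt ---\n"
    "64: Xdoreti() at Xdoreti+0x24\n"
    "--- interrupt ---\n"
    "64: Xsoftnet() at Xsoftnet\n"
    "--- interrupt ---\n"
    "148: idle(d3a1ec94,64,c024c83c,d3a1ec94) at idle+0x1b\n"
    "db>\n";

/* "<bytes>: symbol(args) at symbol+off" -> size and symbol; 0 otherwise. */
static int parse_frame(const char *s, long *size, char *sym, size_t symlen)
{
    char *end;
    size_t n;
    if (!isdigit((unsigned char)*s))
        return 0;
    *size = strtol(s, &end, 10);
    if (*end != ':')
        return 0;
    for (s = end + 1; *s == ' ' || *s == '\t'; s++)
        ;
    n = strcspn(s, "( \n");
    if (n == 0 || n >= symlen)
        return 0;
    memcpy(sym, s, n);
    sym[n] = '\0';
    return 1;
}

/* Walks the listing line by line; returns the number of sized frames. */
int analyze_trace(const char *text, struct trace_stats *st)
{
    int run = 0;
    memset(st, 0, sizeof(*st));
    while (*text != '\0') {
        char buf[256], sym[64];
        const char *nl = strchr(text, '\n'), *s;
        size_t full = nl ? (size_t)(nl - text) : strlen(text);
        size_t len = full < sizeof(buf) ? full : sizeof(buf) - 1;
        long size;
        memcpy(buf, text, len);
        buf[len] = '\0';
        text = nl ? nl + 1 : text + full;
        for (s = buf; *s == ' ' || *s == '\t'; s++)
            ;
        if (strncmp(s, "--- interrupt ---", 17) == 0) {
            st->interrupts++;
            continue;
        }
        if (!parse_frame(s, &size, sym, sizeof(sym)))
            continue;           /* wrapped tail, "db>", unprefixed frame */
        st->frames++;
        st->total_bytes += size;
        st->softnet_frames += strcmp(sym, "Xsoftnet") == 0;
        st->doreti_frames += strcmp(sym, "Xdoreti") == 0;
        if (sym[0] == 'X') {    /* interrupt-entry stub: nesting deepens */
            if (++run > st->max_nesting)
                st->max_nesting = run;
        } else
            run = 0;            /* an ordinary C frame ends the run */
    }
    return st->frames;
}

int main(void)
{
    struct trace_stats st;
    analyze_trace(sample_trace, &st);
    printf("frames=%d bytes=%ld/%ld interrupts=%d Xsoftnet=%d Xdoreti=%d nesting=%d\n",
           st.frames, st.total_bytes, ASSUMED_KSTACK_BYTES, st.interrupts,
           st.softnet_frames, st.doreti_frames, st.max_nesting);
    return 0;
}
```

Fed the full trace from the PR instead of the embedded sample, the program counts
roughly two hundred Xsoftnet/Xdoreti entries of 64 bytes each, which is over
12 KB of stack from the re-entered softnet path alone; the nesting figure is the
number to compare between i386 and macppc when checking the reporter's
observation that the overflow is i386-specific.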