From owner-freebsd-net@freebsd.org  Thu Oct 13 04:51:25 2016
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 44673C0FD12
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Thu, 13 Oct 2016 04:51:25 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 294929EE
 for <freebsd-net@FreeBSD.org>; Thu, 13 Oct 2016 04:51:25 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u9D4pN0k023845
 for <freebsd-net@FreeBSD.org>; Thu, 13 Oct 2016 04:51:25 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-net@FreeBSD.org
Subject: [Bug 148807] [panic] "panic: sbdrop" and "panic: sbsndptr: sockbuf _
 and mbuf _ clashing" (8.1-RELEASE/10.1-STABLE/11-CURRENT)
Date: Thu, 13 Oct 2016 04:51:24 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.1-STABLE
X-Bugzilla-Keywords: crash, needs-qa, patch
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: hiren@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: freebsd-net@FreeBSD.org
X-Bugzilla-Flags: mfc-stable9? mfc-stable10? mfc-stable11?
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-148807-2472-9eW6hNnuKW@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-148807-2472@https.bugs.freebsd.org/bugzilla/>
References: <bug-148807-2472@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2016 04:51:25 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D148807

--- Comment #31 from Hiren Panchasara <hiren@FreeBSD.org> ---
(In reply to Robert Watson from comment #29)

Robert,

Thanks for your response.

 On a slightly modified (nothing in driver space) stable/11, I am seeing
repeated panic in sbsndptr() with igb while box is pretty much idle or doing
very low traffic.

(kgdb) bt
#0  __curthread () at ./machine/pcpu.h:221
#1  doadump (textdump=3D-2121667464) at
/d2/hiren/freebsd/sys/kern/kern_shutdown.c:298
#2  0xffffffff80389f86 in db_fncall_generic (nargs=3D0, addr=3D<optimized o=
ut>,
rv=3D<optimized out>,=20
    args=3D<optimized out>) at /d2/hiren/freebsd/sys/ddb/db_command.c:568
#3  db_fncall (dummy1=3D<optimized out>, dummy2=3D<optimized out>,
dummy3=3D<optimized out>, dummy4=3D<optimized out>)
    at /d2/hiren/freebsd/sys/ddb/db_command.c:616
#4  0xffffffff80389a29 in db_command (last_cmdp=3D<optimized out>,
cmd_table=3D<optimized out>,=20
    dopager=3D<optimized out>) at /d2/hiren/freebsd/sys/ddb/db_command.c:440
#5  0xffffffff80389784 in db_command_loop () at
/d2/hiren/freebsd/sys/ddb/db_command.c:493
#6  0xffffffff8038c76b in db_trap (type=3D<optimized out>, code=3D<optimize=
d out>)
    at /d2/hiren/freebsd/sys/ddb/db_main.c:251
#7  0xffffffff809a6f33 in kdb_trap (type=3D<optimized out>, code=3D<optimiz=
ed out>,
tf=3D<optimized out>)
    at /d2/hiren/freebsd/sys/kern/subr_kdb.c:654
#8  0xffffffff80d93521 in trap_fatal (frame=3D0xfffffe1f2bb38210, eva=3D24)
    at /d2/hiren/freebsd/sys/amd64/amd64/trap.c:836
#9  0xffffffff80d93753 in trap_pfault (frame=3D0xfffffe1f2bb38210, usermode=
=3D0)
    at /d2/hiren/freebsd/sys/amd64/amd64/trap.c:691
#10 0xffffffff80d92cdc in trap (frame=3D0xfffffe1f2bb38210) at
/d2/hiren/freebsd/sys/amd64/amd64/trap.c:442
#11 <signal handler called>
#12 sbsndptr (sb=3D0xfffff8060f8a5518, off=3D0, len=3D4294967287,
moff=3D0xfffffe1f2bb38420)
    at /d2/hiren/freebsd/sys/kern/uipc_sockbuf.c:1191
#13 0xffffffff80ab9382 in tcp_output (tp=3D<optimized out>) at
/d2/hiren/freebsd/sys/netinet/tcp_output.c:1099
#14 0xffffffff80ab6105 in tcp_do_segment (m=3D<optimized out>, th=3D<optimi=
zed
out>, so=3D0xfffff8060f8a5360,=20
    tp=3D<optimized out>, drop_hdrlen=3D60, tlen=3D<optimized out>, iptos=
=3D<optimized
out>,=20
    ti_locked=3D<error reading variable: Cannot access memory at address 0x=
1>)
    at /d2/hiren/freebsd/sys/netinet/tcp_input.c:3182
#15 0xffffffff80ab2803 in tcp_input (mp=3D<optimized out>, offp=3D<optimize=
d out>,
proto=3D<optimized out>)
    at /d2/hiren/freebsd/sys/netinet/tcp_input.c:1444
#16 0xffffffff80aa6bc5 in ip_input (m=3D<error reading variable: Cannot acc=
ess
memory at address 0x0>)
    at /d2/hiren/freebsd/sys/netinet/ip_input.c:809
#17 0xffffffff80a82b35 in netisr_dispatch_src (proto=3D1, source=3D<optimiz=
ed out>,
m=3D0x0)
    at /d2/hiren/freebsd/sys/net/netisr.c:1120
#18 0xffffffff80a6c2ca in ether_demux (ifp=3D<optimized out>, m=3D0x0) at
/d2/hiren/freebsd/sys/net/if_ethersubr.c:850
#19 0xffffffff80a6cf22 in ether_input_internal (ifp=3D<optimized out>, m=3D=
0x0)
    at /d2/hiren/freebsd/sys/net/if_ethersubr.c:639
#20 ether_nh_input (m=3D<optimized out>) at
/d2/hiren/freebsd/sys/net/if_ethersubr.c:669
#21 0xffffffff80a82b35 in netisr_dispatch_src (proto=3D5, source=3D<optimiz=
ed out>,
m=3D0x0)
    at /d2/hiren/freebsd/sys/net/netisr.c:1120
#22 0xffffffff80a6c546 in ether_input (ifp=3D<optimized out>, m=3D0x0) at
/d2/hiren/freebsd/sys/net/if_ethersubr.c:759
#23 0xffffffff804e2b3c in igb_rx_input (rxr=3D<optimized out>,
ifp=3D0xfffff80115614800, m=3D0xfffff8014eee7600,=20
    ptype=3D<optimized out>) at /d2/hiren/freebsd/sys/dev/e1000/if_igb.c:49=
57
#24 igb_rxeof (que=3D<optimized out>, count=3D358700136, done=3D<optimized =
out>)
    at /d2/hiren/freebsd/sys/dev/e1000/if_igb.c:5185
#25 0xffffffff804e1daf in igb_msix_que (arg=3D<optimized out>) at
/d2/hiren/freebsd/sys/dev/e1000/if_igb.c:1612
#26 0xffffffff8091425f in intr_event_execute_handlers (p=3D<optimized out>,
ie=3D<optimized out>)
    at /d2/hiren/freebsd/sys/kern/kern_intr.c:1262
#27 0xffffffff80914876 in ithread_execute_handlers (ie=3D<optimized out>,
p=3D<optimized out>)
    at /d2/hiren/freebsd/sys/kern/kern_intr.c:1275
#28 ithread_loop (arg=3D<optimized out>) at
/d2/hiren/freebsd/sys/kern/kern_intr.c:1356
#29 0xffffffff80910ea5 in fork_exit (callout=3D0xffffffff809147b0 <ithread_=
loop>,
arg=3D0xfffff8011561a0e0,=20
    frame=3D0xfffffe1f2bb38ac0) at /d2/hiren/freebsd/sys/kern/kern_fork.c:1=
040
#30 <signal handler called>

----------------------------------------------------------------

Most interesting frames are these 2:

#22 0xffffffff80a6c546 in ether_input (ifp=3D<optimized out>, m=3D0x0) at
/d2/hiren/freebsd/sys/net/if_ethersubr.c:759
#23 0xffffffff804e2b3c in igb_rx_input (rxr=3D<optimized out>,
ifp=3D0xfffff80115614800, m=3D0xfffff8014eee7600,=20
    ptype=3D<optimized out>) at /d2/hiren/freebsd/sys/dev/e1000/if_igb.c:49=
57

#23 has an mbuf while #22 has it null.

Does this point to your hunch of
"device-driver bugs involving modifications to the mbuf chain after submitt=
ing
the mbuf to the network stack (e.g., due to concurrency bugs in the device
driver)" ?

OR something else is going on?

--=20
You are receiving this mail because:
You are the assignee for the bug.=