Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 19 Jul 2005 22:03:02 -0400
From:      Edwin <edwin@verolan.com>
To:        freebsd-hackers@freebsd.org
Cc:        edwin@verolan.com
Subject:   Re: help w/panic under heavy load - 5.4
Message-ID:  <20050720020302.GA24474@asx01.verolan.com>
In-Reply-To: <200507191120.37526.jhb@FreeBSD.org>
References:  <20050719034215.GB20752@asx01.verolan.com> <200507191120.37526.jhb@FreeBSD.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Hi John,

Updated the kernel, same crash under load, looks like m is null, you're right.

Not quite sure where to go from here. I'm happy to do the footwork - just still real
hazy on the BSD kernel part of things.

Thanks for the help!

/Edwin


Results from KDB/DDB/INVARIANTS/INVARIANT_SUPPORT - same crash (ddb and kdb output)


panic: m_copym, offset > size of mbuf chain
KDB: enter: panic
[thread pid 27 tid 100021 ]
Stopped at      kdb_enter+0x2b: nop     
db> where
Tracing pid 27 tid 100021 td 0xc0ed0180
kdb_enter(c0821a6a) at kdb_enter+0x2b
panic(c0826049,0,c076b79c,c102d600,100) at panic+0xbb
m_copym(0,5dc,5c8,1,14) at m_copym+0x60
ip_fragment(c123180e,c76d1c38,5dc,0,1) at ip_fragment+0x214
ip_fastforward(c11fee00) at ip_fastforward+0x6ed
ether_demux(c0f90000,c11fee00,52,c0f8aad0,1f) at ether_demux+0x259
ether_input(c0f90000,c11fee00,c0f902d0,0,c08336ab) at ether_input+0x25d
sis_rxeof(c0f90000,1,5,c08e5500,c76d1ce0) at sis_rxeof+0x1ab
sis_poll(c0f90000,0,5) at sis_poll+0x7f
netisr_poll(0) at netisr_poll+0x188
swi_net(0) at swi_net+0x81
ithread_loop(c0ec6580,c76d1d48,c0ec6580,c060030c,0) at ithread_loop+0x124
fork_exit(c060030c,c0ec6580,c76d1d48) at fork_exit+0xa4
fork_trampoline() at fork_trampoline+0x8
--- trap 0x1, eip = 0, esp = 0xc76d1d7c, ebp = 0 ---
db> call doadump
Dumping 128 MB
 16 32 48 64 80 96 112
Dump complete
0xf
db> reset






mbsd05# kgdb kernel.debug /tmp/crash/vmcore.1 
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
#0  doadump () at pcpu.h:159
159             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) where
#0  doadump () at pcpu.h:159
#1  0xc04611f6 in db_fncall (dummy1=0, dummy2=0, dummy3=43, dummy4=0xc76d19c0 "�\031m�")
    at /usr/src/sys/ddb/db_command.c:531
#2  0xc0461004 in db_command (last_cmdp=0xc08c9264, cmd_table=0x0, 
    aux_cmd_tablep=0xc08483b8, aux_cmd_tablep_end=0xc08483d4)
    at /usr/src/sys/ddb/db_command.c:349
#3  0xc04610cc in db_command_loop () at /usr/src/sys/ddb/db_command.c:455
#4  0xc0462c51 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:221
#5  0xc0627af2 in kdb_trap (type=3, code=0, tf=0xc76d1afc)
    at /usr/src/sys/kern/subr_kdb.c:468
#6  0xc07b6394 in trap (frame=
      {tf_fs = -949157864, tf_es = -1067319280, tf_ds = -1065222128, tf_edi = 1, tf_esi = -
1065197495, tf_ebp = -949150916, tf_isp = -949150936, tf_ebx = -949150872, tf_edx = 0, tf_e
cx = -1060921344, tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1067288461, tf_cs = -1065222136, tf_eflags = 646, tf_esp = -949150884, tf_ss = -1067376657})
    at /usr/src/sys/i386/i386/trap.c:584
#7  0xc07a69ca in calltrap () at /usr/src/sys/i386/i386/exception.s:140
#8  0xc76d0018 in ?? ()
#9  0xc0620010 in schedcpu () at /usr/src/sys/kern/sched_4bsd.c:461
#10 0xc0611fef in panic (fmt=0xc0820008 "default")
    at /usr/src/sys/kern/kern_shutdown.c:550
#11 0xc0641a2c in m_copym (m=0x0, off0=1500, len=1480, wait=1)
    at /usr/src/sys/kern/uipc_mbuf.c:385
#12 0xc069b694 in ip_fragment (ip=0xc123180e, m_frag=0xc76d1c38, mtu=-1056778752, 
    if_hwassist_flags=0, sw_csum=1) at /usr/src/sys/netinet/ip_output.c:967
#13 0xc06933c1 in ip_fastforward (m=0xc11fee00) at /usr/src/sys/netinet/ip_fastfwd.c:572
#14 0xc0672a59 in ether_demux (ifp=0xc0f90000, m=0xc11fee00)
    at /usr/src/sys/net/if_ethersubr.c:770
#15 0xc06727f5 in ether_input (ifp=0xc0f90000, m=0xc11fee00)
    at /usr/src/sys/net/if_ethersubr.c:631
#16 0xc0713507 in sis_rxeof (sc=0xc0f90000) at /usr/src/sys/pci/if_sis.c:1636
#17 0xc07137cf in sis_poll (ifp=0xc0f90000, cmd=POLL_ONLY, count=0)
    at /usr/src/sys/pci/if_sis.c:1769
#18 0xc05f8280 in netisr_poll () at /usr/src/sys/kern/kern_poll.c:384
#19 0xc0679985 in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:338
#20 0xc0600430 in ithread_loop (arg=0xc0ec6580) at /usr/src/sys/kern/kern_intr.c:547
#21 0xc05ff8a4 in fork_exit (callout=0xc060030c <ithread_loop>, arg=0xc0ec6580, 
    frame=0xc76d1d48) at /usr/src/sys/kern/kern_fork.c:791
#22 0xc07a6a2c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:209
(kgdb) f 12
#12 0xc069b694 in ip_fragment (ip=0xc123180e, m_frag=0xc76d1c38, mtu=-1056778752, 
    if_hwassist_flags=0, sw_csum=1) at /usr/src/sys/netinet/ip_output.c:967
967                     m->m_next = m_copy(m0, off, len);
(kgdb) f 11
#11 0xc0641a2c in m_copym (m=0x0, off0=1500, len=1480, wait=1)
    at /usr/src/sys/kern/uipc_mbuf.c:385
385                     KASSERT(m != NULL, ("m_copym, offset > size of mbuf chain"));
(kgdb) l
380             KASSERT(len >= 0, ("m_copym, negative len %d", len));
381             MBUF_CHECKSLEEP(wait);
382             if (off == 0 && m->m_flags & M_PKTHDR)
383                     copyhdr = 1;
384             while (off > 0) {
385                     KASSERT(m != NULL, ("m_copym, offset > size of mbuf chain"));
386                     if (off < m->m_len)
387                             break;
388                     off -= m->m_len;
389                     m = m->m_next;
(kgdb) i loc
n = (struct mbuf *) 0xc102d600
np = (struct mbuf **) 0xc102d654
off = 1432
top = (struct mbuf *) 0x1
copyhdr = 0
(kgdb) p m
$14 = (struct mbuf *) 0x0
(kgdb) 
(kgdb) f 12
#12 0xc069b694 in ip_fragment (ip=0xc123180e, m_frag=0xc76d1c38, mtu=-1056778752, 
    if_hwassist_flags=0, sw_csum=1) at /usr/src/sys/netinet/ip_output.c:967
967                     m->m_next = m_copy(m0, off, len);
(kgdb) l
962                             len = ip->ip_len - off;
963                             m->m_flags |= M_LASTFRAG;
964                     } else
965                             mhip->ip_off |= IP_MF;
966                     mhip->ip_len = htons((u_short)(len + mhlen));
967                     m->m_next = m_copy(m0, off, len);
968                     if (m->m_next == NULL) {        /* copy failed */
969                             m_free(m);
970                             error = ENOBUFS;        /* ??? */
971                             ipstat.ips_odropped++;
(kgdb) i loc
mhip = (struct ip *) 0xc102d640
m = (struct mbuf *) 0xc102d600
mhlen = 20
error = 0
hlen = 20
len = 1480
off = 1500
m0 = (struct mbuf *) 0xc11fee00
firstlen = 1480
mnext = (struct mbuf **) 0xc11fee04
nfrags = 1
(kgdb) p *m0
$13 = {m_hdr = {mh_next = 0x0, mh_nextpkt = 0x0, mh_data = 0xc123180e "E", mh_len = 68, 
    mh_flags = 3, mh_type = 1}, M_dat = {MH = {MH_pkthdr = {rcvif = 0xc0f90000, len = 68, 
        header = 0x0, csum_flags = 769, csum_data = 0, tags = {slh_first = 0x0}}, 
      MH_dat = {MH_ext = {ext_buf = 0xc1231800 "", ext_free = 0, ext_args = 0x0, 
          ext_size = 2048, ref_cnt = 0x0, ext_type = 3}, 
        MH_databuf = "\000\030#�\000\000\000\000\000\000\000\000\000\b\000\000\000\000\00
0\                                                                                        \000\003", '\0' <repeats 186 times>}}, 
    M_databuf = "\000\000��D\000\000\000\000\000\000\000\001\003", '\0' <repeats 11 tim
es>,                                                                                      , "\030#�\000\000\000\000\000\000\000\000\000\b\000\000\000\000\000\000\003", '\0' <repeat
s                                                                                          186 times>}}
(kgdb) 

John Baldwin (jhb@FreeBSD.org) wrote:
> On Monday 18 July 2005 11:42 pm, Edwin wrote:
> > Hi,
> >
> > I have a recurring (re-producible) panic on the 5.3/5.4 kernels and I would
> > like to ask for some help in tracking it down. :) - it could be some
> > misconfig on my part - but i have tried several different configs of the
> > kernel - ultimately w/ polling on/off, ipfw on/off, ipfastforwarding on/off
> > - although with ipff off - the box still crashes but in a different
> > location - it will even crash w/ GENERIC kernel under heavy load.
> >
> > I'm not quite sure where to look past the below (ie. what variables/etc to
> > present to the list).
> 
> Try turning INVARIANTS and INVARIANT_SUPPORT on in your kernel and see if you 
> can reproduce this.  Also, try to get a traceback in ddb if possible as 
> sometimes ddb gives more reliable stack traces.  It looks like your m is 
> NULL, in which case the KASSERT() on the previous line should fire if 
> INVARIANTS is on.
> 
> -- 
> John Baldwin <jhb@FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
> "Power Users Use the Power to Serve"  =  http://www.FreeBSD.org



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050720020302.GA24474>