Date:      Tue, 11 Jul 2000 17:34:30 +0200
From:      Udo Erdelhoff <ue@nathan.ruhr.de>
To:        freebsd-current@freebsd.org
Subject:   ppp-related panic in sbdrop()
Message-ID:  <20000711173429.A247@nathan.ruhr.de>

Hi,
I've finally managed to capture a crashdump after a panic in sbdrop(). The
machine in question uses ppp/ipfw/natd to connect a small LAN to the
outside world via a DSL link. ppp started to misbehave: NS queries were
sent out but didn't come back (I had tcpdumps running on both tun0 and
ed1). I tried to terminate ppp by sending a SIGTERM. ppp (pid 78) was
still around after a minute, so I sent a SIGTERM. The machine crashed
immediately.

The machine runs a world as of 7/7; I've only added the latest type fix to
ppp/bundle.c (rev 1.99).

The point of doom:

bash# gdb -k /sys/compile/UE/kernel.debug /var/crash/vmcore.0 
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD 3952640
initial pcb at 325320
panicstr: sbdrop
panic messages:
---
panic: sbdrop

syncing disks... 
done
Uptime: 1h4m5s

dumping to dev #da/0x20001, offset 190228
dump 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 
---
#0  boot (howto=256) at ../../kern/kern_shutdown.c:303
303			dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0  boot (howto=256) at ../../kern/kern_shutdown.c:303
#1  0xc01717f4 in poweroff_wait (junk=0xc02b3a26, howto=-946356848)
    at ../../kern/kern_shutdown.c:553
#2  0xc01931c8 in sbdrop (sb=0xc797bd90, len=158)
    at ../../kern/uipc_socket2.c:793
#3  0xc0193058 in sbflush (sb=0xc797bd90) at ../../kern/uipc_socket2.c:772
#4  0xc0192b11 in sbrelease (sb=0xc797bd90, so=0xc6d59b40)
    at ../../kern/uipc_socket2.c:455
#5  0xc0191443 in sorflush (so=0xc6d59b40) at ../../kern/uipc_socket.c:988
#6  0xc01900ad in sofree (so=0xc6d59b40) at ../../kern/uipc_socket.c:262
#7  0xc01901de in soclose (so=0xc6d59b40) at ../../kern/uipc_socket.c:327
#8  0xc018553a in soo_close (fp=0xc0f8fe40, p=0xc74b32a0)
    at ../../kern/sys_socket.c:193
#9  0xc0166165 in fdrop (fp=0xc0f8fe40, p=0xc74b32a0) at ../../sys/file.h:212
#10 0xc01660ab in closef (fp=0xc0f8fe40, p=0xc74b32a0)
    at ../../kern/kern_descrip.c:1079
#11 0xc0165dfc in fdfree (p=0xc74b32a0) at ../../kern/kern_descrip.c:945
#12 0xc016854d in exit1 (p=0xc74b32a0, rv=9) at ../../kern/kern_exit.c:186
#13 0xc01732d2 in sigexit (p=0xc74b32a0, sig=9) at ../../kern/kern_sig.c:1499
#14 0xc017304c in postsig (sig=9) at ../../kern/kern_sig.c:1402
#15 0xc028e6f0 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, 
      tf_edi = -1077940036, tf_esi = 134920284, tf_ebp = -1077940004, 
      tf_isp = -946356268, tf_ebx = 672838652, tf_edx = 134909952, 
      tf_ecx = 2048, tf_eax = 29, tf_trapno = 7, tf_err = 2, 
      tf_eip = 673074366, tf_cs = 31, tf_eflags = 647, tf_esp = -1077940096, 
      tf_ss = 47}) at ../../i386/i386/trap.c:164
#16 0xc02838f5 in Xint0x80_syscall ()
#17 0x80781c6 in ?? ()
#18 0x806eaa9 in ?? ()
#19 0x806e1fb in ?? ()
#20 0x8078778 in ?? ()
#21 0x805996f in ?? ()
#22 0x804ccd8 in ?? ()
#23 0x806a776 in ?? ()
#24 0x806a35f in ?? ()
#25 0x804b0a1 in ?? ()
(kgdb) frame 2
#2  0xc01931c8 in sbdrop (sb=0xc797bd90, len=158)
    at ../../kern/uipc_socket2.c:793
793					panic("sbdrop");
(kgdb) print sb
$1 = (struct sockbuf *) 0xc797bd90
(kgdb) print *sb
$2 = {sb_cc = 158, sb_hiwat = 20480, sb_mbcnt = 512, sb_mbmax = 163840, 
  sb_lowat = 1, sb_mb = 0x0, sb_sel = {si_pid = 0, si_note = {
      slh_first = 0x0}, si_flags = 0}, sb_flags = 64, sb_timeo = 0}
(kgdb) print len
$3 = 158
(kgdb) print m
$4 = (struct mbuf *) 0xc02b3a26
(kgdb) print *m
$5 = {m_hdr = {mh_next = 0x72646273, mh_nextpkt = 0x4e00706f, 
    mh_data = 0x63706900 <Address 0x63706900 out of bounds>, 
    mh_len = -1377828864, mh_type = -16336, mh_flags = 73}, M_dat = {MH = {
      MH_pkthdr = {rcvif = 0x6d6d7564, len = -1373634439, 
        header = 0x616dc030 <Address 0x616dc030 out of bounds>, 
        csum_flags = 1668248440, csum_data = 1718968939, aux = 0xae600000}, 
      MH_dat = {MH_ext = {
          ext_buf = 0x616dc030 <Address 0x616dc030 out of bounds>, 
          ext_free = 0x636f7378, ext_size = 1937007979, ext_ref = 0xaea00000}, 
        MH_databuf = "0Àmaxsockets\000\000 ®0Àsockbuf_waste_factor\000\000\000\000à®0Àkern.ipc.maxsockets\000\004¯0À\000\000\000\000\000\000\000\000\024¯0Àaccept\000connec\000sfbufa\000\000\000\000\000\000\000\000sf_buf_ref: referencing a free sf_buf", '\000' <repeats 27 times>, "sf_buf_free: freeing free sf_buf\000sfpbs"}}, 
    M_databuf = "dummy\000 ®0Àmaxsockbuf\000\000`®0Àmaxsockets\000\000 ®0Àsockbuf_waste_factor\000\000\000\000à®0Àkern.ipc.maxsockets\000\004¯0À\000\000\000\000\000\000\000\000\024¯0Àaccept\000connec\000sfbufa\000\000\000\000\000\000\000\000sf_buf_ref: referencing a free sf_buf", '\000' <repeats 27 times>, "sf_buf_free: freein"...}}
(kgdb) print mn
$6 = (struct mbuf *) 0xc02b3a26
(kgdb) print *mn
$7 = {m_hdr = {mh_next = 0x72646273, mh_nextpkt = 0x4e00706f, 
    mh_data = 0x63706900 <Address 0x63706900 out of bounds>, 
    mh_len = -1377828864, mh_type = -16336, mh_flags = 73}, M_dat = {MH = {
      MH_pkthdr = {rcvif = 0x6d6d7564, len = -1373634439, 
        header = 0x616dc030 <Address 0x616dc030 out of bounds>, 
        csum_flags = 1668248440, csum_data = 1718968939, aux = 0xae600000}, 
      MH_dat = {MH_ext = {
          ext_buf = 0x616dc030 <Address 0x616dc030 out of bounds>, 
          ext_free = 0x636f7378, ext_size = 1937007979, ext_ref = 0xaea00000}, 
        MH_databuf = "0Àmaxsockets\000\000 ®0Àsockbuf_waste_factor\000\000\000\000à®0Àkern.ipc.maxsockets\000\004¯0À\000\000\000\000\000\000\000\000\024¯0Àaccept\000connec\000sfbufa\000\000\000\000\000\000\000\000sf_buf_ref: referencing a free sf_buf", '\000' <repeats 27 times>, "sf_buf_free: freeing free sf_buf\000sfpbs"}}, 
    M_databuf = "dummy\000 ®0Àmaxsockbuf\000\000`®0Àmaxsockets\000\000 ®0Àsockbuf_waste_factor\000\000\000\000à®0Àkern.ipc.maxsockets\000\004¯0À\000\000\000\000\000\000\000\000\024¯0Àaccept\000connec\000sfbufa\000\000\000\000\000\000\000\000sf_buf_ref: referencing a free sf_buf", '\000' <repeats 27 times>, "sf_buf_free: freein"...}}
(kgdb) print next
$8 = (struct mbuf *) 0x0

The "address out of bounds" messages look strange.

I'll try to reproduce the bug after updating kernel, sources and world.
I have stored the kernel, modules (built with the kernel, only ng_ether used)
and the dump on tape, so I should be able to produce additional details if
needed.

/s/Udo
PS: One strange thing about dumping: savecore never found a dump during
"normal" startup. After this crash, I booted single-user, fsck'ed and
mount'ed my filesystems, set the dump device, called savecore and voila,
one crashdump stored in /var/crash. The machine has 64 MBytes of RAM
and 156 MByte swap (da0s1b).

-- 
Getting a SCSI chain working is perfectly simple if you remember that there
must be exactly three terminations: one on one end of the cable, one on the
far end, and the goat, terminated over the SCSI chain with a silver-handled
knife whilst burning *black* candles.


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000711173429.A247>
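Editor's note on the dump above: sbdrop(sb, 158) was entered on a sockbuf whose sb_cc is 158 but whose sb_mb is NULL, and `next` is also NULL, so the drop loop runs out of mbufs with bytes still to be dropped. That is exactly the condition behind panic("sbdrop") at uipc_socket2.c:793; the byte count and the mbuf chain have gone out of step. The `m` and `mn` values gdb shows (0xc02b3a26) are the same pointer as the `junk` argument in frame #1, and their first bytes decode to the ASCII text "sbdrop", so gdb is printing a clobbered register rather than the live mbuf, which is why the struct contents are garbage and the "Address ... out of bounds" messages appear. The following is an added example, not code from the original post or from the FreeBSD kernel: a small userland model of the sockbuf accounting that sbdrop() depends on. Field names mirror the ones in the crashdump (sb_cc, sb_mb, m_len, m_next), but the structures, `sbdrop_model()`, `sb_consistent()` and the sample data are simplifications assumed for this illustration, and the model returns an error code where the kernel would panic.

```c
/*
 * Added example (editor's illustration, not the original post's or the
 * FreeBSD kernel's code): a userland model of socket-buffer accounting.
 * Field names follow the crashdump; the structs and functions are
 * simplified assumptions of this example.
 */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mbuf {
    struct mbuf *m_next;    /* next mbuf in the same record */
    int          m_len;     /* bytes of valid data in this mbuf */
    char        *m_data;    /* start of valid data */
    char         m_buf[128];
};

struct sockbuf {
    unsigned long sb_cc;    /* bytes queued; must equal the sum of m_len */
    struct mbuf  *sb_mb;    /* head of the mbuf chain */
};

enum { SB_OK = 0, SB_WOULD_PANIC = -1 };

/* Allocate an mbuf holding a copy of len bytes of src (constructed sample data). */
static struct mbuf *m_get_data(const char *src, int len)
{
    struct mbuf *m = calloc(1, sizeof *m);
    assert(m != NULL && len <= (int)sizeof m->m_buf);
    memcpy(m->m_buf, src, len);
    m->m_data = m->m_buf;
    m->m_len = len;
    return m;
}

/* Append an mbuf and account for its bytes (the role of sballoc() in the kernel). */
static void sb_append(struct sockbuf *sb, struct mbuf *m)
{
    struct mbuf **pp = &sb->sb_mb;
    while (*pp)
        pp = &(*pp)->m_next;
    *pp = m;
    sb->sb_cc += m->m_len;
}

/* Audit: sb_cc must match the chain. The dump violates this (158 bytes, no chain). */
int sb_consistent(const struct sockbuf *sb)
{
    unsigned long sum = 0;
    for (const struct mbuf *m = sb->sb_mb; m; m = m->m_next)
        sum += m->m_len;
    return sum == sb->sb_cc;
}

/*
 * Drop len bytes from the front of sb. Shaped like the kernel loop: running
 * out of mbufs while len > 0 is the condition reported as panic("sbdrop");
 * here it is returned as SB_WOULD_PANIC so a caller can observe it.
 */
int sbdrop_model(struct sockbuf *sb, int len)
{
    struct mbuf *m = sb->sb_mb;
    while (len > 0) {
        if (m == NULL)
            return SB_WOULD_PANIC;  /* chain exhausted, bytes still owed */
        if (m->m_len > len) {
            m->m_len  -= len;       /* partial: trim the head of this mbuf */
            m->m_data += len;
            sb->sb_cc -= len;
            break;
        }
        len -= m->m_len;            /* whole mbuf consumed: free it */
        sb->sb_cc -= m->m_len;
        struct mbuf *next = m->m_next;
        free(m);
        m = next;
    }
    sb->sb_mb = m;
    return SB_OK;
}

/* Scenario 1: a consistent 158-byte buffer (100 + 58) loses 120 bytes. */
int demo_consistent_drop(void)
{
    struct sockbuf sb = { 0, NULL };
    char a[100], b[58];
    memset(a, 'A', sizeof a);
    memset(b, 'B', sizeof b);
    sb_append(&sb, m_get_data(a, sizeof a));
    sb_append(&sb, m_get_data(b, sizeof b));
    if (!sb_consistent(&sb) || sbdrop_model(&sb, 120) != SB_OK)
        return -1;
    /* 38 bytes of the second mbuf remain and sb_cc still agrees with the chain */
    int ok = sb.sb_cc == 38 && sb.sb_mb != NULL && sb.sb_mb->m_len == 38 &&
             sb.sb_mb->m_data[0] == 'B' && sb_consistent(&sb);
    free(sb.sb_mb);
    return ok ? 0 : -1;
}

/* Scenario 2: the state in the crashdump, sb_cc = 158 with sb_mb = NULL. */
int demo_dump_state(void)
{
    struct sockbuf sb = { 158, NULL };
    if (sb_consistent(&sb))
        return -2;                  /* the audit must flag this state */
    return sbdrop_model(&sb, 158);  /* SB_WOULD_PANIC, as in the dump */
}

int main(void)
{
    printf("consistent drop: %s\n", demo_consistent_drop() == 0 ? "ok" : "FAILED");
    printf("dump state: %s\n",
           demo_dump_state() == SB_WOULD_PANIC ? "would panic (sbdrop)" : "unexpected");
    return 0;
}
```

The second scenario is the useful one when reading a dump like this: an `sb_consistent()`-style audit run at the point where bytes are queued or freed (the kernel's own equivalent lives under its socket-buffer debugging option) catches the accounting mismatch where it is introduced, rather than at the much later soclose() that finally calls sbflush() and sbdrop().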