Date: Tue, 4 Apr 2006 00:38:33 +0200 (CEST) From: Marcin Gryszkalis <mg@fork.pl> To: FreeBSD-gnats-submit@FreeBSD.org Cc: mg@math.ui.lodz.pl Subject: kern/95288: panic in sys/kern/tty_subr.c putc() Message-ID: <20060403223833.1933E37583D@imul.math.uni.lodz.pl> Resent-Message-ID: <200604032240.k33MeD6b059336@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 95288 >Category: kern >Synopsis: panic in sys/kern/tty_subr.c putc() >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Apr 03 22:40:13 GMT 2006 >Closed-Date: >Last-Modified: >Originator: Marcin Gryszkalis >Release: FreeBSD 6.1-PRERELEASE i386 >Organization: >Environment: System: FreeBSD imul.math.uni.lodz.pl 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #9: Fri Mar 24 09:41:54 CET 2006 root@imul.math.uni.lodz.pl:/usr/obj/usr/src/sys/imul i386 >Description: I got panic during ppp connection, the backtrace is: #0 doadump () at pcpu.h:165 #1 0xc04ff027 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402 #2 0xc04ff369 in panic (fmt=0xc06b308b "%s") at /usr/src/sys/kern/kern_shutdown.c:558 #3 0xc06899bc in trap_fatal (frame=0xd43bda80, eva=0) at /usr/src/sys/i386/i386/trap.c:836 #4 0xc0689692 in trap_pfault (frame=0xd43bda80, usermode=0, eva=6) at /usr/src/sys/i386/i386/trap.c:744 #5 0xc068924f in trap (frame= {tf_fs = -1017249784, tf_es = 40, tf_ds = 4915240, tf_edi = 209, tf_esi = -1019750344, tf_ebp = -734274864, tf_isp = -734274900, tf_ebx = 0, tf_edx = 2, tf_ecx = 5, tf_eax = -33, tf_trapno = 12, tf_err = 2, tf_eip = -1068239194, tf_cs = 32, tf_eflags = 590343, tf_esp = 0, tf_ss = -734274812}) at /usr/src/sys/i386/i386/trap.c:434 #6 0xc067622a in calltrap () at /usr/src/sys/i386/i386/exception.s:139 #7 0xc053f6a6 in putc (chr=209, clistp=0xc337d838) at /usr/src/sys/kern/tty_subr.c:416 #8 0xc05924cd in pppasyncstart (sc=0xc39c7400) at /usr/src/sys/net/ppp_tty.c:649 #9 0xc058c64d in pppoutput (ifp=0xc33d2800, m0=0xc35b4a00, dst=0xd43bdb88, rtp=0xc3563528) at /usr/src/sys/net/if_ppp.c:961 #10 0xc05b0907 in ip_output (m=0xc35b4a00, opt=0xc33d2800, ro=0xd43bdb84, flags=1, imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:777 #11 0xc05afc00 in ip_forward (m=0xc35b4a00, srcrt=0) at /usr/src/sys/netinet/ip_input.c:1907 #12 0xc05ae32c in ip_input (m=0xc35b4a00) at /usr/src/sys/netinet/ip_input.c:689 #13 0xc05917c9 in netisr_processqueue (ni=0xc0717ad8) at /usr/src/sys/net/netisr.c:236 #14 0xc0591a2f in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:349 #15 0xc04e4918 in ithread_execute_handlers (p=0xc32a7830, ie=0xc32e5280) at /usr/src/sys/kern/kern_intr.c:673 #16 0xc04e4a86 in ithread_loop (arg=0xc3291720) at /usr/src/sys/kern/kern_intr.c:756 #17 0xc04e346f in fork_exit (callout=0xc04e4a10 <ithread_loop>, arg=0xffffffdf, frame=0xffffffdf) at /usr/src/sys/kern/kern_fork.c:805 #18 0xc067628c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208 The problem seems to be here: (kgdb) frame 7 #7 0xc053f6a6 in putc (chr=209, clistp=0xc337d838) at /usr/src/sys/kern/tty_subr.c:416 416 clrbit(cblockp->c_quote, clistp->c_cl - (char *)cblockp->c_info); (kgdb) p cblockp $1 = (struct cblock *) 0x0 Additional info (kgdb) p chr $2 = 209 (kgdb) p *clistp $6 = {c_cc = 41, c_cbcount = 0, c_cbmax = 19, c_cbreserved = 19, c_cf = 0x0, c_cl = 0x29 <Address 0x29 out of bounds>} (kgdb) frame 8 #8 0xc05924cd in pppasyncstart (sc=0xc39c7400) at /usr/src/sys/net/ppp_tty.c:649 649 if (putc(*q, &tp->t_outq)) { (kgdb) p *tp $10 = {t_rawq = {c_cc = 0, c_cbcount = 0, c_cbmax = 0, c_cbreserved = 0, c_cf = 0x0, c_cl = 0x0}, t_rawcc = 6812, t_canq = {c_cc = 0, c_cbcount = 0, c_cbmax = 1, c_cbreserved = 1, c_cf = 0x0, c_cl = 0x0}, t_cancc = 14, t_outq = {c_cc = 41, c_cbcount = 0, c_cbmax = 19, c_cbreserved = 19, c_cf = 0x0, c_cl = 0x29 <Address 0x29 out of bounds>}, t_outcc = 2394, t_line = 5, t_dev = 0xc3897500, t_mdev = 0xc3922100, t_devunit = 2, t_state = 131112, t_flags = 0, t_timeout = 300000, t_pgrp = 0xc5935600, t_session = 0xc3a33880, t_sigio = 0x0, t_rsel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0xc51e2330}, si_thread = 0xc51e2300, si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0xc04dc960 <knlist_mtx_lock>, kl_unlock = 0xc04dc9c0 <knlist_mtx_unlock>, kl_locked = 0xc04dca20 <knlist_mtx_locked>, kl_lockarg = 0xc337d9ec}, si_flags = 0}, t_wsel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0xc04dc960 <knlist_mtx_lock>, kl_unlock = 0xc04dc9c0 <knlist_mtx_unlock>, kl_locked = 0xc04dca20 <knlist_mtx_locked>, kl_lockarg = 0xc337d9ec}, si_flags = 0}, t_termios = {c_iflag = 5, c_oflag = 0, c_cflag = 215808, c_lflag = 0, c_cc = "\004\000ÿ\177\027\025\022\b\003\034\032\031\021\023\026\017\001\000\024ÿ", c_ispeed = 57600, c_ospeed = 57600}, t_init_in = {c_iflag = 11010, c_oflag = 3, c_cflag = 19200, c_lflag = 1408, c_cc = "\004ÿÿ\177\027\025\022\b\003\034\032\031\021\023\026\017\001\000\024ÿ", c_ispeed = 9600, c_ospeed = 9600}, t_init_out = {c_iflag = 11010, c_oflag = 3, c_cflag = 19200, c_lflag = 1408, c_cc = "\004ÿÿ\177\027\025\022\b\003\034\032\031\021\023\026\017\001\000\024ÿ", c_ispeed = 9600, c_ospeed = 9600}, t_lock_in = {c_iflag = 0, c_oflag = 0, c_cflag = 0, c_lflag = 0, c_cc = '\0' <repeats 19 times>, c_ispeed = 0, c_ospeed = 0}, t_lock_out = {c_iflag = 0, c_oflag = 0, c_cflag = 0, c_lflag = 0, c_cc = '\0' <repeats 19 times>, c_ispeed = 0, c_ospeed = 0}, t_winsize = {ws_row = 0, ws_col = 0, ws_xpixel = 0, ws_ypixel = 0}, t_sc = 0xc37e0800, t_lsc = 0xc39c7400, t_column = 39, t_rocount = 0, t_rocol = 0, t_ififosize = 512, t_ihiwat = 7680, t_ilowat = 6720, t_ispeedwat = 0, t_ohiwat = 2052, t_olowat = 256, t_ospeedwat = 0, t_gen = 29, t_list = {tqe_next = 0xc3392400, tqe_prev = 0xc33b5ddc}, t_actout = 1, t_wopeners = 0, t_mtx = {mtx_object = {lo_class = 0xc06edda4, lo_name = 0xc06bf0b1 "tty", lo_type = 0xc06bf0b1 "tty", lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4, mtx_recurse = 0}, t_refcnt = 3, t_hotchar = 126, t_dtr_wait = 3000, t_do_timestamp = 0, t_timestamp = {tv_sec = 0, tv_usec = 0}, t_pps = 0x0, t_oproc = 0xc048f070 <ucomstart>, t_stop = 0xc048f360 <ucomstop>, t_param = 0xc048eed0 <ucomparam>, t_modem = 0xc048ebf0 <ucommodem>, t_break = 0xc048ecd0 <ucombreak>, t_ioctl = 0xc048eb60 <ucomioctl>, t_open = 0xc048e8a0 <ucomopen>, t_purge = 0, t_close = 0xc048eae0 <ucomclose>, t_cioctl = 0} >How-To-Repeat: Happened just once (~100 ppp connections established so far on this box), bug may be related to USB-serial driver (as you can see above this modem is connected via ucom). >Fix: >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060403223833.1933E37583D>