Date: Wed, 12 Jul 2000 14:50:45 +0100 From: Brian Somers <brian@Awfulhak.org> To: Udo Erdelhoff <ue@nathan.ruhr.de> Cc: freebsd-current@FreeBSD.org, brian@storm.FreeBSD.org.uk Subject: Re: ppp-related panic in sbdrop() Message-ID: <200007121350.OAA11795@hak.lan.Awfulhak.org> In-Reply-To: Message from Udo Erdelhoff <ue@nathan.ruhr.de> of "Tue, 11 Jul 2000 17:34:30 %2B0200." <20000711173429.A247@nathan.ruhr.de>
next in thread | previous in thread | raw e-mail | index | archive | help
I'd like to disclaim all responsibility :-I
I'd normally try to figure out what the problem is or ask for more =
info, but seen as ppp caused a kernel panic on me this morning on the =
train, and since then cvsup has caused a similar panic, htc panics =
and just about anything else interesting I do panics, I tend to =
suspect it's nothing to do with (user-land) ppp....
I'm trying to rebuild my machine by cvs update -D'ing to before the =
snapshot code commit at the moment....
> Hi,
> I've finally managed to capture a crashdump after a panic in sbdrop(). =
The
> machine in question uses ppp/ipfw/natd to connect a small LAN to the
> outside world via a DSL link. ppp started to misbehave: NS queries were=
> sent out but didn't come back (I had tcpdumps running on both tun0 and
> ed1). I tried to terminate ppp by sending a SIGTERM. ppp (pid 78) was
> still around after a minute, so I send a SIGTERM. The machine crashed
> immediately.
> =
> The machine world as of 7/7, I've only added the latest type fix to
> ppp/bundle.c (rev 1.99).
> =
> The point of doom:
> =
> bash# gdb -k /sys/compile/UE/kernel.debug /var/crash/vmcore.0 =
> GNU gdb 4.18
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and yo=
u are
> welcome to change it and/or distribute copies of it under certain condi=
tions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for deta=
ils.
> This GDB was configured as "i386-unknown-freebsd"...
> IdlePTD 3952640
> initial pcb at 325320
> panicstr: sbdrop
> panic messages:
> ---
> panic: sbdrop
> =
> syncing disks... =
> done
> Uptime: 1h4m5s
> =
> dumping to dev #da/0x20001, offset 190228
> dump 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 =
42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 1=
8 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 =
> ---
> #0 boot (howto=3D256) at ../../kern/kern_shutdown.c:303
> 303 dumppcb.pcb_cr3 =3D rcr3();
> (kgdb) wwhheerree
> #0 boot (howto=3D256) at ../../kern/kern_shutdown.c:303
> #1 0xc01717f4 in poweroff_wait (junk=3D0xc02b3a26, howto=3D-946356848)=
> at ../../kern/kern_shutdown.c:553
> #2 0xc01931c8 in sbdrop (sb=3D0xc797bd90, len=3D158)
> at ../../kern/uipc_socket2.c:793
> #3 0xc0193058 in sbflush (sb=3D0xc797bd90) at ../../kern/uipc_socket2.=
c:772
> #4 0xc0192b11 in sbrelease (sb=3D0xc797bd90, so=3D0xc6d59b40)
> at ../../kern/uipc_socket2.c:455
> #5 0xc0191443 in sorflush (so=3D0xc6d59b40) at ../../kern/uipc_socket.=
c:988
> #6 0xc01900ad in sofree (so=3D0xc6d59b40) at ../../kern/uipc_socket.c:=
262
> #7 0xc01901de in soclose (so=3D0xc6d59b40) at ../../kern/uipc_socket.c=
:327
> #8 0xc018553a in soo_close (fp=3D0xc0f8fe40, p=3D0xc74b32a0)
> at ../../kern/sys_socket.c:193
> #9 0xc0166165 in fdrop (fp=3D0xc0f8fe40, p=3D0xc74b32a0) at ../../sys/=
file.h:212
> #10 0xc01660ab in closef (fp=3D0xc0f8fe40, p=3D0xc74b32a0)
> at ../../kern/kern_descrip.c:1079
> #11 0xc0165dfc in fdfree (p=3D0xc74b32a0) at ../../kern/kern_descrip.c:=
945
> #12 0xc016854d in exit1 (p=3D0xc74b32a0, rv=3D9) at ../../kern/kern_exi=
t.c:186
> #13 0xc01732d2 in sigexit (p=3D0xc74b32a0, sig=3D9) at ../../kern/kern_=
sig.c:1499
> #14 0xc017304c in postsig (sig=3D9) at ../../kern/kern_sig.c:1402
> #15 0xc028e6f0 in syscall2 (frame=3D{tf_fs =3D 47, tf_es =3D 47, tf_ds =
=3D 47, =
> tf_edi =3D -1077940036, tf_esi =3D 134920284, tf_ebp =3D -1077940=
004, =
> tf_isp =3D -946356268, tf_ebx =3D 672838652, tf_edx =3D 134909952=
, =
> tf_ecx =3D 2048, tf_eax =3D 29, tf_trapno =3D 7, tf_err =3D 2, =
> tf_eip =3D 673074366, tf_cs =3D 31, tf_eflags =3D 647, tf_esp =3D=
-1077940096, =
> tf_ss =3D 47}) at ../../i386/i386/trap.c:164
> #16 0xc02838f5 in Xint0x80_syscall ()
> #17 0x80781c6 in ?? ()
> #18 0x806eaa9 in ?? ()
> #19 0x806e1fb in ?? ()
> #20 0x8078778 in ?? ()
> #21 0x805996f in ?? ()
> #22 0x804ccd8 in ?? ()
> #23 0x806a776 in ?? ()
> #24 0x806a35f in ?? ()
> #25 0x804b0a1 in ?? ()
> (kgdb) frame 2
> #2 0xc01931c8 in sbdrop (sb=3D0xc797bd90, len=3D158)
> at ../../kern/uipc_socket2.c:793
> 793 panic("sbdrop");
> (kgdb) print sb
> $1 =3D (struct sockbuf *) 0xc797bd90
> (kgdb) print *sb
> $2 =3D {sb_cc =3D 158, sb_hiwat =3D 20480, sb_mbcnt =3D 512, sb_mbmax =3D=
163840, =
> sb_lowat =3D 1, sb_mb =3D 0x0, sb_sel =3D {si_pid =3D 0, si_note =3D =
{
> slh_first =3D 0x0}, si_flags =3D 0}, sb_flags =3D 64, sb_timeo =3D=
0}
> (kgdb) print len
> $3 =3D 158
> (kgdb) print m
> $4 =3D (struct mbuf *) 0xc02b3a26
> (kgdb) print *m
> $5 =3D {m_hdr =3D {mh_next =3D 0x72646273, mh_nextpkt =3D 0x4e00706f, =
> mh_data =3D 0x63706900 <Address 0x63706900 out of bounds>, =
> mh_len =3D -1377828864, mh_type =3D -16336, mh_flags =3D 73}, M_dat=
=3D {MH =3D {
> MH_pkthdr =3D {rcvif =3D 0x6d6d7564, len =3D -1373634439, =
> header =3D 0x616dc030 <Address 0x616dc030 out of bounds>, =
> csum_flags =3D 1668248440, csum_data =3D 1718968939, aux =3D 0x=
ae600000}, =
> MH_dat =3D {MH_ext =3D {
> ext_buf =3D 0x616dc030 <Address 0x616dc030 out of bounds>, =
> ext_free =3D 0x636f7378, ext_size =3D 1937007979, ext_ref =3D=
0xaea00000}, =
> MH_databuf =3D "0=C0maxsockets\000\000=A0=AE0=C0sockbuf_waste_f=
actor\000\000\000\000=E0=AE0=C0kern.ipc.maxsockets\000\004=AF0=C0\000\000=
\000\000\000\000\000\000\024=AF0=C0accept\000connec\000sfbufa\000\000\000=
\000\000\000\000\000sf_buf_ref: referencing a free sf_buf", '\000' <repea=
ts 27 times>, "sf_buf_free: freeing free sf_buf\000sfpbs"}}, =
> M_databuf =3D "dummy\000 =AE0=C0maxsockbuf\000\000`=AE0=C0maxsocket=
s\000\000=A0=AE0=C0sockbuf_waste_factor\000\000\000\000=E0=AE0=C0kern.ipc=
=2Emaxsockets\000\004=AF0=C0\000\000\000\000\000\000\000\000\024=AF0=C0ac=
cept\000connec\000sfbufa\000\000\000\000\000\000\000\000sf_buf_ref: refer=
encing a free sf_buf", '\000' <repeats 27 times>, "sf_buf_free: freein"..=
=2E}}
> (kgdb) print mn
> $6 =3D (struct mbuf *) 0xc02b3a26
> (kgdb) print *mn
> $7 =3D {m_hdr =3D {mh_next =3D 0x72646273, mh_nextpkt =3D 0x4e00706f, =
> mh_data =3D 0x63706900 <Address 0x63706900 out of bounds>, =
> mh_len =3D -1377828864, mh_type =3D -16336, mh_flags =3D 73}, M_dat=
=3D {MH =3D {
> MH_pkthdr =3D {rcvif =3D 0x6d6d7564, len =3D -1373634439, =
> header =3D 0x616dc030 <Address 0x616dc030 out of bounds>, =
> csum_flags =3D 1668248440, csum_data =3D 1718968939, aux =3D 0x=
ae600000}, =
> MH_dat =3D {MH_ext =3D {
> ext_buf =3D 0x616dc030 <Address 0x616dc030 out of bounds>, =
> ext_free =3D 0x636f7378, ext_size =3D 1937007979, ext_ref =3D=
0xaea00000}, =
> MH_databuf =3D "0=C0maxsockets\000\000=A0=AE0=C0sockbuf_waste_f=
actor\000\000\000\000=E0=AE0=C0kern.ipc.maxsockets\000\004=AF0=C0\000\000=
\000\000\000\000\000\000\024=AF0=C0accept\000connec\000sfbufa\000\000\000=
\000\000\000\000\000sf_buf_ref: referencing a free sf_buf", '\000' <repea=
ts 27 times>, "sf_buf_free: freeing free sf_buf\000sfpbs"}}, =
> M_databuf =3D "dummy\000 =AE0=C0maxsockbuf\000\000`=AE0=C0maxsocket=
s\000\000=A0=AE0=C0sockbuf_waste_factor\000\000\000\000=E0=AE0=C0kern.ipc=
=2Emaxsockets\000\004=AF0=C0\000\000\000\000\000\000\000\000\024=AF0=C0ac=
cept\000connec\000sfbufa\000\000\000\000\000\000\000\000sf_buf_ref: refer=
encing a free sf_buf", '\000' <repeats 27 times>, "sf_buf_free: freein"..=
=2E}}
> (kgdb) print next
> $8 =3D (struct mbuf *) 0x0
> =
> The "adress out of bounds" messages looks strange.
> =
> I'll try to reproduce the bug after updating kernel, sources and world.=
> I have stored the kernel, modules (build with kernel, only ng_ether use=
d)
> and the dump on tape so I should be able to produce additional details =
if
> needed.
> =
> /s/Udo
> PS: One strange thing about dumping: savecore never found a dump during=
> "normal" startup. After this crash, I booted single-user, fsck'ed and
> mount'ed my filesystems, set the dump device, called savecore and voila=
,
> one crashdump stored in /var/crash. The machine has 64 MBytes of RAM
> and 156 MByte swap (da0s1b).
> =
> -- =
> Getting a SCSI chain working is perfectly simple if you remember that t=
here
> must be exactly three terminations: one on one end of the cable, one on=
the
> far end, and the goat, terminated over the SCSI chain with a silver-han=
dled
> knife whilst burning *black* candles.
-- =
Brian <brian@Awfulhak.org> <brian@[uk.]FreeBSD.org=
>
<http://www.Awfulhak.org>; <brian@[uk.]OpenBSD.org=
>
Don't _EVER_ lose your sense of humour !
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200007121350.OAA11795>