From owner-freebsd-hackers Fri Oct 8 0:14: 3 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id A284B153D8 for ; Fri, 8 Oct 1999 00:13:53 -0700 (PDT) (envelope-from sthaug@nethelp.no)
Received: (qmail 25161 invoked by uid 1001); 8 Oct 1999 07:12:32 +0000 (GMT)
To: freebsd-hackers@freebsd.org
Subject: 3.3-STABLE panic in m_copym
From: sthaug@nethelp.no
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Fri, 08 Oct 1999 09:12:32 +0200
Message-ID: <25159.939366752@verdi.nethelp.no>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have a Compaq Proliant 3000 (2 x PII-333) running 3.3-STABLE which has
crashed several times with the following backtrace:

#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
#1  0xc0144299 in panic (fmt=0xc023eb04 "m_copym")
    at ../../kern/kern_shutdown.c:446
#2  0xc015ac7e in m_copym (m=0xc141ae80, off0=10788, len=1216, wait=1)
    at ../../kern/uipc_mbuf.c:435
#3  0xc019286a in tcp_output (tp=0xd0be8960) at ../../netinet/tcp_output.c:505
#4  0xc0194106 in tcp_usr_send (so=0xd0ae9640, flags=0, m=0xc1420680, nam=0x0,
    control=0x0, p=0xd0e95b20) at ../../netinet/tcp_usrreq.c:395
#5  0xc015c4b2 in sosend (so=0xd0ae9640, addr=0x0, uio=0xd0ee5f10,
    top=0xc1420680, control=0x0, flags=0, p=0xd0e95b20)
    at ../../kern/uipc_socket.c:530
#6  0xc01525dc in soo_write (fp=0xc210c600, uio=0xd0ee5f10, cred=0xc1fce600,
    flags=0) at ../../kern/sys_socket.c:82
#7  0xc014f46a in dofilewrite (p=0xd0e95b20, fp=0xc210c600, fd=7,
    buf=0x806f0f4, nbyte=8192, offset=-1, flags=0)
    at ../../kern/sys_generic.c:363
#8  0xc014f373 in write (p=0xd0e95b20, uap=0xd0ee5f94)
    at ../../kern/sys_generic.c:298
#9  0xc021f39b in syscall (frame={tf_es = 39, tf_ds = -1078001625,
      tf_edi = 671806342, tf_esi = 7, tf_ebp = -1077949676,
      tf_isp = -789684252, tf_ebx = 0, tf_edx = 434759, tf_ecx = 0,
      tf_eax = 4, tf_trapno = 7, tf_err = 2, tf_eip = 134533700, tf_cs = 31,
      tf_eflags = 518, tf_esp = -1077949700, tf_ss = 39})
    at ../../i386/i386/trap.c:1100
#10 0xc020b2ac in Xint0x80_syscall ()

The panic is the following loop in m_copym:

        while (off > 0) {
                if (m == 0)
                        panic("m_copym");
                if (off < m->m_len)
                        break;
                off -= m->m_len;
                m = m->m_next;
        }

so it seems to be running off the end of the mbuf chain before having
verified the whole length. Following the m_next pointers, starting with
the mbuf pointer from the calling routine, I get a total of 5 mbufs in
this chain, with the following lengths:

0xc141ae80      2048
0xc13fef80      2008
0xc1446e00      2048
0xc147fe80       872
0xc1420680      1216

The total is 8192, so obviously copying 1216 bytes at offset 10788 won't
work.

The crash only happens occasionally, typically several days apart. The
crash is not specific to 3.3-STABLE, it also happened with 3.2-STABLE.

Does this ring a bell with anybody? Anything more I should check in the
kernel dump?

The machine is a news feeder box, running diablo-1.24 - thus it would be
expected to be a heavy consumer of mbufs. It has NMBCLUSTERS=4096 in the
kernel config.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
----------------------------------------------------------------------
# From: $FreeBSD: src/sys/i386/conf/GENERIC,v 1.143.2.22 1999/09/14 22:53:30 jkh Exp $

machine         "i386"
cpu             "I686_CPU"
ident           "NEWSFEED1"
maxusers        50

options         MATH_EMULATE            #Support for x87 emulation
options         INET                    #InterNETworking
options         FFS                     #Berkeley Fast Filesystem
options         FFS_ROOT                #FFS usable as root device [keep this!]
options         NFS                     #Network Filesystem
options         NFS_ROOT                #NFS usable as root device, "NFS" req'ed
options         MSDOSFS                 #MSDOS Filesystem
options         "CD9660"                #ISO 9660 Filesystem
options         "CD9660_ROOT"           #CD-ROM usable as root. "CD9660" req'ed
options         PROCFS                  #Process filesystem
options         "COMPAT_43"             #Compatible with BSD 4.3 [KEEP THIS!]
options         SCSI_DELAY=5000         #Be pessimistic about Joe SCSI device
options         UCONSOLE                #Allow users to grab the console
options         USERCONFIG              #boot -c editor
options         VISUAL_USERCONFIG       #visual boot -c editor
options         KTRACE                  #ktrace(1) syscall trace support
options         SYSVSHM                 #SYSV-style shared memory
options         SYSVMSG                 #SYSV-style message queues
options         SYSVSEM                 #SYSV-style semaphores
options         MSGBUF_SIZE=32768
options         INCLUDE_CONFIG_FILE     # Include this file in kernel
options         "NMBCLUSTERS=4096"      # default based on maxusers=50 is 1312 - not enough!
options         DDB
options         DDB_UNATTENDED
options         SOFTUPDATES
options         "MAXMEM=(576*1024)"     # 64 MB + 512 MB, in kB

config          kernel  root on da0

options         SMP                     # Symmetric MultiProcessor Kernel
options         APIC_IO                 # Symmetric (APIC) I/O
options         NINTR=50                # number of INTs

controller      isa0
controller      eisa0
controller      pci0

controller      fdc0    at isa? port "IO_FD1" bio irq 6 drq 2
disk            fd0     at fdc0 drive 0

options         "CMD640"                # work around CMD640 chip deficiency
controller      wdc0    at isa? port "IO_WD1" bio irq 14

options         ATAPI                   #Enable ATAPI support for IDE bus
options         ATAPI_STATIC            #Don't do it as an LKM
device          acd0                    #IDE CD-ROM

controller      ncr0                    # NCR/Symbios Logic

controller      scbus0                  # SCSI bus (required)
device          da0                     # Direct Access (disks)
device          sa0                     # Sequential Access (tape etc)
device          cd0                     # CD
device          pass0                   # Passthrough device (direct SCSI)

controller      atkbdc0 at isa? port IO_KBD tty
device          atkbd0  at isa? tty irq 1
device          psm0    at isa? tty irq 12

device          vga0    at isa? port ? conflicts
device          sc0     at isa? tty

device          npx0    at isa? port IO_NPX irq 13

device          sio0    at isa? port "IO_COM1" flags 0x10 tty irq 4
device          sio1    at isa? port "IO_COM2" tty irq 3

device          de0                     # DEC/Intel DC21x4x (``Tulip'')
device          fxp0                    # Intel EtherExpress PRO/100B (82557, 82558)
device          tl0                     # Texas Instruments ThunderLAN

pseudo-device   loop                    # Network loopback
pseudo-device   ether                   # Ethernet support
pseudo-device   ppp     1               # Kernel PPP
pseudo-device   tun     1               # Packet tunnel
pseudo-device   pty     16              # Pseudo-ttys (telnet etc)
pseudo-device   gzip                    # Exec gzipped a.out's
pseudo-device   bpfilter 4              #Berkeley packet filter
pseudo-device   ccd     4               #Concatenated disk driver
----------------------------------------------------------------------
Copyright (c) 1992-1999 FreeBSD Inc.
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California. All rights reserved.
FreeBSD 3.3-STABLE #1: Sun Sep 19 13:08:57 CEST 1999
    sthaug@newsfeed1.telia.no:/local/freebsd/src/sys/compile/NEWSFEED1
Timecounter "i8254" frequency 1193182 Hz
CPU: Pentium II/Xeon/Celeron (686-class CPU)
  Origin = "GenuineIntel" Id = 0x651 Stepping = 1
  Features=0x183fbff
real memory = 603979776 (589824K bytes)
avail memory = 584122368 (570432K bytes)
Programming 28 pins in IOAPIC #0
EISA INTCONTROL = 00000620
IOAPIC #0 intpint 24 -> irq 5
FreeBSD/SMP: Multiprocessor motherboard
 cpu0 (BSP): apic id: 1, version: 0x00040011, at 0xfee00000
 cpu1 (AP): apic id: 0, version: 0x00040011, at 0xfee00000
 io0 (APIC): apic id: 8, version: 0x001b0011, at 0xfec00000
Preloaded elf kernel "kernel" at 0xc02d2000.
Pentium Pro MTRR support enabled
eisa0:
Probing for devices on the EISA bus
Probing for devices on PCI bus 0:
chip0: rev 0x03 on pci0.0.0
vga0: rev 0x22 int a irq 255 on pci0.6.0
chip1: rev 0x07 on pci0.15.0
chip2: rev 0x03 on pci0.17.0
Probing for devices on PCI bus 1:
ncr0: rev 0x14 int a irq 19 on pci1.4.0
ncr1: rev 0x14 int b irq 18 on pci1.4.1
fxp0: rev 0x05 int a irq 18 on pci1.7.0
fxp0: Ethernet address 00:90:27:13:f6:21
tl0: rev 0x10 int a irq 17 on pci1.8.0
tl0: Ethernet address: 00:08:c7:1e:a7:35
tl0: autoneg not complete, no carrier
Probing for devices on PCI bus 2:
Probing for devices on the ISA bus:
sc0 on isa
sc0: VGA color <16 virtual consoles, flags=0x0>
atkbdc0 at 0x60-0x6f on motherboard
atkbd0 irq 1 on isa
psm0: failed to get data.
psm0 irq 12 on isa
psm0: model Generic PS/2 mouse, device ID 0
sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: FIFO enabled, 8 bytes threshold
fd0: 1.44MB 3.5in
wdc0 at 0x1f0-0x1f7 irq 14 on isa
wdc0: unit 0 (atapi): , removable, accel, dma, iordis
acd0: drive speed 1378KB/sec, 128KB cache
acd0: supported read types: CD-DA
acd0: Audio: play, 256 volume levels
acd0: Mechanism: ejectable tray
acd0: Medium: no/blank disc inside, unlocked
vga0 at 0x3b0-0x3df maddr 0xa0000 msize 131072 on isa
npx0 on motherboard
npx0: INT 16 interface
APIC_IO: Testing 8254 interrupt delivery
APIC_IO: Broken MP table detected: 8254 is not connected to IO APIC int pin 2
APIC_IO: routing 8254 via 8259 on pin 0
ccd0-3: Concatenated disk drivers
Waiting 5 seconds for SCSI devices to settle
SMP: AP CPU #1 Launched!
changing root device to da0s3da0 at ncr0 bus 0 target 0 lun 0
da0: Fixed Direct Access SCSI-2 device
da0: 40.000MB/s transfers (20.000MHz, offset 15, 16bit), Tagged Queueing Enabled
da0: 8678MB (17773500 512 byte sectors: 255H 63S/T 1106C)
da2 at ncr0 bus 0 target 4 lun 0
da2: Fixed Direct Access SCSI-2 device
da2: 40.000MB/s transfers (20.000MHz, offset 15, 16bit), Tagged Queueing Enabled
da2: 8678MB (17773500 512 byte sectors: 255H 63S/T 1106C)
da3 at ncr0 bus 0 target 5 lun 0
da3: Fixed Direct Access SCSI-2 device
da3: 40.000MB/s transfers (20.000MHz, offset 15, 16bit), Tagged Queueing Enabled
da3: 8678MB (17773500 512 byte sectors: 255H 63S/T 1106C)
da1 at ncr0 bus 0 target 1 lun 0
da1: Fixed Direct Access SCSI-2 device
da1: 40.000MB/s transfers (20.000MHz, offset 15, 16bit), Tagged Queueing Enabled
da1: 8678MB (17773500 512 byte sectors: 255H 63S/T 1106C)
a
WARNING: / was not properly dismounted

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
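
The arithmetic in the message above, as an added example that is not part of the original post and is not FreeBSD source: a simplified model of the offset-skipping loop quoted from m_copym, run over the five m_len values read from the dump. `struct mb`, `chain_check` and `check_lengths` are hypothetical names, and only `m_len` and `m_next` are modelled.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for struct mbuf: only the fields the walk reads. */
struct mb { struct mb *m_next; int m_len; };

enum { WALK_OK = 0, OFF_PAST_END = -1, LEN_PAST_END = -2 };

/* The offset-skipping loop quoted in the post, returning a status where
 * the kernel calls panic("m_copym"), then a check that len bytes follow. */
static int chain_check(const struct mb *m, int off, int len, int *total)
{
    const struct mb *p;
    int avail = 0;

    for (*total = 0, p = m; p != NULL; p = p->m_next)
        *total += p->m_len;             /* what the chain actually holds */
    while (off > 0) {
        if (m == NULL)
            return OFF_PAST_END;        /* chain ended before off reached 0 */
        if (off < m->m_len)
            break;
        off -= m->m_len;
        m = m->m_next;
    }
    for (; m != NULL; m = m->m_next, off = 0)
        avail += m->m_len - off;        /* bytes left from the start point */
    return avail >= len ? WALK_OK : LEN_PAST_END;
}

/* Link up to 16 lengths into a chain and check one (off, len) request. */
static int check_lengths(const int *lens, int n, int off, int len, int *total)
{
    struct mb chain[16];
    int i;

    *total = 0;
    if (n < 1 || n > 16)
        return LEN_PAST_END;
    for (i = 0; i < n; i++) {
        chain[i].m_len = lens[i];
        chain[i].m_next = (i + 1 < n) ? &chain[i + 1] : NULL;
    }
    return chain_check(chain, off, len, total);
}

int main(void)
{
    const int lens[] = { 2048, 2008, 2048, 872, 1216 };  /* m_len values from the dump */
    int total, rc = check_lengths(lens, 5, 10788, 1216, &total);

    printf("chain total=%d, off0=10788 len=1216 -> status %d\n", total, rc);
    return 0;
}
```

Running the same check on other (off0, len) pairs from a dump separates an offset that lies past the end of the chain from a length that overruns it.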