Date: Fri, 02 May 2003 20:28:05 -0000 From: Michael McGoldrick <michael@mcgoldrick.org> To: current@freebsd.org Subject: Re: mbuf double-free panic Message-ID: <20030502203559.GA658@uriel.mcgoldrick.org> In-Reply-To: <20030502203621.GA792@uriel.mcgoldrick.org> References: <20030502203621.GA792@uriel.mcgoldrick.org>
--k1lZvvs/B4yU6o8G
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Oooops, attached the wrong file. Ahh, the delights of embarrassing yourself on
a public forum.
--
Michael McGoldrick: mmcgoldrick@linuxdriven.net
--k1lZvvs/B4yU6o8G
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: attachment; filename=crash
Content-Transfer-Encoding: quoted-printable
Script started on Fri May 2 21:21:59 2003
GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
panic: m_free detected a mbuf double-free
panic messages:
---
panic: m_free detected a mbuf double-free
=0D
syncing disks, buffers remaining... 1407 1407 1401 1398 1398 1398 1398 1398=
1397 1397 1397 =0D
sio1: 1 more silo overflow (total 26)
1397 1397 1397 1397 1397 1397 1397 1397 1397 1397 1397 1397 1397 1397 1397 1397 1397
giving up on 428 buffers
Uptime: 22m48s
Dumping 127 MB
ata1: resetting devices ..
done
[CTRL-C to abort] [CTRL-C to abort] [CTRL-C to abort] 16 32 48 64 80 96 112
---
Reading symbols from /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/linux/linux.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/linux/linux.ko.debug
Reading symbols from /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/acpi/acpi.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/acpi/acpi.ko.debug
Reading symbols from /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/linprocfs/linprocfs.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/linprocfs/linprocfs.ko.debug
Reading symbols from /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/ipfw/ipfw.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/ipfw/ipfw.ko.debug
Reading symbols from /boot/kernel/logo_saver.ko...done.
Loaded symbols for /boot/kernel/logo_saver.ko
#0 doadump () at /usr/src/sys/kern/kern_shutdown.c:238
238 dumping++;
(kgdb) bt
#0 doadump () at /usr/src/sys/kern/kern_shutdown.c:238
#1 0xc023a7aa in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:370
#2 0xc023aafb in panic () at /usr/src/sys/kern/kern_shutdown.c:543
#3 0xc0256352 in m_free (mb=0xc0bbcf00) at /usr/src/sys/kern/subr_mbuf.c:1392
#4 0xc02a8993 in tunread (dev=0x0, uio=0xce8a6c7c, flag=8323072)
at /usr/src/sys/net/if_tun.c:679
#5 0xc01fe3ae in spec_read (ap=0xce8a6be0)
at /usr/src/sys/fs/specfs/spec_vnops.c:271
#6 0xc01fdf38 in spec_vnoperate (ap=0x0)
at /usr/src/sys/fs/specfs/spec_vnops.c:123
#7 0xc02991e2 in vn_read (fp=0xc256099c, uio=0xce8a6c7c,
active_cred=0xc235b900, flags=0, td=0xc2674390) at vnode_if.h:383
#8 0xc025cd12 in dofileread (td=0xc2674390, fp=0xc256099c, fd=0,
buf=0xbfbfee40, nbyte=0, offset=0, flags=0) at file.h:227
#9 0xc025cb7b in read (td=0xc2674390, uap=0xce8a6d10)
at /usr/src/sys/kern/sys_generic.c:106
#10 0xc038ecfe in syscall (frame=
{tf_fs = 47, tf_es = -1078001617, tf_ds = -1078001617, tf_edi = 134883872, tf_esi = 134996480, tf_ebp = -1077938584, tf_isp = -829788812, tf_ebx = 134969308, tf_edx = 135049216, tf_ecx = 7, tf_eax = 3, tf_trapno = 0, tf_err = 2, tf_eip = 673638227, tf_cs = 31, tf_eflags = 514, tf_esp = -1077940724, tf_ss = 47})
at /usr/src/sys/i386/i386/trap.c:1021
#11 0xc037ec0d in Xint0x80_syscall () at {standard input}:138
---Can't read userspace from dump, or kernel process---
=0D
(kgdb) up 3
#3 0xc0256352 in m_free (mb=0xc0bbcf00) at /usr/src/sys/kern/subr_mbuf.c:1392
1392 MEXT_REM_REF(mb);
(kgdb) l
1387 #endif
1388 if ((mb->m_flags & M_PKTHDR) != 0)
1389 m_tag_delete_chain(mb, NULL);
1390 nb = mb->m_next;
1391 if ((mb->m_flags & M_EXT) != 0) {
1392 MEXT_REM_REF(mb);
1393 if (atomic_cmpset_int(mb->m_ext.ref_cnt, 0, 1)) {
1394 if (mb->m_ext.ext_type == EXT_CLUSTER) {
1395 mb_free(&mb_list_clust,
1396 (caddr_t)mb->m_ext.ext_buf, MT_NOTMBUF,
(kgdb) print mb
$1 = (struct mbuf *) 0xc0bbcf00
(kgdb) print *mb
$2 = {m_hdr = {mh_next = 0x0, mh_nextpkt = 0x0, mh_data = 0xc0bbcf3c "",
mh_len = 44, mh_flags = 16386, mh_type = 2}, M_dat = {MH = {MH_pkthdr = {
rcvif = 0x0, len = 44, header = 0x2, csum_flags = 0, csum_data = 16,
tags = {slh_first = 0x0}}, MH_dat = {MH_ext = {
ext_buf = 0xc105f000 "5\020\004", ext_free = 0, ext_args = 0x0,
ext_size = 33554432, ref_cnt = 0x28000045, ext_type = 7684},
MH_databuf =3D "\0=F0\005=C1", '\0' <repeats 11 times>, "\002E\0\0(=
\004\036\0\0@\006p=ABQN\r/=C3\\=E4-=C0\025\0P=B7\205\037\004=B3=F0d=DFP\020=
\0\0=FA\r\0\0\001\001\b\n\0\001\005\023Q\n|=FD\002\0\0\0\0\0\0\0L\001\005\0=
\025\0=A0\0\021\0=A0\0\021\08\001 1.3A\001\b\0\025\0=A0\0\031\0=A0\0\021\0-=
\001\005\0\0\0\0\0\f\0=FB=FF\0\0\0\0=F4=FF\004\030\0\0@\001\v=C2QN\r/=D8=EF=
3c\b\0=D5=CA=FC\002\001=B6%=CD=B2>am\0\0\b\t\n\v\f\r\016\017\020\021\022\02=
3\024\025\026\027\030\031\032\e\034\035\036\037 !\"#$%&'()*+,-./0"...}}, =0D
M_databuf =3D "\0\0\0\0,\0\0\0\002\0\0\0\0\0\0\0\020\0\0\0\0\0\0\0\0=F0=
\005=C1", '\0' <repeats 11 times>, "\002E\0\0(\004\036\0\0@\006p=ABQN\r/=C3=
\\=E4-=C0\025\0P=B7\205\037\004=B3=F0d=DFP\020\0\0=FA\r\0\0\001\001\b\n\0\0=
01\005\023Q\n|=FD\002\0\0\0\0\0\0\0L\001\005\0\025\0=A0\0\021\0=A0\0\021\08=
\001 1.3A\001\b\0\025\0=A0\0\031\0=A0\0\021\0-\001\005\0\0\0\0\0\f\0=FB=FF\=
0\0\0\0=F4=FF\004\030\0\0@\001\v=C2QN\r/=D8=EF3c\b\0=D5=CA=FC\002\001=B6%=
=CD=B2>am\0\0\b\t\n\v\f\r\016\017\020\021\022\023\024\025\026\027\030"...}}=
=0D
(kgdb) up 1
#4 0xc02a8993 in tunread (dev=0x0, uio=0xce8a6c7c, flag=8323072)
at /usr/src/sys/net/if_tun.c:679
679 m = m_free(m);
(kgdb) l
674
675 while (m && uio->uio_resid > 0 && error == 0) {
676 len = min(uio->uio_resid, m->m_len);
677 if (len != 0)
678 error = uiomove(mtod(m, void *), len, uio);
679 m = m_free(m);
680 }
681
682 if (m) {
683 TUNDEBUG("%s%d: Dropping mbuf\n", ifp->if_name, ifp->if_unit);
(kgdb)
Script done on Fri May 2 21:25:41 2003
--k1lZvvs/B4yU6o8G--
