Date:      Fri, 08 Oct 1999 09:12:32 +0200
From:      sthaug@nethelp.no
To:        freebsd-hackers@freebsd.org
Subject:   3.3-STABLE panic in m_copym
Message-ID:  <25159.939366752@verdi.nethelp.no>

I have a Compaq Proliant 3000 (2 x PII-333) running 3.3-STABLE which has
crashed several times with the following backtrace:

#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
#1  0xc0144299 in panic (fmt=0xc023eb04 "m_copym") at ../../kern/kern_shutdown.c:446
#2  0xc015ac7e in m_copym (m=0xc141ae80, off0=10788, len=1216, wait=1) at ../../kern/uipc_mbuf.c:435
#3  0xc019286a in tcp_output (tp=0xd0be8960) at ../../netinet/tcp_output.c:505
#4  0xc0194106 in tcp_usr_send (so=0xd0ae9640, flags=0, m=0xc1420680, nam=0x0, control=0x0, p=0xd0e95b20) at ../../netinet/tcp_usrreq.c:395
#5  0xc015c4b2 in sosend (so=0xd0ae9640, addr=0x0, uio=0xd0ee5f10, top=0xc1420680, control=0x0, flags=0, p=0xd0e95b20)
    at ../../kern/uipc_socket.c:530
#6  0xc01525dc in soo_write (fp=0xc210c600, uio=0xd0ee5f10, cred=0xc1fce600, flags=0) at ../../kern/sys_socket.c:82
#7  0xc014f46a in dofilewrite (p=0xd0e95b20, fp=0xc210c600, fd=7, buf=0x806f0f4, nbyte=8192, offset=-1, flags=0)
    at ../../kern/sys_generic.c:363
#8  0xc014f373 in write (p=0xd0e95b20, uap=0xd0ee5f94) at ../../kern/sys_generic.c:298
#9  0xc021f39b in syscall (frame={tf_es = 39, tf_ds = -1078001625, tf_edi = 671806342, tf_esi = 7, tf_ebp = -1077949676, 
      tf_isp = -789684252, tf_ebx = 0, tf_edx = 434759, tf_ecx = 0, tf_eax = 4, tf_trapno = 7, tf_err = 2, tf_eip = 134533700, tf_cs = 31, 
      tf_eflags = 518, tf_esp = -1077949700, tf_ss = 39}) at ../../i386/i386/trap.c:1100
#10 0xc020b2ac in Xint0x80_syscall ()

The panic comes from the following loop in m_copym:

	/*
	 * Excerpt from m_copym: skip forward through the mbuf chain until the
	 * mbuf containing the starting offset is reached. `off` is presumably
	 * initialised from the off0 argument; that assignment is not part of
	 * this excerpt.
	 */
	while (off > 0) {
		/*
		 * The chain ended while there was still offset left to skip,
		 * i.e. the caller asked for an offset beyond the data held in
		 * the chain. This is the consistency check that fires here.
		 */
		if (m == 0)
			panic("m_copym");
		/* The starting offset lies inside this mbuf: stop skipping. */
		if (off < m->m_len)
			break;
		/* Consume this mbuf's bytes from the offset and move on. */
		off -= m->m_len;
		m = m->m_next;
	}

so it seems to be running off the end of the mbuf chain before the
requested offset has been consumed. Following the m_next pointers, starting
with the mbuf pointer from the calling routine, I get a total of 5 mbufs in
this chain, with the following lengths:

0xc141ae80      2048
0xc13fef80      2008
0xc1446e00      2048
0xc147fe80      872
0xc1420680      1216

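The total is 8192, which is less than the requested offset, so obviously
copying 1216 bytes at offset 10788 won't work: the loop runs out of mbufs
(m == 0) while off is still positive, and the panic fires.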

The crash only happens occasionally, typically several days apart.

The crash is not specific to 3.3-STABLE; it also happened with 3.2-STABLE.
Does this ring a bell with anybody? Anything more I should check in the
kernel dump?

The machine is a news feeder box, running diablo-1.24 - thus it would be
expected to be a heavy consumer of mbufs. It has NMBCLUSTERS=4096 in the
kernel config.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
----------------------------------------------------------------------
# From: $FreeBSD: src/sys/i386/conf/GENERIC,v 1.143.2.22 1999/09/14 22:53:30 jkh Exp $

machine		"i386"
cpu		"I686_CPU"
ident		"NEWSFEED1"
maxusers	50

options 	MATH_EMULATE		#Support for x87 emulation
options 	INET			#InterNETworking
options 	FFS			#Berkeley Fast Filesystem
options 	FFS_ROOT		#FFS usable as root device [keep this!]
options 	NFS			#Network Filesystem
options 	NFS_ROOT		#NFS usable as root device, "NFS" req'ed
options 	MSDOSFS			#MSDOS Filesystem
options 	"CD9660"		#ISO 9660 Filesystem
options 	"CD9660_ROOT"		#CD-ROM usable as root. "CD9660" req'ed
options 	PROCFS			#Process filesystem
options 	"COMPAT_43"		#Compatible with BSD 4.3 [KEEP THIS!]
options 	SCSI_DELAY=5000		#Be pessimistic about Joe SCSI device
options 	UCONSOLE		#Allow users to grab the console
options 	USERCONFIG		#boot -c editor
options 	VISUAL_USERCONFIG	#visual boot -c editor
options 	KTRACE			#ktrace(1) syscall trace support
options 	SYSVSHM			#SYSV-style shared memory
options 	SYSVMSG			#SYSV-style message queues
options 	SYSVSEM			#SYSV-style semaphores
options		MSGBUF_SIZE=32768
options		INCLUDE_CONFIG_FILE	# Include this file in kernel
options		"NMBCLUSTERS=4096"	# default based on maxusers=50 is 1312 - not enough!
options		DDB
options		DDB_UNATTENDED
options		SOFTUPDATES
options		"MAXMEM=(576*1024)"	# 64 MB + 512 MB, in kB

config		kernel	root on da0

options 	SMP			# Symmetric MultiProcessor Kernel
options 	APIC_IO			# Symmetric (APIC) I/O
options 	NINTR=50		# number of INTs

controller	isa0
controller	eisa0
controller	pci0

controller	fdc0	at isa? port "IO_FD1" bio irq 6 drq 2
disk		fd0	at fdc0 drive 0

options		"CMD640"	# work around CMD640 chip deficiency
controller	wdc0	at isa? port "IO_WD1" bio irq 14
options		ATAPI		#Enable ATAPI support for IDE bus
options		ATAPI_STATIC	#Don't do it as an LKM
device		acd0		#IDE CD-ROM

controller	ncr0		# NCR/Symbios Logic
controller	scbus0		# SCSI bus (required)
device		da0		# Direct Access (disks)
device		sa0		# Sequential Access (tape etc)
device		cd0		# CD
device		pass0		# Passthrough device (direct SCSI)

controller	atkbdc0	at isa? port IO_KBD tty
device		atkbd0	at isa? tty irq 1
device		psm0	at isa? tty irq 12
device		vga0	at isa? port ? conflicts
device		sc0	at isa? tty
device		npx0	at isa? port IO_NPX irq 13
device		sio0	at isa? port "IO_COM1" flags 0x10 tty irq 4
device		sio1	at isa? port "IO_COM2" tty irq 3

device		de0		# DEC/Intel DC21x4x (``Tulip'')
device		fxp0		# Intel EtherExpress PRO/100B (82557, 82558)
device		tl0		# Texas Instruments ThunderLAN

pseudo-device	loop		# Network loopback
pseudo-device	ether		# Ethernet support
pseudo-device	ppp	1	# Kernel PPP
pseudo-device	tun	1	# Packet tunnel
pseudo-device	pty	16	# Pseudo-ttys (telnet etc)
pseudo-device	gzip		# Exec gzipped a.out's
pseudo-device	bpfilter 4	#Berkeley packet filter
pseudo-device	ccd	4	#Concatenated disk driver
----------------------------------------------------------------------
Copyright (c) 1992-1999 FreeBSD Inc.
Copyright (c) 1982, 1986, 1989, 1991, 1993
	The Regents of the University of California. All rights reserved.
FreeBSD 3.3-STABLE #1: Sun Sep 19 13:08:57 CEST 1999
    sthaug@newsfeed1.telia.no:/local/freebsd/src/sys/compile/NEWSFEED1
Timecounter "i8254"  frequency 1193182 Hz
CPU: Pentium II/Xeon/Celeron (686-class CPU)
  Origin = "GenuineIntel"  Id = 0x651  Stepping = 1
  Features=0x183fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR>
real memory  = 603979776 (589824K bytes)
avail memory = 584122368 (570432K bytes)
Programming 28 pins in IOAPIC #0
EISA INTCONTROL = 00000620
IOAPIC #0 intpint 24 -> irq 5
FreeBSD/SMP: Multiprocessor motherboard
 cpu0 (BSP): apic id:  1, version: 0x00040011, at 0xfee00000
 cpu1 (AP):  apic id:  0, version: 0x00040011, at 0xfee00000
 io0 (APIC): apic id:  8, version: 0x001b0011, at 0xfec00000
Preloaded elf kernel "kernel" at 0xc02d2000.
Pentium Pro MTRR support enabled
eisa0: <CPQ561 (System Board)>
Probing for devices on the EISA bus
Probing for devices on PCI bus 0:
chip0: <Ross (?) host to PCI bridge> rev 0x03 on pci0.0.0
vga0: <Cirrus Logic GD5430 SVGA controller> rev 0x22 int a irq 255 on pci0.6.0
chip1: <PCI to EISA bridge (vendor=0e11 device=0001)> rev 0x07 on pci0.15.0
chip2: <Ross (?) host to PCI bridge> rev 0x03 on pci0.17.0
Probing for devices on PCI bus 1:
ncr0: <ncr 53c875 fast20 wide scsi> rev 0x14 int a irq 19 on pci1.4.0
ncr1: <ncr 53c875 fast20 wide scsi> rev 0x14 int b irq 18 on pci1.4.1
fxp0: <Intel EtherExpress Pro 10/100B Ethernet> rev 0x05 int a irq 18 on pci1.7.0
fxp0: Ethernet address 00:90:27:13:f6:21
tl0: <Compaq Netelligent 10/100> rev 0x10 int a irq 17 on pci1.8.0
tl0: Ethernet address: 00:08:c7:1e:a7:35
tl0: autoneg not complete, no carrier
Probing for devices on PCI bus 2:
Probing for devices on the ISA bus:
sc0 on isa
sc0: VGA color <16 virtual consoles, flags=0x0>
atkbdc0 at 0x60-0x6f on motherboard
atkbd0 irq 1 on isa
psm0: failed to get data.
psm0 irq 12 on isa
psm0: model Generic PS/2 mouse, device ID 0
sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: FIFO enabled, 8 bytes threshold
fd0: 1.44MB 3.5in
wdc0 at 0x1f0-0x1f7 irq 14 on isa
wdc0: unit 0 (atapi): <CD-ROM CDU571-Q/1.1a>, removable, accel, dma, iordis
acd0: drive speed 1378KB/sec, 128KB cache
acd0: supported read types: CD-DA
acd0: Audio: play, 256 volume levels
acd0: Mechanism: ejectable tray
acd0: Medium: no/blank disc inside, unlocked
vga0 at 0x3b0-0x3df maddr 0xa0000 msize 131072 on isa
npx0 on motherboard
npx0: INT 16 interface
APIC_IO: Testing 8254 interrupt delivery
APIC_IO: Broken MP table detected: 8254 is not connected to IO APIC int pin 2
APIC_IO: routing 8254 via 8259 on pin 0
ccd0-3: Concatenated disk drivers
Waiting 5 seconds for SCSI devices to settle
SMP: AP CPU #1 Launched!
changing root device to da0s3da0 at ncr0 bus 0 target 0 lun 0
da0: <COMPAQ HD0093172C 3207> Fixed Direct Access SCSI-2 device 
da0: 40.000MB/s transfers (20.000MHz, offset 15, 16bit), Tagged Queueing Enabled
da0: 8678MB (17773500 512 byte sectors: 255H 63S/T 1106C)
da2 at ncr0 bus 0 target 4 lun 0
da2: <COMPAQ HD0093172C 3207> Fixed Direct Access SCSI-2 device 
da2: 40.000MB/s transfers (20.000MHz, offset 15, 16bit), Tagged Queueing Enabled
da2: 8678MB (17773500 512 byte sectors: 255H 63S/T 1106C)
da3 at ncr0 bus 0 target 5 lun 0
da3: <COMPAQ HD0093172C 3207> Fixed Direct Access SCSI-2 device 
da3: 40.000MB/s transfers (20.000MHz, offset 15, 16bit), Tagged Queueing Enabled
da3: 8678MB (17773500 512 byte sectors: 255H 63S/T 1106C)
da1 at ncr0 bus 0 target 1 lun 0
da1: <COMPAQ HD0093172C 3207> Fixed Direct Access SCSI-2 device 
da1: 40.000MB/s transfers (20.000MHz, offset 15, 16bit), Tagged Queueing Enabled
da1: 8678MB (17773500 512 byte sectors: 255H 63S/T 1106C)
a
WARNING: / was not properly dismounted





