I'd like to disclaim all responsibility :-I

I'd normally try to figure out what the problem is or ask for more 
info, but seeing as ppp caused a kernel panic on me this morning on the 
train, and since then cvsup has caused a similar panic, htc panics 
and just about anything else interesting I do panics, I tend to 
suspect it's nothing to do with (user-land) ppp....

I'm trying to rebuild my machine by cvs update -D'ing to before the 
snapshot code commit at the moment....

> Hi,
> I've finally managed to capture a crashdump after a panic in sbdrop(). The
> machine in question uses ppp/ipfw/natd to connect a small LAN to the
> outside world via a DSL link. ppp started to misbehave: NS queries were
> sent out but didn't come back (I had tcpdumps running on both tun0 and
> ed1). I tried to terminate ppp by sending a SIGTERM. ppp (pid 78) was
> still around after a minute, so I sent a SIGTERM. The machine crashed
> immediately.
> 
> The machine world as of 7/7, I've only added the latest type fix to
> ppp/bundle.c (rev 1.99).
> 
> The point of doom:
> 
> bash# gdb -k /sys/compile/UE/kernel.debug /var/crash/vmcore.0 
> GNU gdb 4.18
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-unknown-freebsd"...
> IdlePTD 3952640
> initial pcb at 325320
> panicstr: sbdrop
> panic messages:
> ---
> panic: sbdrop
> 
> syncing disks... 
> done
> Uptime: 1h4m5s
> 
> dumping to dev #da/0x20001, offset 190228
> dump 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
> ---
> #0  boot (howto=256) at ../../kern/kern_shutdown.c:303
> 303                   dumppcb.pcb_cr3 = rcr3();
> (kgdb) where
> #0  boot (howto=256) at ../../kern/kern_shutdown.c:303
> #1  0xc01717f4 in poweroff_wait (junk=0xc02b3a26, howto=-946356848)
>     at ../../kern/kern_shutdown.c:553
> #2  0xc01931c8 in sbdrop (sb=0xc797bd90, len=158)
>     at ../../kern/uipc_socket2.c:793
> #3  0xc0193058 in sbflush (sb=0xc797bd90) at ../../kern/uipc_socket2.c:772
> #4  0xc0192b11 in sbrelease (sb=0xc797bd90, so=0xc6d59b40)
>     at ../../kern/uipc_socket2.c:455
> #5  0xc0191443 in sorflush (so=0xc6d59b40) at ../../kern/uipc_socket.c:988
> #6  0xc01900ad in sofree (so=0xc6d59b40) at ../../kern/uipc_socket.c:262
> #7  0xc01901de in soclose (so=0xc6d59b40) at ../../kern/uipc_socket.c:327
> #8  0xc018553a in soo_close (fp=0xc0f8fe40, p=0xc74b32a0)
>     at ../../kern/sys_socket.c:193
> #9  0xc0166165 in fdrop (fp=0xc0f8fe40, p=0xc74b32a0) at ../../sys/file.h:212
> #10 0xc01660ab in closef (fp=0xc0f8fe40, p=0xc74b32a0)
>     at ../../kern/kern_descrip.c:1079
> #11 0xc0165dfc in fdfree (p=0xc74b32a0) at ../../kern/kern_descrip.c:945
> #12 0xc016854d in exit1 (p=0xc74b32a0, rv=9) at ../../kern/kern_exit.c:186
> #13 0xc01732d2 in sigexit (p=0xc74b32a0, sig=9) at ../../kern/kern_sig.c:1499
> #14 0xc017304c in postsig (sig=9) at ../../kern/kern_sig.c:1402
> #15 0xc028e6f0 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, 
>       tf_edi = -1077940036, tf_esi = 134920284, tf_ebp = -1077940004, 
>       tf_isp = -946356268, tf_ebx = 672838652, tf_edx = 134909952, 
>       tf_ecx = 2048, tf_eax = 29, tf_trapno = 7, tf_err = 2, 
>       tf_eip = 673074366, tf_cs = 31, tf_eflags = 647, tf_esp = -1077940096, 
>       tf_ss = 47}) at ../../i386/i386/trap.c:164
> #16 0xc02838f5 in Xint0x80_syscall ()
> #17 0x80781c6 in ?? ()
> #18 0x806eaa9 in ?? ()
> #19 0x806e1fb in ?? ()
> #20 0x8078778 in ?? ()
> #21 0x805996f in ?? ()
> #22 0x804ccd8 in ?? ()
> #23 0x806a776 in ?? ()
> #24 0x806a35f in ?? ()
> #25 0x804b0a1 in ?? ()
> (kgdb) frame 2
> #2  0xc01931c8 in sbdrop (sb=0xc797bd90, len=158)
>     at ../../kern/uipc_socket2.c:793
> 793                                   panic("sbdrop");
> (kgdb) print sb
> $1 = (struct sockbuf *) 0xc797bd90
> (kgdb) print *sb
> $2 = {sb_cc = 158, sb_hiwat = 20480, sb_mbcnt = 512, sb_mbmax = 163840, 
>   sb_lowat = 1, sb_mb = 0x0, sb_sel = {si_pid = 0, si_note = {
>       slh_first = 0x0}, si_flags = 0}, sb_flags = 64, sb_timeo = 0}
> (kgdb) print len
> $3 = 158
> (kgdb) print m
> $4 = (struct mbuf *) 0xc02b3a26
> (kgdb) print *m
> $5 = {m_hdr = {mh_next = 0x72646273, mh_nextpkt = 0x4e00706f, 
>     mh_data = 0x63706900 <Address 0x63706900 out of bounds>, 
>     mh_len = -1377828864, mh_type = -16336, mh_flags = 73}, M_dat = {MH = {
>       MH_pkthdr = {rcvif = 0x6d6d7564, len = -1373634439, 
>         header = 0x616dc030 <Address 0x616dc030 out of bounds>, 
>         csum_flags = 1668248440, csum_data = 1718968939, aux = 0xae600000}, 
>       MH_dat = {MH_ext = {
>           ext_buf = 0x616dc030 <Address 0x616dc030 out of bounds>, 
>           ext_free = 0x636f7378, ext_size = 1937007979, ext_ref = 0xaea00000}, 
>         MH_databuf = 
>"0Àmaxsockets\000\000 ®0Àsockbuf_waste_factor\000\000\000\000à®0Àkern.ipc.maxsockets\000\004¯0À\000\000\000\000\000\000\000\000\024¯0Àaccept\000connec\000sfbufa\000\000\000\000\000\000\000\000sf_buf_ref:
> referencing a free sf_buf", '\000' <repeats 27 times>, "sf_buf_free: freeing free 
>sf_buf\000sfpbs"}}, 
>     M_databuf = "dummy\000 
>®0Àmaxsockbuf\000\000`®0Àmaxsockets\000\000 ®0Àsockbuf_waste_factor\000\000\000\000à®0Àkern.ipc.maxsockets\000\004¯0À\000\000\000\000\000\000\000\000\024¯0Àaccept\000connec\000sfbufa\000\000\000\000\000\000\000\000sf_buf_ref:
> referencing a free sf_buf", '\000' <repeats 27 times>, "sf_buf_free: freein"...}}
> (kgdb) print mn
> $6 = (struct mbuf *) 0xc02b3a26
> (kgdb) print *mn
> $7 = {m_hdr = {mh_next = 0x72646273, mh_nextpkt = 0x4e00706f, 
>     mh_data = 0x63706900 <Address 0x63706900 out of bounds>, 
>     mh_len = -1377828864, mh_type = -16336, mh_flags = 73}, M_dat = {MH = {
>       MH_pkthdr = {rcvif = 0x6d6d7564, len = -1373634439, 
>         header = 0x616dc030 <Address 0x616dc030 out of bounds>, 
>         csum_flags = 1668248440, csum_data = 1718968939, aux = 0xae600000}, 
>       MH_dat = {MH_ext = {
>           ext_buf = 0x616dc030 <Address 0x616dc030 out of bounds>, 
>           ext_free = 0x636f7378, ext_size = 1937007979, ext_ref = 0xaea00000}, 
>         MH_databuf = 
>"0Àmaxsockets\000\000 ®0Àsockbuf_waste_factor\000\000\000\000à®0Àkern.ipc.maxsockets\000\004¯0À\000\000\000\000\000\000\000\000\024¯0Àaccept\000connec\000sfbufa\000\000\000\000\000\000\000\000sf_buf_ref:
> referencing a free sf_buf", '\000' <repeats 27 times>, "sf_buf_free: freeing free 
>sf_buf\000sfpbs"}}, 
>     M_databuf = "dummy\000 
>®0Àmaxsockbuf\000\000`®0Àmaxsockets\000\000 ®0Àsockbuf_waste_factor\000\000\000\000à®0Àkern.ipc.maxsockets\000\004¯0À\000\000\000\000\000\000\000\000\024¯0Àaccept\000connec\000sfbufa\000\000\000\000\000\000\000\000sf_buf_ref:
> referencing a free sf_buf", '\000' <repeats 27 times>, "sf_buf_free: freein"...}}
> (kgdb) print next
> $8 = (struct mbuf *) 0x0
> 
> The "address out of bounds" messages look strange.
> 
> I'll try to reproduce the bug after updating kernel, sources and world.
> I have stored the kernel, modules (built with kernel, only ng_ether used)
> and the dump on tape so I should be able to produce additional details if
> needed.
> 
> /s/Udo
> PS: One strange thing about dumping: savecore never found a dump during
> "normal" startup. After this crash, I booted single-user, fsck'ed and
> mount'ed my filesystems, set the dump device, called savecore and voila,
> one crashdump stored in /var/crash. The machine has 64 MBytes of RAM
> and 156 MByte swap (da0s1b).
> 
> -- 
> Getting a SCSI chain working is perfectly simple if you remember that there
> must be exactly three terminations: one on one end of the cable, one on the
> far end, and the goat, terminated over the SCSI chain with a silver-handled
> knife whilst burning *black* candles.

-- 
Brian <[EMAIL PROTECTED]>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
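
A reading aid for the quoted kgdb session, added here as an example and not part of either message or of the FreeBSD source: `m` and `mn` both print as 0xc02b3a26, the same value as the `junk` argument in frame #1, and the "mbuf" header words decode as ASCII text, so kgdb appears to be showing the panic string rather than a live mbuf, while the sockbuf itself reports sb_cc = 158 with sb_mb = 0x0. The struct and function names below are hypothetical, and the consistency check is a simplified model of the condition, not the kernel's code.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields copied from "print *sb" in the quoted kgdb session. */
struct sockbuf_view {
    unsigned long sb_cc;    /* bytes the buffer claims to hold */
    unsigned long sb_mbcnt; /* mbuf storage it claims to use */
    uintptr_t     sb_mb;    /* head of the mbuf chain */
};

/* Simplified model (an assumption, not kernel source): the counters say
 * data is queued, but there is no mbuf chain left to drop it from. */
int sockbuf_inconsistent(const struct sockbuf_view *sb)
{
    return sb->sb_mb == 0 && (sb->sb_cc != 0 || sb->sb_mbcnt != 0);
}

/* Render 32-bit little-endian (i386) words as text, using '.' for
 * non-printable bytes. out must have room for 4*n + 1 bytes. */
void le_words_to_text(const uint32_t *w, size_t n, char *out)
{
    size_t i, b;

    for (i = 0; i < n; i++)
        for (b = 0; b < 4; b++) {
            unsigned char c = (unsigned char)(w[i] >> (8 * b));
            *out++ = isprint(c) ? (char)c : '.';
        }
    *out = '\0';
}

int main(void)
{
    struct sockbuf_view sb = { 158, 512, 0 };  /* sb_cc, sb_mbcnt, sb_mb */
    /* mh_next, mh_nextpkt, mh_data as shown by "print *m" */
    uint32_t hdr[] = { 0x72646273, 0x4e00706f, 0x63706900 };
    uint32_t rcvif[] = { 0x6d6d7564 };         /* MH_pkthdr.rcvif */
    char text[16];

    printf("sockbuf inconsistent: %d\n", sockbuf_inconsistent(&sb));
    le_words_to_text(hdr, 3, text);
    printf("m_hdr words as text:  %s\n", text);
    le_words_to_text(rcvif, 1, text);
    printf("rcvif as text:        %s\n", text);
    return 0;
}
```

The decoded header begins with the panic string and `rcvif` decodes to the start of the "dummy" string visible in `M_databuf`, which is consistent with the pointer referring to kernel string data instead of an mbuf.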




To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message