Date:      Wed, 8 Sep 2004 17:37:43 +0200
From:      Ulrich Spoerlein <q@uni.de>
To:        freebsd-current@freebsd.org
Subject:   Re: panic: bfe_start: attempted use of a free mbuf! (RELENG_5)
Message-ID:  <20040908153743.GA777@galgenberg.net>
In-Reply-To: <4109EC00.7020104@uni.de>
References:  <4109EC00.7020104@uni.de>

On Fri, 30.07.2004 at 08:34:40 +0200, Ulrich Spoerlein wrote:
> panic: bfe_start: attempted use of a free mbuf!
> KDB: enter: panic
> [thread 100019]
> Stopped at kdb_enter+0x2a: leave
> > trace
> kdb_enter()
> panic()
> bfe_start()
> bfe_intr()
> ithread_loop()
> fork_exit()
> fork_trampoline()
> --- trap 0x1, eip=0, esp=0xdb0c6d7c, ebp=0 ---

This just happened again on a recent RELENG_5. I get an _instant reboot_,
when trying to move a file from my gbde-home to NFS-mounted
/usr/ports/distfiles (this is symlinked three times... don't ask :)

I then tried to copy it from / to the NFS server directly (without the
three level symlinks) and got this panic (and dump! yay!)

panic: bfe_start: attempted use of a free mbuf!
(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc048e14b in db_fncall (dummy1=-281335756, dummy2=0, dummy3=-281335856,
    dummy4=0xef3b27cc "\036änÀ") at /usr/src/sys/ddb/db_command.c:531
#2  0xc048e4ec in db_command_loop () at /usr/src/sys/ddb/db_command.c:349
#3  0xc048fc71 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:221
#4  0xc057a355 in kdb_trap (type=3, code=0, tf=0xef3b28ec) at /usr/src/sys/kern/subr_kdb.c:418
#5  0xc06bb84f in trap (frame=
      {tf_fs = -281346024, tf_es = -1068040176, tf_ds = -1066336240, tf_edi = 256, tf_esi = -1066397045, tf_ebp = -281335508, tf_isp = -281335528, tf_ebx = -281335468, tf_edx = 0, tf_ecx = -1066286908, tf_eax = -1066295100, tf_trapno = 3, tf_err = 0, tf_eip = -1067999226, tf_cs = 8, tf_eflags = 646, tf_esp = -281335480, tf_ss = -1068083641}) at /usr/src/sys/i386/i386/trap.c:576
#6  0xc06b04ca in calltrap () at /usr/src/sys/i386/i386/exception.s:140
#7  0xef3b0018 in ?? ()
#8  0xc0570010 in kern_timeout_callwheel_alloc (v=0x0) at /usr/src/sys/kern/kern_timeout.c:125
#9  0xc0565647 in panic (fmt=0xc070128b "%s: attempted use of a free mbuf!")
    at /usr/src/sys/kern/kern_shutdown.c:536
#10 0xc04b4681 in bfe_start (ifp=0xc2419000) at /usr/src/sys/dev/bfe/if_bfe.c:1400
#11 0xc05c0309 in ether_output_frame (ifp=0xc2419000, m=0xc3393500)
    at /usr/src/sys/net/if_ethersubr.c:377
#12 0xc05c0646 in ether_output (ifp=0xc2419000, m=0xc3393500, dst=0xef3b2a3c, rt0=0x0)
    at /usr/src/sys/net/if_ethersubr.c:330
#13 0xc05e3ef5 in ip_output (m=0xc3393500, opt=0xc3393500, ro=0xef3b2a38, flags=0, imo=0x0,
    inp=0xc28c52d0) at /usr/src/sys/netinet/ip_output.c:824
#14 0xc05f203b in udp_send (so=0x0, flags=0, m=0x0, addr=0x0, control=0x0, td=0xc32be840)
    at /usr/src/sys/netinet/udp_usrreq.c:906
#15 0xc0595f8f in sosend (so=0xc28c3288, addr=0x0, uio=0x0, top=0xc3368200, control=0x0, flags=0,
    td=0xc32be840) at /usr/src/sys/kern/uipc_socket.c:799
#16 0xc062b391 in nfs_send (so=0xc28c3288, nam=0xc252f7a0, top=0xc3368200, rep=0xc32a5a00)
    at pcpu.h:156
#17 0xc062bd7d in nfs_request (vp=0xc32e6420, mrest=0xc32a5a00, procnum=7, td=0x0,
    cred=0xc2a5c800, mrp=0xef3b2c54, mdp=0xef3b2c58, dposp=0xef3b2c5c)
    at /usr/src/sys/nfsclient/nfs_socket.c:1002
#18 0xc063134f in nfs_writerpc (vp=0xc32e6420, uiop=0xef3b2ccc, cred=0xc2a5c800,
    iomode=0xef3b2cbc, must_commit=0xef3b2cc0) at /usr/src/sys/nfsclient/nfs_vnops.c:1129
#19 0xc0628dd0 in nfs_doio (bp=0xd64b563c, cr=0xc2a5c800, td=0x0)
    at /usr/src/sys/nfsclient/nfs_bio.c:1452
#20 0xc062e533 in nfssvc_iod (instance=0xc07c6538) at /usr/src/sys/nfsclient/nfs_nfsiod.c:262
#21 0xc0554326 in fork_exit (callout=0xc062e3e4 <nfssvc_iod>, arg=0xc07c6538, frame=0xef3b2d48)
    at /usr/src/sys/kern/kern_fork.c:820
#22 0xc06b052c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:209
(kgdb) f 10
#10 0xc04b4681 in bfe_start (ifp=0xc2419000) at /usr/src/sys/dev/bfe/if_bfe.c:1400
1400                    BPF_MTAP(ifp, m_head);
(kgdb) l
1395
1396                    /*
1397                     * If there's a BPF listener, bounce a copy of this frame
1398                     * to him.
1399                     */
1400                    BPF_MTAP(ifp, m_head);
1401            }
1402
1403            sc->bfe_tx_prod = idx;
1404            /* Transmit - twice due to apparent hardware bug */
(kgdb) p *ifp
$1 = {if_softc = 0xc2419000, if_link = {tqe_next = 0xc243482c, tqe_prev = 0xc07b6b24},
  if_xname = "bfe0", '\0' <repeats 11 times>, if_dname = 0xc22cd56c "bfe", if_dunit = 0,
  if_addrhead = {tqh_first = 0xc2418200, tqh_last = 0xc28e1260}, if_klist = {kl_lock = 0xc078bea0,
    kl_list = {slh_first = 0x0}}, if_pcount = 0, if_carp = 0x0, if_bpf = 0xc2431200, if_index = 1,
  if_timer = 5, if_nvlans = 0, if_flags = 34883, if_capabilities = 8, if_capenable = 8,
  if_linkmib = 0x0, if_linkmiblen = 0, if_data = {ifi_type = 6 '\006', ifi_physical = 0 '\0',
    ifi_addrlen = 6 '\006', ifi_hdrlen = 18 '\022', ifi_link_state = 2 '\002',
    ifi_recvquota = 0 '\0', ifi_xmitquota = 0 '\0', ifi_mtu = 1500, ifi_metric = 0,
    ifi_baudrate = 100000000, ifi_ipackets = 640, ifi_ierrors = 0, ifi_opackets = 7145,
    ifi_oerrors = 0, ifi_collisions = 0, ifi_ibytes = 128126, ifi_obytes = 10260512,
    ifi_imcasts = 0, ifi_omcasts = 7, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 0,
    ifi_unused = 0, ifi_lastchange = {tv_sec = 1094655632, tv_usec = 806107}}, if_multiaddrs = {
    tqh_first = 0xc2530860, tqh_last = 0xc28bd500}, if_amcount = 0,
  if_output = 0xc05c0314 <ether_output>, if_input = 0xc05c0903 <ether_input>,
  if_start = 0xc04b4278 <bfe_start>, if_ioctl = 0xc04b5076 <bfe_ioctl>,
  if_watchdog = 0xc04b501a <bfe_watchdog>, if_init = 0xc04b4b90 <bfe_init>,
  if_resolvemulti = 0xc05c0d98 <ether_resolvemulti>, if_snd = {ifq_head = 0x0, ifq_tail = 0x0,
    ifq_len = 0, ifq_maxlen = 256, ifq_drops = 0, ifq_mtx = {mtx_object = {lo_class = 0xc075dc44,
        lo_name = 0xc241900c "bfe0", lo_type = 0xc0722ed9 "if send queue", lo_flags = 196608,
        lo_list = {tqe_next = 0xc241827c, tqe_prev = 0xc2419204}, lo_witness = 0xc0792498},
      mtx_lock = 4, mtx_recurse = 0}, ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0,
    ifq_drv_maxlen = 256, altq_type = 0, altq_flags = 1, altq_disc = 0x0, altq_ifp = 0xc2419000,
    altq_enqueue = 0, altq_dequeue = 0, altq_request = 0, altq_clfier = 0x0, altq_classify = 0,
    altq_tbr = 0x0, altq_cdnr = 0x0}, if_broadcastaddr = 0xc06e14a0 "ÿÿÿÿÿÿether_ipfw_chk",
  lltables = 0x0, if_label = 0x0, if_prefixhead = {tqh_first = 0x0, tqh_last = 0xc2419154},
  if_afdata = {0x0 <repeats 28 times>, 0xc2534730, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  if_afdata_initialized = 1, if_afdata_mtx = {mtx_object = {lo_class = 0xc075dc44,
      lo_name = 0xc0722e9d "if_afdata", lo_type = 0xc0722e9d "if_afdata", lo_flags = 196608,
      lo_list = {tqe_next = 0xc24190e8, tqe_prev = 0xc241b35c}, lo_witness = 0xc07924c0},
    mtx_lock = 4, mtx_recurse = 0}, if_starttask = {ta_link = {stqe_next = 0x0}, ta_pending = 0,
    ta_priority = 0, ta_func = 0xc05bf59c <if_start_deferred>, ta_context = 0xc2419000}}
(kgdb) p *m_head
$2 = {m_hdr = {mh_next = 0xc3393600, mh_nextpkt = 0x0, mh_data = 0xc3393532 "", mh_len = 34,
    mh_flags = 43010, mh_type = 2}, M_dat = {MH = {MH_pkthdr = {rcvif = 0x0, len = 266,
        header = 0x0, csum_flags = 0, csum_data = 0, tags = {slh_first = 0x0}}, MH_dat = {
        MH_ext = {ext_buf = 0x1000e800---Can't read userspace from dump, or kernel process---
(kgdb) up
#11 0xc05c0309 in ether_output_frame (ifp=0xc2419000, m=0xc3393500)
    at /usr/src/sys/net/if_ethersubr.c:377
377             IFQ_HANDOFF(ifp, m, error);
(kgdb) l
372
373             /*
374              * Queue message on interface, update output statistics if
375              * successful, and start output if interface not yet active.
376              */
377             IFQ_HANDOFF(ifp, m, error);
378             return (error);
379     }
380
381     #if defined(INET) || defined(INET6)

The system is running with a giant-locked network stack, because of IPSec:
FreeBSD 5.3-BETA3 #16: Tue Sep  7 16:23:16 CEST 2004
    root@igor.q.local:/usr/obj/usr/src/sys/IGOR
WARNING: WITNESS option enabled, expect reduced performance.
WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
WARNING: MPSAFE network stack disabled, expect reduced performance.


I will now try with a GENERIC-Kernel and see if that helps.

Ulrich Spoerlein
-- 
PGP Key ID: F0DB9F44				Get it while it's hot!
PGP Fingerprint: F1CE D062 0CA9 ADE3 349B  2FE8 980A C6B5 F0DB 9F44
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."	-- Benjamin Franklin
