From: Ulrich Spoerlein
To: freebsd-current@freebsd.org
Date: Wed, 8 Sep 2004 17:37:43 +0200
Subject: Re: panic: bfe_start: attempted use of a free mbuf! (RELENG_5)
Message-ID: <20040908153743.GA777@galgenberg.net>
In-Reply-To: <4109EC00.7020104@uni.de>

On Fri, 30.07.2004 at 08:34:40 +0200, Ulrich Spoerlein wrote:
> panic: bfe_start: attempted use of a free mbuf!
> KDB: enter: panic
> [thread 100019]
> Stopped at kdb_enter+0x2a: leave
> > trace
> kdb_enter()
> panic()
> bfe_start()
> bfe_intr()
> ithread_loop()
> fork_exit()
> fork_trampoline()
> --- trap 0x1, eip=0, esp=0xdb0c6d7c, ebp=0 ---

This just happened again on a recent RELENG_5. I get an _instant reboot_,
when trying to move a file from my gbde-home to NFS-mounted
/usr/ports/distfiles (this is symlinked three times... don't ask :)

I then tried to copy it from / to the NFS server directly (without the
three level symlinks) and got this panic (and dump! yay!)

panic: bfe_start: attempted use of a free mbuf!
(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc048e14b in db_fncall (dummy1=-281335756, dummy2=0, dummy3=-281335856,
    dummy4=0xef3b27cc "\036änÀ") at /usr/src/sys/ddb/db_command.c:531
#2  0xc048e4ec in db_command_loop () at /usr/src/sys/ddb/db_command.c:349
#3  0xc048fc71 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:221
#4  0xc057a355 in kdb_trap (type=3, code=0, tf=0xef3b28ec) at /usr/src/sys/kern/subr_kdb.c:418
#5  0xc06bb84f in trap (frame=
      {tf_fs = -281346024, tf_es = -1068040176, tf_ds = -1066336240, tf_edi = 256,
       tf_esi = -1066397045, tf_ebp = -281335508, tf_isp = -281335528, tf_ebx = -281335468,
       tf_edx = 0, tf_ecx = -1066286908, tf_eax = -1066295100, tf_trapno = 3, tf_err = 0,
       tf_eip = -1067999226, tf_cs = 8, tf_eflags = 646, tf_esp = -281335480,
       tf_ss = -1068083641})
    at /usr/src/sys/i386/i386/trap.c:576
#6  0xc06b04ca in calltrap () at /usr/src/sys/i386/i386/exception.s:140
#7  0xef3b0018 in ?? ()
#8  0xc0570010 in kern_timeout_callwheel_alloc (v=0x0) at /usr/src/sys/kern/kern_timeout.c:125
#9  0xc0565647 in panic (fmt=0xc070128b "%s: attempted use of a free mbuf!")
    at /usr/src/sys/kern/kern_shutdown.c:536
#10 0xc04b4681 in bfe_start (ifp=0xc2419000) at /usr/src/sys/dev/bfe/if_bfe.c:1400
#11 0xc05c0309 in ether_output_frame (ifp=0xc2419000, m=0xc3393500)
    at /usr/src/sys/net/if_ethersubr.c:377
#12 0xc05c0646 in ether_output (ifp=0xc2419000, m=0xc3393500, dst=0xef3b2a3c, rt0=0x0)
    at /usr/src/sys/net/if_ethersubr.c:330
#13 0xc05e3ef5 in ip_output (m=0xc3393500, opt=0xc3393500, ro=0xef3b2a38, flags=0, imo=0x0,
    inp=0xc28c52d0) at /usr/src/sys/netinet/ip_output.c:824
#14 0xc05f203b in udp_send (so=0x0, flags=0, m=0x0, addr=0x0, control=0x0, td=0xc32be840)
    at /usr/src/sys/netinet/udp_usrreq.c:906
#15 0xc0595f8f in sosend (so=0xc28c3288, addr=0x0, uio=0x0, top=0xc3368200, control=0x0, flags=0,
    td=0xc32be840) at
    /usr/src/sys/kern/uipc_socket.c:799
#16 0xc062b391 in nfs_send (so=0xc28c3288, nam=0xc252f7a0, top=0xc3368200, rep=0xc32a5a00)
    at pcpu.h:156
---Type <return> to continue, or q <return> to quit---
#17 0xc062bd7d in nfs_request (vp=0xc32e6420, mrest=0xc32a5a00, procnum=7, td=0x0,
    cred=0xc2a5c800, mrp=0xef3b2c54, mdp=0xef3b2c58, dposp=0xef3b2c5c)
    at /usr/src/sys/nfsclient/nfs_socket.c:1002
#18 0xc063134f in nfs_writerpc (vp=0xc32e6420, uiop=0xef3b2ccc, cred=0xc2a5c800,
    iomode=0xef3b2cbc, must_commit=0xef3b2cc0) at /usr/src/sys/nfsclient/nfs_vnops.c:1129
#19 0xc0628dd0 in nfs_doio (bp=0xd64b563c, cr=0xc2a5c800, td=0x0)
    at /usr/src/sys/nfsclient/nfs_bio.c:1452
#20 0xc062e533 in nfssvc_iod (instance=0xc07c6538) at /usr/src/sys/nfsclient/nfs_nfsiod.c:262
#21 0xc0554326 in fork_exit (callout=0xc062e3e4 , arg=0xc07c6538, frame=0xef3b2d48)
    at /usr/src/sys/kern/kern_fork.c:820
#22 0xc06b052c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:209
(kgdb) f 10
#10 0xc04b4681 in bfe_start (ifp=0xc2419000) at /usr/src/sys/dev/bfe/if_bfe.c:1400
1400                    BPF_MTAP(ifp, m_head);
(kgdb) l
1395
1396                    /*
1397                     * If there's a BPF listener, bounce a copy of this frame
1398                     * to him.
1399                     */
1400                    BPF_MTAP(ifp, m_head);
1401            }
1402
1403            sc->bfe_tx_prod = idx;
1404            /* Transmit - twice due to apparent hardware bug */
(kgdb) p *ifp
$1 = {if_softc = 0xc2419000, if_link = {tqe_next = 0xc243482c, tqe_prev = 0xc07b6b24},
  if_xname = "bfe0", '\0' , if_dname = 0xc22cd56c "bfe", if_dunit = 0,
  if_addrhead = {tqh_first = 0xc2418200, tqh_last = 0xc28e1260}, if_klist = {kl_lock = 0xc078bea0,
    kl_list = {slh_first = 0x0}}, if_pcount = 0, if_carp = 0x0, if_bpf = 0xc2431200, if_index = 1,
  if_timer = 5, if_nvlans = 0, if_flags = 34883, if_capabilities = 8, if_capenable = 8,
  if_linkmib = 0x0, if_linkmiblen = 0, if_data = {ifi_type = 6 '\006', ifi_physical = 0 '\0',
    ifi_addrlen = 6 '\006', ifi_hdrlen = 18 '\022', ifi_link_state = 2 '\002',
    ifi_recvquota = 0 '\0', ifi_xmitquota = 0 '\0', ifi_mtu = 1500, ifi_metric = 0,
    ifi_baudrate = 100000000, ifi_ipackets = 640, ifi_ierrors = 0, ifi_opackets = 7145,
    ifi_oerrors = 0, ifi_collisions = 0, ifi_ibytes = 128126, ifi_obytes = 10260512,
    ifi_imcasts = 0, ifi_omcasts = 7, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 0,
    ifi_unused = 0, ifi_lastchange = {tv_sec = 1094655632, tv_usec = 806107}}, if_multiaddrs = {
    tqh_first = 0xc2530860, tqh_last = 0xc28bd500}, if_amcount = 0,
  if_output = 0xc05c0314 , if_input = 0xc05c0903 ,
  if_start = 0xc04b4278 , if_ioctl = 0xc04b5076 ,
  if_watchdog = 0xc04b501a , if_init = 0xc04b4b90 ,
  if_resolvemulti = 0xc05c0d98 , if_snd = {ifq_head = 0x0, ifq_tail = 0x0,
    ifq_len = 0, ifq_maxlen = 256, ifq_drops = 0, ifq_mtx = {mtx_object = {lo_class = 0xc075dc44,
        lo_name = 0xc241900c "bfe0", lo_type = 0xc0722ed9 "if send queue", lo_flags = 196608,
        lo_list = {tqe_next = 0xc241827c, tqe_prev = 0xc2419204}, lo_witness = 0xc0792498},
      mtx_lock = 4,
      mtx_recurse = 0}, ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0,
    ifq_drv_maxlen = 256, altq_type = 0, altq_flags = 1, altq_disc = 0x0, altq_ifp = 0xc2419000,
    altq_enqueue = 0, altq_dequeue = 0, altq_request = 0, altq_clfier = 0x0, altq_classify = 0,
    altq_tbr = 0x0, altq_cdnr = 0x0}, if_broadcastaddr = 0xc06e14a0 "ÿÿÿÿÿÿether_ipfw_chk",
  lltables = 0x0, if_label = 0x0, if_prefixhead = {tqh_first = 0x0, tqh_last = 0xc2419154},
  if_afdata = {0x0 , 0xc2534730, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  if_afdata_initialized = 1, if_afdata_mtx = {mtx_object = {lo_class = 0xc075dc44,
      lo_name = 0xc0722e9d "if_afdata", lo_type = 0xc0722e9d "if_afdata", lo_flags = 196608,
      lo_list = {tqe_next = 0xc24190e8, tqe_prev = 0xc241b35c}, lo_witness = 0xc07924c0},
---Type <return> to continue, or q <return> to quit---
    mtx_lock = 4, mtx_recurse = 0}, if_starttask = {ta_link = {stqe_next = 0x0}, ta_pending = 0,
    ta_priority = 0, ta_func = 0xc05bf59c , ta_context = 0xc2419000}}
(kgdb) p *m_head
$2 = {m_hdr = {mh_next = 0xc3393600, mh_nextpkt = 0x0, mh_data = 0xc3393532 "", mh_len = 34,
    mh_flags = 43010, mh_type = 2}, M_dat = {MH = {MH_pkthdr = {rcvif = 0x0, len = 266,
        header = 0x0, csum_flags = 0, csum_data = 0, tags = {slh_first = 0x0}}, MH_dat = {
        MH_ext = {ext_buf = 0x1000e800---Can't read userspace from dump, or kernel process---

(kgdb) up
#11 0xc05c0309 in ether_output_frame (ifp=0xc2419000, m=0xc3393500)
    at /usr/src/sys/net/if_ethersubr.c:377
377             IFQ_HANDOFF(ifp, m, error);
(kgdb) l
372
373             /*
374              * Queue message on interface, update output statistics if
375              * successful, and start output if interface not yet active.
376              */
377             IFQ_HANDOFF(ifp, m, error);
378             return (error);
379     }
380
381     #if defined(INET) || defined(INET6)

The system is running with giant-locked network stack, because of IPSec

FreeBSD 5.3-BETA3 #16: Tue Sep 7 16:23:16 CEST 2004
    root@igor.q.local:/usr/obj/usr/src/sys/IGOR
WARNING: WITNESS option enabled, expect reduced performance.
WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
WARNING: MPSAFE network stack disabled, expect reduced performance.

I will now try with a GENERIC-Kernel and see if that helps.

Ulrich Spoerlein
--
PGP Key ID: F0DB9F44 Get it while it's hot!
PGP Fingerprint: F1CE D062 0CA9 ADE3 349B 2FE8 980A C6B5 F0DB 9F44
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- Benjamin Franklin