Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 13 Oct 2016 04:51:24 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-net@FreeBSD.org
Subject:   [Bug 148807] [panic] "panic: sbdrop" and "panic: sbsndptr: sockbuf _ and mbuf _ clashing" (8.1-RELEASE/10.1-STABLE/11-CURRENT)
Message-ID:  <bug-148807-2472-9eW6hNnuKW@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-148807-2472@https.bugs.freebsd.org/bugzilla/>
References:  <bug-148807-2472@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D148807

--- Comment #31 from Hiren Panchasara <hiren@FreeBSD.org> ---
(In reply to Robert Watson from comment #29)

Robert,

Thanks for your response.

 On a slightly modified (nothing in driver space) stable/11, I am seeing
repeated panic in sbsndptr() with igb while box is pretty much idle or doing
very low traffic.

(kgdb) bt
#0  __curthread () at ./machine/pcpu.h:221
#1  doadump (textdump=3D-2121667464) at
/d2/hiren/freebsd/sys/kern/kern_shutdown.c:298
#2  0xffffffff80389f86 in db_fncall_generic (nargs=3D0, addr=3D<optimized o=
ut>,
rv=3D<optimized out>,=20
    args=3D<optimized out>) at /d2/hiren/freebsd/sys/ddb/db_command.c:568
#3  db_fncall (dummy1=3D<optimized out>, dummy2=3D<optimized out>,
dummy3=3D<optimized out>, dummy4=3D<optimized out>)
    at /d2/hiren/freebsd/sys/ddb/db_command.c:616
#4  0xffffffff80389a29 in db_command (last_cmdp=3D<optimized out>,
cmd_table=3D<optimized out>,=20
    dopager=3D<optimized out>) at /d2/hiren/freebsd/sys/ddb/db_command.c:440
#5  0xffffffff80389784 in db_command_loop () at
/d2/hiren/freebsd/sys/ddb/db_command.c:493
#6  0xffffffff8038c76b in db_trap (type=3D<optimized out>, code=3D<optimize=
d out>)
    at /d2/hiren/freebsd/sys/ddb/db_main.c:251
#7  0xffffffff809a6f33 in kdb_trap (type=3D<optimized out>, code=3D<optimiz=
ed out>,
tf=3D<optimized out>)
    at /d2/hiren/freebsd/sys/kern/subr_kdb.c:654
#8  0xffffffff80d93521 in trap_fatal (frame=3D0xfffffe1f2bb38210, eva=3D24)
    at /d2/hiren/freebsd/sys/amd64/amd64/trap.c:836
#9  0xffffffff80d93753 in trap_pfault (frame=3D0xfffffe1f2bb38210, usermode=
=3D0)
    at /d2/hiren/freebsd/sys/amd64/amd64/trap.c:691
#10 0xffffffff80d92cdc in trap (frame=3D0xfffffe1f2bb38210) at
/d2/hiren/freebsd/sys/amd64/amd64/trap.c:442
#11 <signal handler called>
#12 sbsndptr (sb=3D0xfffff8060f8a5518, off=3D0, len=3D4294967287,
moff=3D0xfffffe1f2bb38420)
    at /d2/hiren/freebsd/sys/kern/uipc_sockbuf.c:1191
#13 0xffffffff80ab9382 in tcp_output (tp=3D<optimized out>) at
/d2/hiren/freebsd/sys/netinet/tcp_output.c:1099
#14 0xffffffff80ab6105 in tcp_do_segment (m=3D<optimized out>, th=3D<optimi=
zed
out>, so=3D0xfffff8060f8a5360,=20
    tp=3D<optimized out>, drop_hdrlen=3D60, tlen=3D<optimized out>, iptos=
=3D<optimized
out>,=20
    ti_locked=3D<error reading variable: Cannot access memory at address 0x=
1>)
    at /d2/hiren/freebsd/sys/netinet/tcp_input.c:3182
#15 0xffffffff80ab2803 in tcp_input (mp=3D<optimized out>, offp=3D<optimize=
d out>,
proto=3D<optimized out>)
    at /d2/hiren/freebsd/sys/netinet/tcp_input.c:1444
#16 0xffffffff80aa6bc5 in ip_input (m=3D<error reading variable: Cannot acc=
ess
memory at address 0x0>)
    at /d2/hiren/freebsd/sys/netinet/ip_input.c:809
#17 0xffffffff80a82b35 in netisr_dispatch_src (proto=3D1, source=3D<optimiz=
ed out>,
m=3D0x0)
    at /d2/hiren/freebsd/sys/net/netisr.c:1120
#18 0xffffffff80a6c2ca in ether_demux (ifp=3D<optimized out>, m=3D0x0) at
/d2/hiren/freebsd/sys/net/if_ethersubr.c:850
#19 0xffffffff80a6cf22 in ether_input_internal (ifp=3D<optimized out>, m=3D=
0x0)
    at /d2/hiren/freebsd/sys/net/if_ethersubr.c:639
#20 ether_nh_input (m=3D<optimized out>) at
/d2/hiren/freebsd/sys/net/if_ethersubr.c:669
#21 0xffffffff80a82b35 in netisr_dispatch_src (proto=3D5, source=3D<optimiz=
ed out>,
m=3D0x0)
    at /d2/hiren/freebsd/sys/net/netisr.c:1120
#22 0xffffffff80a6c546 in ether_input (ifp=3D<optimized out>, m=3D0x0) at
/d2/hiren/freebsd/sys/net/if_ethersubr.c:759
#23 0xffffffff804e2b3c in igb_rx_input (rxr=3D<optimized out>,
ifp=3D0xfffff80115614800, m=3D0xfffff8014eee7600,=20
    ptype=3D<optimized out>) at /d2/hiren/freebsd/sys/dev/e1000/if_igb.c:49=
57
#24 igb_rxeof (que=3D<optimized out>, count=3D358700136, done=3D<optimized =
out>)
    at /d2/hiren/freebsd/sys/dev/e1000/if_igb.c:5185
#25 0xffffffff804e1daf in igb_msix_que (arg=3D<optimized out>) at
/d2/hiren/freebsd/sys/dev/e1000/if_igb.c:1612
#26 0xffffffff8091425f in intr_event_execute_handlers (p=3D<optimized out>,
ie=3D<optimized out>)
    at /d2/hiren/freebsd/sys/kern/kern_intr.c:1262
#27 0xffffffff80914876 in ithread_execute_handlers (ie=3D<optimized out>,
p=3D<optimized out>)
    at /d2/hiren/freebsd/sys/kern/kern_intr.c:1275
#28 ithread_loop (arg=3D<optimized out>) at
/d2/hiren/freebsd/sys/kern/kern_intr.c:1356
#29 0xffffffff80910ea5 in fork_exit (callout=3D0xffffffff809147b0 <ithread_=
loop>,
arg=3D0xfffff8011561a0e0,=20
    frame=3D0xfffffe1f2bb38ac0) at /d2/hiren/freebsd/sys/kern/kern_fork.c:1=
040
#30 <signal handler called>

----------------------------------------------------------------

Most interesting frames are these 2:

#22 0xffffffff80a6c546 in ether_input (ifp=3D<optimized out>, m=3D0x0) at
/d2/hiren/freebsd/sys/net/if_ethersubr.c:759
#23 0xffffffff804e2b3c in igb_rx_input (rxr=3D<optimized out>,
ifp=3D0xfffff80115614800, m=3D0xfffff8014eee7600,=20
    ptype=3D<optimized out>) at /d2/hiren/freebsd/sys/dev/e1000/if_igb.c:49=
57

#23 has an mbuf while #22 has it null.

Does this point to your hunch of
"device-driver bugs involving modifications to the mbuf chain after submitt=
ing
the mbuf to the network stack (e.g., due to concurrency bugs in the device
driver)" ?

OR something else is going on?

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-148807-2472-9eW6hNnuKW>