From owner-freebsd-current@FreeBSD.ORG Sun May 4 06:44:12 2003 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B599137B401 for ; Sun, 4 May 2003 06:44:12 -0700 (PDT) Received: from tao.xtaz.co.uk (pc-62-30-69-139-az.blueyonder.co.uk [62.30.69.139]) by mx1.FreeBSD.org (Postfix) with ESMTP id BAB6D43FB1 for ; Sun, 4 May 2003 06:44:11 -0700 (PDT) (envelope-from matt@xtaz.co.uk) Received: from webmail.xtaz.co.uk (localhost [127.0.0.1]) by tao.xtaz.co.uk (Postfix) with SMTP id E68F88FCCF for ; Sun, 4 May 2003 14:44:09 +0100 (BST) Received: from 192.168.1.10 (SquirrelMail authenticated user matt) by webmail.xtaz.co.uk with HTTP; Sun, 4 May 2003 14:44:10 +0100 (BST) Message-ID: <49332.192.168.1.10.1052055850.squirrel@webmail.xtaz.co.uk> In-Reply-To: <49952.192.168.1.10.1052046537.squirrel@webmail.xtaz.co.uk> References: <49952.192.168.1.10.1052046537.squirrel@webmail.xtaz.co.uk> Date: Sun, 4 May 2003 14:44:10 +0100 (BST) From: "Matt" To: current@freebsd.org User-Agent: SquirrelMail/1.4.0 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 X-Priority: 3 Importance: Normal Subject: Re: m_freem detected a mbuf double-free : xl0 kernel panic (BACKTRACE now included) X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 May 2003 13:44:13 -0000 Matt said: > Unfortunatly this machine does not have enough swap space to dump a panic > and I also do not have a serial console so there is no debug information, > but I am getting a 100% reproducable panic on a kernel built on sources > cvsup'd either an hour ago or yesterday morning (I've tried both). Sources > from friday are fine. I have now configured the machine with more swap and got a panic again. This time I have got the full panic and trace. This is 100% reproducable on my system by booting a kernel dated approx from saturday morning onwards (3rd of may) and i just run irssi. The moment it tries to connect to IRC *boom*. Trace follows: Script started on Sun May 4 14:32:43 2003 [root@tao root]# gdb -k /usr/obj/usr/src/sys/TAO/kernel.debug /var/crash/vmcore.0 GNU gdb 5.2.1 (FreeBSD) Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-undermydesk-freebsd"... panic: from debugger panic messages: --- panic: m_freem detected a mbuf double-free panic: from debugger Uptime: 1m3s Dumping 256 MB ata0: resetting devices .. done 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 --- #0 doadump () at /usr/src/sys/kern/kern_shutdown.c:238 238 dumping++; (kgdb) where #0 doadump () at /usr/src/sys/kern/kern_shutdown.c:238 #1 0xc019f1f3 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:370 #2 0xc019f53b in panic () at /usr/src/sys/kern/kern_shutdown.c:543 #3 0xc0128bc2 in db_panic () at /usr/src/sys/ddb/db_command.c:448 #4 0xc0128b42 in db_command (last_cmdp=0xc0331700, cmd_table=0x0, aux_cmd_tablep=0xc032ca58, aux_cmd_tablep_end=0xc032ca5c) at /usr/src/sys/ddb/db_command.c:346 #5 0xc0128c56 in db_command_loop () at /usr/src/sys/ddb/db_command.c:470 #6 0xc012b9ea in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:72 #7 0xc02dbbd5 in kdb_trap (type=3, code=0, regs=0xcd313bfc) at /usr/src/sys/i386/i386/db_interface.c:170 #8 0xc02ecdbc in trap (frame= {tf_fs = 24, tf_es = -1058209776, tf_ds = -852426736, tf_edi = 256, tf_esi = -1058258640, tf_ebp = -852411320, tf_isp = -852411352, tf_ebx = 0, tf_edx = 0, tf_ecx = 32, tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1070743948, tf_cs = 8, tf_eflags = 646, tf_esp = -1070430627, tf_ss = -1070520242}) at /usr/src/sys/i386/i386/trap.c:593 #9 0xc02dd528 in calltrap () at {standard input}:96 #10 0xc019f4db in panic (fmt=0x0) at /usr/src/sys/kern/kern_shutdown.c:527 #11 0xc01baec9 in m_freem (mb=0xc0edc000) at /usr/src/sys/kern/subr_mbuf.c:1441 #12 0xc027909e in xl_txeof_90xB (sc=0xc25a2000) at /usr/src/sys/pci/if_xl.c:2212 #13 0xc02793fd in xl_intr (arg=0xc25a2000) at /usr/src/sys/pci/if_xl.c:2329 #14 0xc018bfb2 in ithread_loop (arg=0xc259d000) at /usr/src/sys/kern/kern_intr.c:537 #15 0xc018afa0 in fork_exit (callout=0xc2550180, arg=0x0, frame=0x0) at /usr/src/sys/kern/kern_fork.c:792 (kgdb) bt full #0 doadump () at /usr/src/sys/kern/kern_shutdown.c:238 No locals. #1 0xc019f1f3 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:370 No locals. #2 0xc019f53b in panic () at /usr/src/sys/kern/kern_shutdown.c:543 td = (struct thread *) 0xc0ec4130 bootopt = 260 newpanic = 0 buf = "from debugger\0ed a mbuf double-free", '\0' #3 0xc0128bc2 in db_panic () at /usr/src/sys/ddb/db_command.c:448 No locals. #4 0xc0128b42 in db_command (last_cmdp=0xc0331700, cmd_table=0x0, aux_cmd_tablep=0xc032ca58, aux_cmd_tablep_end=0xc032ca5c) at /usr/src/sys/ddb/db_command.c:346 cmd = (struct command *) 0xc02fdba0 t = 0 modif = "\0p5À\b¹:ÀÀ:1Í\r\0\0\0\200¤9À\r\0\0\0\001\0\0\0à:1Í\026#-À \2139À\aK\0 \0¥9À`\0039À\200p5Àx\0\0\0\200p5À\b¹:À\004;1Ía¨\022ÀÂÉ0ÀP§\022À\0\0\0\0\020\0\0\0\b¹:À\200p5ÀÎ \022À\200p5À8h5Àx\0\0\0\003\0\0" addr = -1070743948 count = -1 have_addr = 0 result = 0 #5 0xc0128c56 in db_command_loop () at /usr/src/sys/ddb/db_command.c:470 No locals. #6 0xc012b9ea in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:72 bkpt = 0 #7 0xc02dbbd5 in kdb_trap (type=3, code=0, regs=0xcd313bfc) at /usr/src/sys/i386/i386/db_interface.c:170 ef = 70 ddb_mode = 1 #8 0xc02ecdbc in trap (frame= {tf_fs = 24, tf_es = -1058209776, tf_ds = -852426736, tf_edi = 256, tf_esi = -1058258640, tf_ebp = -852411320, tf_isp = -852411352, tf_ebx = 0, tf_edx = 0, tf_ecx = 32, tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1070743948, tf_cs = 8, tf_eflags = 646, tf_esp = -1070430627, tf_ss = -1070520242}) at /usr/src/sys/i386/i386/trap.c:593 td = (struct thread *) 0xc0ec4130 p = (struct proc *) 0xc0eca780 sticks = 3236711392 i = 0 ucode = 0 type = 3 code = 0 eva = 0 #9 0xc02dd528 in calltrap () at {standard input}:96 No locals. #10 0xc019f4db in panic (fmt=0x0) at /usr/src/sys/kern/kern_shutdown.c:527 td = (struct thread *) 0xc0ec4130 bootopt = 256 newpanic = 1 buf = "from debugger\0ed a mbuf double-free", '\0' #11 0xc01baec9 in m_freem (mb=0xc0edc000) at /usr/src/sys/kern/subr_mbuf.c:1441 m = (struct mbuf *) 0xb2 cchnum = -1058255904 persist = 0 #12 0xc027909e in xl_txeof_90xB (sc=0xc25a2000) at /usr/src/sys/pci/if_xl.c:2212 cur_tx = (struct xl_chain *) 0xc25a3a6c ifp = (struct ifnet *) 0xc25a2000 ---Type to continue, or q to quit--- idx = 178 #13 0xc02793fd in xl_intr (arg=0xc25a2000) at /usr/src/sys/pci/if_xl.c:2329 sc = (struct xl_softc *) 0xc25a2000 ifp = (struct ifnet *) 0xc25a2000 status = 57857 #14 0xc018bfb2 in ithread_loop (arg=0xc259d000) at /usr/src/sys/kern/kern_intr.c:537 ithd = (struct ithd *) 0xc259d000 ih = (struct intrhand *) 0xc2550180 td = (struct thread *) 0xc0ec4130 p = (struct proc *) 0xc0eca780 #15 0xc018afa0 in fork_exit (callout=0xc2550180, arg=0x0, frame=0x0) at /usr/src/sys/kern/kern_fork.c:792 td = (struct thread *) 0x0 p = (struct proc *) 0xc259d000 (kgdb) (kgdb) quit [root@tao root]# exit Script done on Sun May 4 14:33:35 2003 -- email: matt@xtaz.co.uk - web: http://xtaz.co.uk/ Hardware, n.: The parts of a computer system that can be kicked.