Date: Sun, 29 Oct 1995 17:58:18 +0200 From: Heikki Suonsivu <hsu@clinet.fi> To: FreeBSD-gnats-submit@freebsd.org Subject: kern/798: PPP panics Message-ID: <199510291558.RAA21635@katiska.clinet.fi> Resent-Message-ID: <199510291600.IAA28832@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 798
>Category: kern
>Synopsis: PPP panics, touches 0xdeadc0de pointers
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Oct 29 08:00:01 PST 1995
>Last-Modified:
>Originator: Heikki Suonsivu
>Organization:
Clinet, Espoo, Finland
>Release: FreeBSD 2.2-CURRENT i386
>Environment:
The machines are 486-100 and 486-120, with 1 or 2 16-port cyclades
boards. Used as terminal servers, people talk PPP into them.
Oct 29 10:21:42 osku /kernel: CPU: i486 DX4 (486-class CPU)
Oct 29 10:21:42 osku /kernel: Origin = "GenuineIntel" Id = 0x480 Stepping=0
Oct 29 10:21:42 osku /kernel: Features=0x3<FPU,VME>
Oct 29 10:21:42 osku /kernel: real memory = 16777216 (16384K bytes)
Oct 29 10:21:43 osku /kernel: avail memory = 14544896 (14204K bytes)
Oct 29 10:21:43 osku /kernel: Probing for devices on the ISA bus:
Oct 29 10:21:43 osku /kernel: ed0 at 0x280-0x29f irq 5 maddr 0xd8000 msize 16384 on isa
Oct 29 10:21:43 osku /kernel: ed0: address 00:00:c0:b9:ae:23, type WD8013EP (16 bit)
Oct 29 10:21:43 osku /kernel: ed1 not found at 0x300
Oct 29 10:21:43 osku /kernel: ed2 not found at 0x360
Oct 29 10:21:43 osku /kernel: ed3 not found at 0x240
Oct 29 10:21:43 osku /kernel: ed4 not found at 0x340
Oct 29 10:21:43 osku /kernel: ed5 not found at 0x220
Oct 29 10:21:43 osku /kernel: vt0 at 0x60-0x6f irq 1 on motherboard
Oct 29 10:21:43 osku /kernel: vt0: unkown s3, 80 col, color, 8 scr, mf2-kbd, [R3
.20-b24]
Oct 29 10:21:43 osku /kernel: sio0 at 0x3f8-0x3ff irq 4 on isa
Oct 29 10:21:43 osku /kernel: sio0: type 16550A
Oct 29 10:21:43 osku /kernel: sio1 at 0x2f8-0x2ff irq 3 on isa
Oct 29 10:21:43 osku /kernel: sio1: type 16550A
Oct 29 10:21:43 osku /kernel: sio2 not found at 0x2a0
Oct 29 10:21:49 osku /kernel: sio3 not found at 0x2a8
Oct 29 10:21:49 osku /kernel: sio4 not found at 0x2b0
Oct 29 10:21:49 osku /kernel: sio5 not found at 0x2b8
Oct 29 10:21:49 osku /kernel: cy0 irq 10 maddr 0xd4000 msize 8192 on isa
Oct 29 10:21:49 osku /kernel: cy1 irq 11 maddr 0xd6000 msize 8192 on isa
Oct 29 10:21:49 osku /kernel: bt0 not found at 0x330
Oct 29 10:21:49 osku /kernel: aha0 not found at 0x330
Oct 29 10:21:49 osku /kernel: wdc0 at 0x1f0-0x1f7 irq 14 on isa
Oct 29 10:21:49 osku /kernel: wdc0: unit 0 (wd0): <QUANTUM FIREBALL1080A>
Oct 29 10:21:50 osku /kernel: wd0: 1039MB (2128896 sectors), 2112 cyls, 16 heads, 63 S/T, 512 B/S
Oct 29 10:21:50 osku /kernel: wdc1 not found at 0x170
Oct 29 10:21:50 osku /kernel: fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
Oct 29 10:21:50 osku /kernel: fdc0: NEC 765
Oct 29 10:21:50 osku /kernel: fd0: 1.44MB 3.5in
Oct 29 10:21:50 osku /kernel: npx0 on motherboard
Oct 29 10:21:50 osku /kernel: npx0: INT 16 interface
Oct 29 10:21:50 osku /kernel: bio_imask c0004040 tty_imask c0030c3a net_imask c0030c3a
Oct 29 10:21:50 osku /kernel: Probing for devices on the PCI bus:
Oct 29 10:21:50 osku /kernel: pci0:0: vendor=0x10b9, device=0x1489, class=bridge (host) [no driver assigned]
Oct 29 10:21:50 osku /kernel: vga0 <VGA-compatible display device> rev 0 int a irq 11 on pci0:3
Oct 29 10:21:50 osku /kernel: WARNING: / was not properly dismounted.
Oct 27 01:55:37 karvinen /kernel: CPU: i486DX (486-class CPU)
Oct 27 01:55:37 karvinen /kernel: real memory = 16777216 (16384K bytes)
Oct 27 01:55:37 karvinen /kernel: avail memory = 14544896 (14204K bytes)
Oct 27 01:55:37 karvinen /kernel: Probing for devices on the ISA bus:
Oct 27 01:55:38 karvinen /kernel: ed0 at 0x280-0x29f irq 5 maddr 0xd8000 msize 16384 on isa
Oct 27 01:55:38 karvinen /kernel: ed0: address 00:00:c0:94:3e:2c, type WD8013EP (16 bit)
Oct 27 01:55:38 karvinen /kernel: ed1 not found at 0x300
Oct 27 01:55:39 karvinen /kernel: ed2 not found at 0x360
Oct 27 01:55:39 karvinen /kernel: ed3 not found at 0x240
Oct 27 01:55:39 karvinen /kernel: ed4 not found at 0x340
Oct 27 01:55:39 karvinen /kernel: ed5 not found at 0x220
Oct 27 01:55:40 karvinen /kernel: vt0 at 0x60-0x6f irq 1 on motherboard
Oct 27 01:55:40 karvinen /kernel: vt0: cl-gd5428, 80/132 col, color, 8 scr, mf2-kbd, [R3.20-b24]
Oct 27 01:55:40 karvinen /kernel: sio0 not found at 0x3f8
Oct 27 01:55:40 karvinen /kernel: sio1 not found at 0x2f8
Oct 27 01:55:40 karvinen /kernel: sio2 not found at 0x2a0
Oct 27 01:55:41 karvinen /kernel: sio3 not found at 0x2a8
Oct 27 01:55:41 karvinen /kernel: sio4 not found at 0x2b0
Oct 27 01:55:41 karvinen /kernel: sio5 not found at 0x2b8
Oct 27 01:55:41 karvinen /kernel: cy0 irq 10 maddr 0xd4000 msize 8192 on isa
Oct 27 01:55:42 karvinen /kernel: cy1 irq 11 maddr 0xd6000 msize 8192 on isa
Oct 27 01:55:42 karvinen /kernel: bt0 not found at 0x330
Oct 27 01:55:42 karvinen /kernel: aha0 not found at 0x330
Oct 27 01:55:43 karvinen /kernel: wdc0 at 0x1f0-0x1f7 irq 14 on isa
Oct 27 01:55:43 karvinen /kernel: wdc0: unit 0 (wd0): <ST3660A>
Oct 27 01:55:43 karvinen /kernel: wd0: 520MB (1065456 sectors), 1057 cyls, 16 heads, 63 S/T, 512 B/S
Oct 27 01:55:44 karvinen /kernel: wdc1 not found at 0x170
Oct 27 01:55:44 karvinen /kernel: fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
Oct 27 01:55:44 karvinen /kernel: fdc0: NEC 765
Oct 27 01:55:44 karvinen /kernel: fd0: 1.44MB 3.5in
Oct 27 01:55:45 karvinen /kernel: npx0 on motherboard
Oct 27 01:55:45 karvinen /kernel: npx0: INT 16 interface
Oct 27 01:55:45 karvinen /kernel: bio_imask c0004040 tty_imask c0030c22 net_imask c0030c22
Oct 27 01:55:45 karvinen /kernel: WARNING: / was not properly dismounted.
machine "i386"
cpu "I386_CPU"
cpu "I486_CPU"
cpu "I586_CPU" # aka Pentium(tm)
ident CLINETTS
maxusers 64
options "NMBCLUSTERS=2048"
options "TTYHOG=4096"
options "RS_IBUFSIZE=1024"
options "CHILD_MAX=256"
options "OPEN_MAX=256"
options MATH_EMULATE #Support for x87 emulation
#new math emulator
config kernel root on wd0 swap on wd0 and wd1 and sd0 and sd1 and sd2 and sd3 and vn0 dumps on wd0
options "COMPAT_43"
options SYSVSHM
options SYSVSEM
options SYSVMSG
options DODUMP
options KTRACE #kernel tracing
options DIAGNOSTIC
options UCONSOLE
options INET #Internet communications protocols
pseudo-device ether #Generic Ethernet
pseudo-device sppp #Generic Synchronous PPP
pseudo-device loop #Network loopback device
pseudo-device sl 16 #Serial Line IP
pseudo-device ppp 32 #Point-to-point protocol
pseudo-device bpfilter 4 #Berkeley packet filter
pseudo-device disc #Discard device
pseudo-device tun 32 #Tunnel driver(user process ppp)
options "TCP_COMPAT_42" #emulate 4.2BSD TCP bugs
options GATEWAY #internetwork gateway
options MROUTING # Multicast routing
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #print information about
# dropped packets
options FFS #Fast filesystem
options NFS #Network File System
options "CD9660" #ISO 9660 filesystem
options MFS #Memory File System
options MSDOSFS #MS DOS File System
options PROCFS #Process filesystem
controller pci0
device ncr0
device de5
options PROBE_VERBOSE
options "SCSI_DELAY=10"
controller scbus0 #base SCSI code
device ch0 #SCSI media changers
device sd0 #SCSI disks
device st0 #SCSI tapes
device cd0 #SCSI CD-ROMs
disk sd0 at scbus0 target 0
disk sd1 at scbus0 target 1
disk sd2 at scbus0 target 2
disk sd3 at scbus0 target 3
disk sd4 at scbus0 target 4
disk sd5 at scbus0 target 5
disk sd6 at scbus0 target 6
tape st0 at scbus0 target 0
tape st1 at scbus0 target 1
tape st2 at scbus0 target 2
tape st3 at scbus0 target 3
tape st4 at scbus0 target 4
tape st5 at scbus0 target 5
tape st6 at scbus0 target 6
device cd0 at scbus0 target 0
device cd1 at scbus0 target 1
device cd2 at scbus0 target 2
device cd3 at scbus0 target 3
device cd4 at scbus0 target 4
device cd5 at scbus0 target 5
device cd6 at scbus0 target 6
pseudo-device pty 64 #Pseudo ttys - can go as high as 64
pseudo-device speaker #Play IBM BASIC-style noises out your speaker
pseudo-device log #Kernel syslog interface (/dev/klog)
pseudo-device gzip #Exec gzipped a.out's
pseudo-device vn #Vnode driver (turns a file into a device)
controller isa0
options "AUTO_EOI_1"
options BOUNCE_BUFFERS
device vt0 at isa? port "IO_KBD" tty irq 1 vector pcrint
options "PCVT_FREEBSD=210" # pcvt running on FreeBSD 2.1
options XSERVER # include code for XFree86
options FAT_CURSOR # start with block cursor
options HARDFONTS
options "MAXCONS=16"
device npx0 at isa? port "IO_NPX" irq 13 vector npxintr
controller bt0 at isa? port "IO_BT0" bio irq ? vector btintr
controller aha0 at isa? port "IO_AHA0" bio irq ? drq 5 vector ahaintr
controller wdc0 at isa? port "IO_WD1" bio irq 14 vector wdintr
disk wd0 at wdc0 drive 0
disk wd1 at wdc0 drive 1
controller wdc1 at isa? port "IO_WD2" bio irq 15 vector wdintr
disk wd2 at wdc1 drive 0
disk wd3 at wdc1 drive 1
controller fdc0 at isa? port "IO_FD1" bio irq 6 drq 2 vector fdintr
disk fd0 at fdc0 drive 0
disk fd1 at fdc0 drive 1
tape ft0 at fdc0 drive 2
device sio0 at isa? port "IO_COM1" tty irq 4 vector siointr
device sio1 at isa? port "IO_COM2" tty irq 3 vector siointr
device sio2 at isa? port 0x2a0 tty flags 0x501
device sio3 at isa? port 0x2a8 tty flags 0x501
device sio4 at isa? port 0x2b0 tty flags 0x501
device sio5 at isa? port 0x2b8 tty irq 12 flags 0x501 vector siointr
device cy0 at isa? tty irq 10 iomem 0xd4000 iosiz 8192 vector cyintr
device cy1 at isa? tty irq 11 iomem 0xd6000 iosiz 8192 vector cyintr
options COM_MULTIPORT #code for some cards with shared IRQs
device ed0 at isa? port 0x280 net irq 5 iomem 0xd8000 vector edintr
device ed1 at isa? port 0x300 net irq 10 iomem 0xcc000 vector edintr
device ed2 at isa? port 0x360 net irq 7 iomem 0xd0000 vector edintr
device ed3 at isa? port 0x240 net irq 9 vector edintr
device ed4 at isa? port 0x340 net irq 15 iomem 0xdc000 vector edintr
device ed5 at isa? port 0x220 net irq 11 iomem 0xd4000 vector edintr
>Description:
Panic dumps are ftp://clinet.fi/pub/FreeBSD/crashdumps/kernel.[2-8].
They are all with full symbols so they are relatively easy to look at
with kgdb. These are against -STABLE from about a week ago with the
slirp patch installed (the patch didn't have effect to this problem,
and the older dumps may be too old).
Current directory is /usr/local/ftp/pub/FreeBSD/crashdumps/
Reading symbol data from /usr/local/ftp/pub/FreeBSD/crashdumps/kernel.8...done.
IdlePTD 234000
panic: page fault
current pcb at 1ef1a4
Reading in symbols for ../../i386/i386/machdep.c...done.
(kgdb) bt
#0 boot (howto=256) (../../i386/i386/machdep.c line 873)
#1 0xf0114b83 in panic (...)
#2 0xf01afb6e in trap_fatal (...)
#3 0xf01af6e0 in trap_pfault (...)
#4 0xf01af37f in trap (...)
#5 0xf01a54fd in exception:calltrap ()
#6 0xf013d343 in pppstart (...)
#7 0xf01b9bd2 in cypoll (...)
#8 0xf01a6851 in exception:swi_tty ()
#9 0xf01aecec in cpu_switch ()
(kgdb) up
Reading in symbols for ../../kern/subr_prf.c...done.
#1 0xf0114b83 in panic (fmt=(char *) 0xf01af06e "page fault") (../../kern/subr_prf.c line 124)
124 (../../kern/subr_prf.c)
(kgdb) directory /usr/stable/src/sys/i386/conf
Source directories searched: /usr/local/ftp/pub/FreeBSD/crashdumps:/usr/stable/src/sys/i386/conf
(kgdb) up
Reading in symbols for ../../i386/i386/trap.c...done.
#2 0xf01afb6e in trap_fatal (frame=(struct trapframe *) 0xf01d9f28) (../../i386/i386/trap.c line 745)
(kgdb) up
#3 0xf01af6e0 in trap_pfault (frame=(struct trapframe *) 0xf01d9f28, usermode=0) (../../i386/i386/trap.c line 667)
(kgdb) up
#4 0xf01af37f in trap (frame={tf_es = -262406128, tf_ds = -256704496, tf_edi = -266405500, tf_esi = -262352588, tf_ebp = -266494064, tf_isp = -267136189, tf_ebx = -1073676288, tf_edx = -262516736, tf_ecx = -1073542110, tf_eax = 1952364, tf_trapno = 12, tf_err = -267190272, tf_eip = -267136189, tf_cs = 8, tf_eflags = 66070, tf_esp = -257933312, tf_ss = -266428316}) (../../i386/i386/trap.c line 307)
(kgdb) up
#5 0xf01a54fd in exception:calltrap ()
(kgdb) up
Reading in symbols for ../../net/if_ppp.c...done.
#6 0xf013d343 in pppstart (tp=(struct tty *) 0xf01ea064) (../../net/if_ppp.c line 1042)
(kgdb) print m
$1 = (struct mbuf *) 0xf0c25880
(kgdb) print m2
$2 = (struct mbuf *) 0xc0010000
(kgdb) print done
$3 = 1
(kgdb) print m
$4 = (struct mbuf *) 0xf0c25880
(kgdb) print *m
$5 = {m_hdr = {mh_next = 0xdeadc0de, mh_nextpkt = 0xdead0001, mh_len = -559038242, mh_data = 0xf0ac9280 "\336\300\255\336\001", mh_type = -16162, mh_flags = -8531}, M_dat = {MH = {MH_pkthdr = {len = -559038242, rcvif = 0xdeadc0de}, MH_dat = {MH_ext = {ext_buf = 0xdeadc0de <Address 0xdeadc0de out of bounds>, ext_free = 0xdeadc0de, ext_size = 0xdeadc0de}, MH_databuf = {"\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336", '\000' <repeats 64 times>}}}, M_databuf = {"\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336\336\300\255\336", '\000' <repeats 64 times>}}}
0xdeadc0de, a freed mbuf was received from input queue?
(kgdb) print start
$6 = (unsigned char *) 0xf05cd134 "\032N-\034D;\331\242\311\"\0269\207\017\354,\206\377S\263f\234=\005.4F\360\030D\350 \322L\221s\025\325po\246\252\245\251\332V\020\320\210`\366\203=\324\304z\r\335\374n\355\237\232\300\371|\256K\227.\264m\ay\252\211\2001\234\252\206\224\237\001\225\b\244"
(kgdb) print sc
$7 = (struct ppp_softc *) 0xf01ef984
(kgdb) print sc->sc_outm
$8 = (struct mbuf *) 0x0
(kgdb) print m
$9 = (struct mbuf *) 0xf0c25880
(kgdb) up
Reading in symbols for ../../i386/isa/cy.c...done.
#7 0xf01b9bd2 in cypoll () (../../i386/isa/cy.c line 1603)
(kgdb) print tp
$10 = (struct tty *) 0xf01ea064
(kgdb) print *tp
$11 = {t_rawq = {c_cc = 0, c_cbcount = 0, c_cbmax = 0, c_cbreserved = 0, c_cf = 0x0, c_cl = 0x0}, t_rawcc = 684277, t_canq = {c_cc = 0, c_cbcount = 0, c_cbmax = 1, c_cbreserved = 1, c_cf = 0x0, c_cl = 0x0}, t_cancc = 956, t_outq = {c_cc = 723, c_cbcount = 7, c_cbmax = 7, c_cbreserved = 7, c_cf = 0xf0c3c2ac , c_cl = 0xf0b3c577 }, t_outcc = 8130688, t_line = 5, t_dev = 0x00003011, t_state = 131118, t_flags = 1543831560, t_timeout = 0, t_pgrp = 0xf0c38d40, t_session = 0xf0b62d00, t_rsel = {si_pid = 0, si_flags = 0}, t_wsel = {si_pid = 0, si_flags = 0}, t_termios = {c_iflag = 0x00000005, c_oflag = 0x00000000, c_cflag = 0x00034b00, c_lflag = 0x00000000, c_cc = {"\004\377\377\177\027\025\022\377\003\034\032\031\021\023\026\017\001\000\024\377"}, c_ispeed = 115200, c_ospeed = 115200}, t_winsize = {ws_row = 0x0000, ws_col = 0x0000, ws_xpixel = 0x0000, ws_ypixel = 0x0000}, t_oproc = 0xf01ba0a8, t_stop = 0x0, t_param = 0xf01b9d00, t_sc = 0xf01ef984, t_column = 34, t_rocount = 0, t_roc!
ol = 0, t_hiwat = 2052, t_lowat = 256, t_gen = 33}
(kgdb)
>How-To-Repeat:
Build a terminal server from a FreeBSD system with many ports
and let people dial in and run PPP into it.
>Fix:
Don't know, but the above seems like ppp driver receives a freed mbuf?
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199510291558.RAA21635>