From owner-freebsd-current@FreeBSD.ORG Fri May 2 13:28:04 2003 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EA5E037B401 for ; Fri, 2 May 2003 13:28:04 -0700 (PDT) Received: from cmailm3.svr.pol.co.uk (cmailm3.svr.pol.co.uk [195.92.193.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2AC6243F3F for ; Fri, 2 May 2003 13:28:02 -0700 (PDT) (envelope-from mtm98@mcgoldrick.org) Received: from modem-916.crocodile.dialup.pol.co.uk ([81.78.35.148] helo=mcgoldrick.org) by cmailm3.svr.pol.co.uk with esmtp (Exim 4.14) id 19Bh8Q-0005Dh-3O for current@freebsd.org; Fri, 02 May 2003 21:27:58 +0100 Received: by mcgoldrick.org (Postfix, from userid 1000) id A1BAF501B; Fri, 2 May 2003 21:36:00 +0100 (BST) Date: Fri, 2 May 2003 21:36:00 +0100 From: Michael McGoldrick To: current@freebsd.org Message-ID: <20030502203559.GA658@uriel.mcgoldrick.org> References: <20030502203621.GA792@uriel.mcgoldrick.org> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="k1lZvvs/B4yU6o8G" Content-Disposition: inline In-Reply-To: <20030502203621.GA792@uriel.mcgoldrick.org> User-Agent: Mutt/1.4.1i Subject: Re: mbuf double-free panic X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2003 20:28:05 -0000 X-List-Received-Date: Fri, 02 May 2003 20:28:05 -0000 X-List-Received-Date: Fri, 02 May 2003 20:28:05 -0000 --k1lZvvs/B4yU6o8G Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Oooops, attached the wrong file. Ahh, the delights of embarassing yourself on a public forum. -- Michael McGoldrick: mmcgoldrick@linuxdriven.net --k1lZvvs/B4yU6o8G Content-Type: text/plain; charset=unknown-8bit Content-Disposition: attachment; filename=crash Content-Transfer-Encoding: quoted-printable Script started on Fri May 2 21:21:59 2003 GNU gdb 5.2.1 (FreeBSD)=0D Copyright 2002 Free Software Foundation, Inc.=0D GDB is free software, covered by the GNU General Public License, and you ar= e=0D welcome to change it and/or distribute copies of it under certain condition= s.=0D Type "show copying" to see the conditions.=0D There is absolutely no warranty for GDB. Type "show warranty" for details.= =0D This GDB was configured as "i386-undermydesk-freebsd"...=0D panic: m_free detected a mbuf double-free=0D panic messages:=0D ---=0D panic: m_free detected a mbuf double-free=0D =0D syncing disks, buffers remaining... 1407 1407 1401 1398 1398 1398 1398 1398= 1397 1397 1397 =0D sio1: 1 more silo overflow (total 26)=0D 1397 1397 1397 1397 1397 1397 1397 1397 1397 1397 1397 1397 1397 1397 1397 = 1397 1397 =0D giving up on 428 buffers=0D Uptime: 22m48s=0D Dumping 127 MB=0D ata1: resetting devices ..=0D done=0D [CTRL-C to abort] [CTRL-C to abort] [CTRL-C to abort] 16 32 48 64 80 96 11= 2=0D ---=0D Reading symbols from /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules= /linux/linux.ko.debug...done.=0D Loaded symbols for /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/l= inux/linux.ko.debug=0D Reading symbols from /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules= /acpi/acpi.ko.debug...done.=0D Loaded symbols for /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/a= cpi/acpi.ko.debug=0D Reading symbols from /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules= /linprocfs/linprocfs.ko.debug...done.=0D Loaded symbols for /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/l= inprocfs/linprocfs.ko.debug=0D Reading symbols from /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules= /ipfw/ipfw.ko.debug...done.=0D Loaded symbols for /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/i= pfw/ipfw.ko.debug=0D Reading symbols from /boot/kernel/logo_saver.ko...done.=0D Loaded symbols for /boot/kernel/logo_saver.ko=0D #0 doadump () at /usr/src/sys/kern/kern_shutdown.c:238=0D 238 dumping++;=0D (kgdb) bt=0D #0 doadump () at /usr/src/sys/kern/kern_shutdown.c:238=0D #1 0xc023a7aa in boot (howto=3D256) at /usr/src/sys/kern/kern_shutdown.c:3= 70=0D #2 0xc023aafb in panic () at /usr/src/sys/kern/kern_shutdown.c:543=0D #3 0xc0256352 in m_free (mb=3D0xc0bbcf00) at /usr/src/sys/kern/subr_mbuf.c= :1392=0D #4 0xc02a8993 in tunread (dev=3D0x0, uio=3D0xce8a6c7c, flag=3D8323072)=0D at /usr/src/sys/net/if_tun.c:679=0D #5 0xc01fe3ae in spec_read (ap=3D0xce8a6be0)=0D at /usr/src/sys/fs/specfs/spec_vnops.c:271=0D #6 0xc01fdf38 in spec_vnoperate (ap=3D0x0)=0D at /usr/src/sys/fs/specfs/spec_vnops.c:123=0D #7 0xc02991e2 in vn_read (fp=3D0xc256099c, uio=3D0xce8a6c7c, =0D active_cred=3D0xc235b900, flags=3D0, td=3D0xc2674390) at vnode_if.h:383= =0D #8 0xc025cd12 in dofileread (td=3D0xc2674390, fp=3D0xc256099c, fd=3D0, =0D buf=3D0xbfbfee40, nbyte=3D0, offset=3D0, flags=3D0) at file.h:227=0D #9 0xc025cb7b in read (td=3D0xc2674390, uap=3D0xce8a6d10)=0D at /usr/src/sys/kern/sys_generic.c:106=0D #10 0xc038ecfe in syscall (frame=3D=0D {tf_fs =3D 47, tf_es =3D -1078001617, tf_ds =3D -1078001617, tf_edi = =3D 134883872, tf_esi =3D 134996480, tf_ebp =3D -1077938584, tf_isp =3D -82= 9788812, tf_ebx =3D 134969308, tf_edx =3D 135049216, tf_ecx =3D 7, tf_eax = =3D 3, tf_trapno =3D 0, tf_err =3D 2, tf_eip =3D 673638227, tf_cs =3D 31, t= f_eflags =3D 514, tf_esp =3D -1077940724, tf_ss =3D 47})=0D at /usr/src/sys/i386/i386/trap.c:1021=0D #11 0xc037ec0d in Xint0x80_syscall () at {standard input}:138=0D ---Can't read userspace from dump, or kernel process---=0D =0D (kgdb) up 3=0D #3 0xc0256352 in m_free (mb=3D0xc0bbcf00) at /usr/src/sys/kern/subr_mbuf.c= :1392=0D 1392 MEXT_REM_REF(mb);=0D (kgdb) l=0D 1387 #endif=0D 1388 if ((mb->m_flags & M_PKTHDR) !=3D 0)=0D 1389 m_tag_delete_chain(mb, NULL);=0D 1390 nb =3D mb->m_next;=0D 1391 if ((mb->m_flags & M_EXT) !=3D 0) {=0D 1392 MEXT_REM_REF(mb);=0D 1393 if (atomic_cmpset_int(mb->m_ext.ref_cnt, 0, 1)) {=0D 1394 if (mb->m_ext.ext_type =3D=3D EXT_CLUSTER) {=0D 1395 mb_free(&mb_list_clust,=0D 1396 (caddr_t)mb->m_ext.ext_buf, MT_NOTMBUF,=0D (kgdb) print md=08 =08b=0D $1 =3D (struct mbuf *) 0xc0bbcf00=0D (kgdb) print *mb $2 =3D {m_hdr =3D {mh_next =3D 0x0, mh_nextpkt =3D 0x0, mh_data =3D 0xc0bbc= f3c "", =0D mh_len =3D 44, mh_flags =3D 16386, mh_type =3D 2}, M_dat =3D {MH =3D {M= H_pkthdr =3D {=0D rcvif =3D 0x0, len =3D 44, header =3D 0x2, csum_flags =3D 0, csum_d= ata =3D 16, =0D tags =3D {slh_first =3D 0x0}}, MH_dat =3D {MH_ext =3D {=0D ext_buf =3D 0xc105f000 "5\020\004", ext_free =3D 0, ext_args =3D = 0x0, =0D ext_size =3D 33554432, ref_cnt =3D 0x28000045, ext_type =3D 7684}= , =0D MH_databuf =3D "\0=F0\005=C1", '\0' , "\002E\0\0(= \004\036\0\0@\006p=ABQN\r/=C3\\=E4-=C0\025\0P=B7\205\037\004=B3=F0d=DFP\020= \0\0=FA\r\0\0\001\001\b\n\0\001\005\023Q\n|=FD\002\0\0\0\0\0\0\0L\001\005\0= \025\0=A0\0\021\0=A0\0\021\08\001 1.3A\001\b\0\025\0=A0\0\031\0=A0\0\021\0-= \001\005\0\0\0\0\0\f\0=FB=FF\0\0\0\0=F4=FF\004\030\0\0@\001\v=C2QN\r/=D8=EF= 3c\b\0=D5=CA=FC\002\001=B6%=CD=B2>am\0\0\b\t\n\v\f\r\016\017\020\021\022\02= 3\024\025\026\027\030\031\032\e\034\035\036\037 !\"#$%&'()*+,-./0"...}}, =0D M_databuf =3D "\0\0\0\0,\0\0\0\002\0\0\0\0\0\0\0\020\0\0\0\0\0\0\0\0=F0= \005=C1", '\0' , "\002E\0\0(\004\036\0\0@\006p=ABQN\r/=C3= \\=E4-=C0\025\0P=B7\205\037\004=B3=F0d=DFP\020\0\0=FA\r\0\0\001\001\b\n\0\0= 01\005\023Q\n|=FD\002\0\0\0\0\0\0\0L\001\005\0\025\0=A0\0\021\0=A0\0\021\08= \001 1.3A\001\b\0\025\0=A0\0\031\0=A0\0\021\0-\001\005\0\0\0\0\0\f\0=FB=FF\= 0\0\0\0=F4=FF\004\030\0\0@\001\v=C2QN\r/=D8=EF3c\b\0=D5=CA=FC\002\001=B6%= =CD=B2>am\0\0\b\t\n\v\f\r\016\017\020\021\022\023\024\025\026\027\030"...}}= =0D (kgdb) up 1=0D #4 0xc02a8993 in tunread (dev=3D0x0, uio=3D0xce8a6c7c, flag=3D8323072)=0D at /usr/src/sys/net/if_tun.c:679=0D 679 m =3D m_free(m);=0D (kgdb) l=0D 674 =0D 675 while (m && uio->uio_resid > 0 && error =3D=3D 0) {=0D 676 len =3D min(uio->uio_resid, m->m_len);=0D 677 if (len !=3D 0)=0D 678 error =3D uiomove(mtod(m, void *), len, uio);=0D 679 m =3D m_free(m);=0D 680 }=0D 681 =0D 682 if (m) {=0D 683 TUNDEBUG("%s%d: Dropping mbuf\n", ifp->if_name, ifp->if_unit);=0D (kgdb)=20 Script done on Fri May 2 21:25:41 2003 --k1lZvvs/B4yU6o8G--